Re[4]: SYN floods (was: does history repeat itself?)
Alexis,

However if you are filtering on your outbound router to the net, there is still the possibility that a malicious user could spoof addresses as long as they belong to your address space. By moving the filter out to the edge (when you have the equipment) this eliminates that problem as well.

Pat R. Calhoun                          e-mail: pcalhoun@usr.com
Project Engineer - Lan Access R&D       phone: (847) 933-5181
US Robotics Access Corp.

______________________________ Reply Separator _________________________________
Subject: Re: Re[2]: SYN floods (was: does history repeat itself?)
Author:  Alexis Rosen <alexis@panix.com> at Internet
Date:    9/10/96 2:07 PM

Alec H. Peterson writes:
> Pat Calhoun writes:
> > This is actually quite simple to implement on Dial Access Routers, and
> > obviously this is the best place to add the filtering.
>
> Sure, that's a place to start. Except for a few problems:
>
> 1) The people doing this are not necessarily using a dialup IP connection.

True. That's why you need to filter upstream of public-access unix boxes (like our own).

> 2) Many of us don't have dial access routers that can handle this.

Also true. As I said before, I don't know about the Ascends, but I do know that the Xylogics boxes we use have the capability but probably not the capacity. When all ports are connected at 28.8, CPU usage can hover in the high 80% range. Adding filters would probably be a bad idea. That's why I was talking about filtering at a router just upstream from the dial-access box.

FWIW, even with a thousand very busy modems, I'm pretty sure that even a small cisco is up to the job. They just don't generate all that much traffic.

/a
Pat Calhoun writes:
> However if you are filtering on your outbound router to the net, there is
> still the possibility that a malicious user could spoof addresses as long
> as they belong to your address space. By moving the filter out to the edge
> (when you have the equipment) this eliminates that problem as well.

I think that's less of a problem -- spoofing addresses inside the network narrows down your origin enough that you are very likely to be caught or shut down quickly. It might have an advantage in stopping ankle-biter attacks against your own equipment by your users, though.

I think that aggressively sanity-filtering the net at all junctions is probably a good idea in general, though. Would that we had the CPU power... (What's needed, I think, is a cheap box that just does filtering. If it did it in hardware, it could be very fast (needed for high speed lines) and possibly even cheap.)

Perry
Pat Calhoun writes:
> Alexis,
>
> However if you are filtering on your outbound router to the net, there is
> still the possibility that a malicious user could spoof addresses as long
> as they belong to your address space. By moving the filter out to the edge
> (when you have the equipment) this eliminates that problem as well.

This is true, but if it is a valid host, the invalid SYNs will do nothing, because the source host will send a RST and the almost-connection will be torn down. And if it isn't a valid host, it will still be _much_ easier to track, because you know in general where it's coming from.

Alec

--
+------------------------------------+--------------------------------------+
|Alec Peterson - chuckie@panix.com   | Panix Public Access Internet and UNIX|
|Network Administrator/Architect     | New York City, NY                    |
+------------------------------------+--------------------------------------+
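Alec's point about the RST is easiest to see from the listening host's side. The following is an added example, not code from the thread or from any of its posters: it models a listener's half-open (SYN_RCVD) queue and walks a few constructed SYNs through it. A SYN that forges the address of a live host draws a SYN-ACK that the real host answers with RST, so the entry is torn down at once; a SYN that forges an address nobody answers for sits in the queue until the timeout; a genuine client completes the handshake. The timeout, backlog size, address ranges and the set of live hosts are all constructed values for illustration.

```python
"""Listener-side model of the half-open connection queue.

Added example (not from the thread). All timings, limits and addresses are
constructed for illustration; real stacks key the queue on the full 4-tuple
and use larger backlogs, but the mechanism Alec describes is the same.
"""
from dataclasses import dataclass, field

SYN_RCVD_TIMEOUT = 75.0   # constructed: seconds an unanswered half-open entry is kept
BACKLOG_LIMIT = 5         # constructed: a tiny backlog so exhaustion is visible


@dataclass
class Listener:
    live_hosts: set                                  # addresses that exist and will RST a stray SYN-ACK
    half_open: dict = field(default_factory=dict)    # claimed source -> arrival time of its SYN
    dropped_syns: int = 0                            # SYNs refused because the backlog was full
    established: int = 0                             # handshakes that completed

    def expire(self, now: float) -> None:
        """Drop half-open entries whose SYN-ACK has gone unanswered past the timeout."""
        stale = [src for src, t in self.half_open.items() if now - t >= SYN_RCVD_TIMEOUT]
        for src in stale:
            del self.half_open[src]

    def on_syn(self, src: str, now: float, genuine: bool) -> str:
        """Process one SYN claiming source `src`; return what became of it."""
        self.expire(now)
        if len(self.half_open) >= BACKLOG_LIMIT:
            self.dropped_syns += 1
            return "dropped: backlog full"
        self.half_open[src] = now            # SYN-ACK goes out to `src`
        if genuine:                          # the real sender answers with ACK
            del self.half_open[src]
            self.established += 1
            return "established"
        if src in self.live_hosts:           # a host that never sent a SYN answers with RST
            del self.half_open[src]
            return "torn down by RST from live host"
        return "half-open (no host answers)" # nobody owns the address; entry lingers


def simulate(events, live_hosts):
    """events: iterable of (time, claimed_src, genuine). Returns (listener, log)."""
    listener = Listener(live_hosts=set(live_hosts))
    log = [(t, src, listener.on_syn(src, t, genuine)) for t, src, genuine in sorted(events)]
    return listener, log


# Constructed sample: (arrival time, claimed source, whether a real sender is behind it)
SAMPLE_SYNS = [
    (0.0, "192.0.2.10", False),     # forged address of a live host: cleared by its RST
    (1.0, "192.0.2.200", False),    # forged unassigned addresses: nobody answers the SYN-ACK
    (2.0, "192.0.2.201", False),
    (3.0, "192.0.2.202", False),
    (4.0, "192.0.2.203", False),
    (5.0, "192.0.2.204", False),
    (6.0, "198.51.100.5", True),    # a genuine client arriving while the backlog is full
    (90.0, "198.51.100.5", True),   # the same client retrying after the stale entries expire
]
LIVE_HOSTS = {"192.0.2.10", "198.51.100.5"}

if __name__ == "__main__":
    listener, log = simulate(SAMPLE_SYNS, LIVE_HOSTS)
    for t, src, verdict in log:
        print(f"t={t:5.1f}  src={src:13s}  {verdict}")
    print(f"half-open now: {len(listener.half_open)}, dropped: {listener.dropped_syns}, "
          f"established: {listener.established}")
```

The count of half-open entries over time is the figure an operator watches: only the forged-and-unanswered class accumulates, which is why the thread's concern is spoofed sources rather than SYN volume as such, and why a forged address that at least belongs to a known provider is, as Alec says, far easier to trace.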
"Alec H. Peterson" writes:
> This is true, but if it is a valid host, the invalid SYNs will do nothing,
> because the source host will send a RST and the almost-connection will be
> torn down. And if it isn't a valid host, it will still be _much_ easier to
> track, because you know in general where it's coming from.

There are far, far meaner things you can do with a pair of valid hosts, Alec. And no, I don't particularly care to get into all of them.

Perry
Alec H. Peterson writes:
> Pat Calhoun writes:
> > Alexis,
> >
> > However if you are filtering on your outbound router to the net, there is
> > still the possibility that a malicious user could spoof addresses as long
> > as they belong to your address space. By moving the filter out to the edge
> > (when you have the equipment) this eliminates that problem as well.

If it's not practical, it's not practical. If the dialin boxes haven't got the CPU to filter each customer's connection, you just have to do the next best thing. The strategy I described is the next best thing, and it's pretty far "out to the edge". However, if you're a small provider and you only filter on your boundary to the net, that's still mostly OK as far as the SYN attack problem goes. Yes, the customer can spoof in the provider's IP range, but that makes the attacks easy to trace and very easy to filter.

> This is true, but if it is a valid host, the invalid SYNs will do nothing,
> because the source host will send a RST and the almost-connection will be
> torn down. And if it isn't a valid host, it will still be _much_ easier to
> track, because you know in general where it's coming from.

Right. You're getting into a more general issue ("what can you do if you can spoof") here, though. The answer is "lots of really nasty stuff". Just another reason to do aggressive antiforgery filtering.

/a
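The two filter placements argued over in this thread (Pat's per-port filter on the dial-access box versus the filter on the router facing the net that Alexis and Perry fall back on) differ in exactly one class of packet. The following is an added example, not code from the thread or from any poster's equipment: it models both placements as source-address checks and classifies a few constructed packets. The provider prefix, port assignments and sample addresses are constructed (documentation ranges), and the port naming is an assumption.

```python
"""Source-address (anti-spoofing) filter placement, modelled as an added example.

Not code from the thread. The topology below is constructed: one provider
aggregate, with each dial-in port assigned a single address out of it.
"""
from ipaddress import ip_address, ip_network

# Constructed provider topology (documentation prefixes, not real allocations).
PROVIDER_SPACE = [ip_network("192.0.2.0/24")]
PORT_ASSIGNMENTS = {                       # hypothetical port names -> address assigned to that port
    "modem-port-7": ip_network("192.0.2.7/32"),
    "modem-port-42": ip_network("192.0.2.42/32"),
}


def border_filter_allows(src: str) -> bool:
    """Filter on the router facing the net: pass a packet only if its source
    lies inside the provider's own space. Anything outside is dropped, but a
    customer can still forge any address inside the aggregate (Pat's point)."""
    addr = ip_address(src)
    return any(addr in net for net in PROVIDER_SPACE)


def edge_filter_allows(port: str, src: str) -> bool:
    """Filter on the dial-access box itself: a port may only emit packets whose
    source is the address assigned to that port, so in-space forgery fails too."""
    assigned = PORT_ASSIGNMENTS.get(port)
    return assigned is not None and ip_address(src) in assigned


def classify(port: str, src: str) -> str:
    """Describe what each placement does with a packet from `port` claiming `src`."""
    if edge_filter_allows(port, src):
        return "legitimate"                         # passes both filters
    if border_filter_allows(src):
        return "spoofed-inside-provider-space"      # passes the border filter, caught only at the edge
    return "spoofed-outside-provider-space"         # caught by either filter


# Constructed sample packets: (originating port, claimed source address)
SAMPLE_PACKETS = [
    ("modem-port-7", "192.0.2.7"),       # genuine
    ("modem-port-7", "192.0.2.42"),      # forged: another customer's address in the same aggregate
    ("modem-port-7", "198.51.100.9"),    # forged: an address outside the provider entirely
]


def run_samples():
    """Classify every sample packet; returns a list of (port, src, verdict)."""
    return [(port, src, classify(port, src)) for port, src in SAMPLE_PACKETS]


if __name__ == "__main__":
    for port, src, verdict in run_samples():
        print(f"{port:14s} src={src:14s} -> {verdict}")
```

Only the middle packet separates the two designs, and that is the case Alexis calls "easy to trace": the border filter does let it out, but it leaves with a source that pins it to this provider, which is also what Curtis means by knowing the ISP rather than only the NSP or exchange point the traffic came through. The edge filter costs per-port CPU on the access box, which is why the thread treats it as the best placement when the hardware can afford it and the border filter as the next best thing when it cannot.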
In message <234661D0.3000@usr.com>, Pat Calhoun writes:
> Alexis,
>
> However if you are filtering on your outbound router to the net, there is
> still the possibility that a malicious user could spoof addresses as long
> as they belong to your address space. By moving the filter out to the edge
> (when you have the equipment) this eliminates that problem as well.
>
> Pat R. Calhoun                          e-mail: pcalhoun@usr.com
> Project Engineer - Lan Access R&D       phone: (847) 933-5181
> US Robotics Access Corp.

Knowing what ISP the traffic is coming from is enormously useful compared to "it's coming from NSP X" or worse yet, "it's coming from someone on Mae-East". That's often where we start from these days.

Curtis
Participants (5): Alec H. Peterson, Alexis Rosen, Curtis Villamizar, pcalhoun@usr.com, Perry E. Metzger