Re: New Denial of Service Attack on Panix
hi, On Tue, 17 Sep 1996, Rob Skrobola <rjs@ans.net> wrote:
On topic: Most of the discussion has been about stopping these general kinds of attacks from dial-up providers, ISP's. I've not heard much about what seems to be the other major source of potential problems, namely universities and schools.. They seem to provide a somewhat more involved challenge in the effort to source filter outbound packets.
good point. in the incidents i've seen here at uc berkeley, about half were sourced from dial-up providers and about half from other universities. however, in the majority of the cases, the source host appeared to be a compromised host, that is, the real perpetrator was actually somewhere else. at least in the university environment, i think you would find that most universities have a central networking group that would be interested in doing the "right thing," given adequate education and resources. for the record, i've been filtering inbound and outbound at uc berkeley since early march 95.
... So it has to happen closer to the source.
works better closer to the source too: the northern uc campuses are working toward utilizing a single ds3 into an isp. if the filtering were done at the isp's interface, the filter would have to permit any packet with a source ip address from any of the 5 northern campus. whereas my filters permit only uc berkeley source ip addresses. i also use some strategically located filters in uc berkeley's interior as well.
... It would be interesting to hear an opinion from some networking folks at the regionals or at campuses about whether this kind of filtering can or will be done...
again, i think educating the local networking groups is a key issue. in uc berkeley's case, kevin mitnick provided the education :-} as well as the opportunity to squeeze extra $$$ out of the university administration for a border router capable of handling the filtering. ken ---------------------------------------------------------------------------- Ken Lindahl lindahl@ack.berkeley.edu Data Communication & Newtorking Services +1-510-642-0866 University of California, Berkeley http://ack.berkeley.edu/~lindahl ----------------------------------------------------------------------------
Ken, I think that you are right on target here. I was thinking that a good way to get the word out to the .edu community might be for someone to deliver a paper on this problem (SYN flood and other source spoofed attacks) at the upcoming LISA. Any takers? Joel On Tue, 17 Sep 1996, Ken Lindahl wrote:
hi,
On Tue, 17 Sep 1996, Rob Skrobola <rjs@ans.net> wrote:
On topic: Most of the discussion has been about stopping these general kinds of attacks from dial-up providers, ISP's. I've not heard much about what seems to be the other major source of potential problems, namely universities and schools.. They seem to provide a somewhat more involved challenge in the effort to source filter outbound packets.
good point. in the incidents i've seen here at uc berkeley, about half were sourced from dial-up providers and about half from other universities. however, in the majority of the cases, the source host appeared to be a compromised host, that is, the real perpetrator was actually somewhere else.
at least in the university environment, i think you would find that most universities have a central networking group that would be interested in doing the "right thing," given adequate education and resources. for the record, i've been filtering inbound and outbound at uc berkeley since early march 95.
... So it has to happen closer to the source.
works better closer to the source too: the northern uc campuses are working toward utilizing a single ds3 into an isp. if the filtering were done at the isp's interface, the filter would have to permit any packet with a source ip address from any of the 5 northern campus. whereas my filters permit only uc berkeley source ip addresses. i also use some strategically located filters in uc berkeley's interior as well.
... It would be interesting to hear an opinion from some networking folks at the regionals or at campuses about whether this kind of filtering can or will be done...
again, i think educating the local networking groups is a key issue. in uc berkeley's case, kevin mitnick provided the education :-} as well as the opportunity to squeeze extra $$$ out of the university administration for a border router capable of handling the filtering.
ken ---------------------------------------------------------------------------- Ken Lindahl lindahl@ack.berkeley.edu Data Communication & Newtorking Services +1-510-642-0866 University of California, Berkeley http://ack.berkeley.edu/~lindahl ----------------------------------------------------------------------------
Ken,
I think that you are right on target here. I was thinking that a good way to get the word out to the .edu community might be for someone to deliver a paper on this problem (SYN flood and other source spoofed attacks) at the upcoming LISA.
Any takers?
Joel
I'd be willing to do it - esp (@ LISA) re: how to harden hosts. Avi
I would urge you to emphasize the router filtering as well as the host hardening. Grab the posts here on router rulesets and perhaps format them up a bit and get Usenix to print them up and hand a copy out to everyone at the conference... Given how close it is to time-zero for LISA in Chicago, you ought to contact the people setting it up asap. -george
participants (4)
-
Avi Freedman
-
George Herbert
-
Joel Gallun
-
Ken Lindahl