Re: SYN flood messages flooding my mailbox
Curtis Villamizar <curtis@ans.net> wrote:
> 2. Filter based on source address on inbound packets from singly homed sites.
> A singly homed site cannot have asymmetric routing since there is no other path.
The site does not have to be single-homed for filtering to be applicable. If you relax criteria for reverse-route filtering to "known route" instead of "best route" then any customer (non-transit) AS can be filtered safely at border routers. Making that the default behaviour on customer-access routers would eliminate source-address spoofing completely.

As a remark -- the SYN flooding attack is by far not the only one which benefits from source address spoofing. There are far more destructive attacks (like, resetting BGP sessions; or Steve Bellovin's blind TCP spoofing) which do not require high packet volumes and therefore are not easily traceable.

As for traceability -- fat load of good it does to you if you discover that the hacker was smart enough to use an unprotected box somewhere in Taiwan or Brazil as a staging point for attack. I've had situations when I traced attacks to places like that and was anything but unable to explain to local sysadmins what I wanted from them. Simply because they don't speak English at all. There are places where they simply don't have any laws in regard to computer crime, and no Interpol offices. Any really malicious attacker with more than two neurons would be out of your reach, and unhindered.

BTW, the enforcement of source address authenticity allows for automated SYN flooding attack defenses -- if your host sees a stream of SYNs at a rate more than X pps it simply starts to ignore the SYNs from that particular source! (A simple algorithm would take care of roaming sources within some network -- you just sort SYNs by buckets of different sizes and shut down those which have SYN rate counts higher than some threshold).

--vadim
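The bucketed SYN-rate defense sketched above, written out as an added example (not code from any poster): SYNs in a sliding window are counted per /32, /24 and /16 aggregate, each size with its own threshold, so a single flooding host and a source "roaming" inside one /24 are both caught while a low-rate client is not. All addresses, rates and thresholds are constructed for the illustration.

```python
import ipaddress
from collections import Counter

# Per-bucket SYN budgets per window; larger aggregates get larger budgets.
# Constructed values for the example, not tuned for any real network.
THRESHOLDS = {32: 100, 24: 160, 16: 400}

def bucket(src, plen):
    """Collapse a source address into its /plen aggregate."""
    return ipaddress.ip_network(f"{src}/{plen}", strict=False)

def flagged_buckets(syns, now, window=1.0, thresholds=THRESHOLDS):
    """syns: iterable of (timestamp, source_ip).  Count SYNs seen in
    (now - window, now] per bucket size and return the set of buckets
    whose count exceeds the threshold for their size."""
    counts = Counter()
    for ts, src in syns:
        if now - window < ts <= now:
            for plen in thresholds:
                counts[bucket(src, plen)] += 1
    return {net for net, n in counts.items() if n > thresholds[net.prefixlen]}

def should_ignore(src, flagged):
    """The 'ignore' action: True if a new SYN from src lands in a flagged bucket."""
    ip = ipaddress.ip_address(src)
    return any(ip in net for net in flagged)

def constructed_syns():
    """Constructed one-second trace: one host sending 150 SYN/s, fifty roaming
    hosts in 10.9.0.0/24 sending 4 SYN/s each, and one client sending 3 SYN/s."""
    trace = [((i + 1) / 150, "198.51.100.7") for i in range(150)]
    trace += [((i + 1) / 200, f"10.9.0.{i % 50 + 1}") for i in range(200)]
    trace += [(t, "203.0.113.9") for t in (0.2, 0.5, 0.8)]
    return trace

if __name__ == "__main__":
    flagged = flagged_buckets(constructed_syns(), now=1.0)
    for net in sorted(flagged, key=str):
        print("ignoring SYNs from", net)
    print(should_ignore("10.9.0.33", flagged), should_ignore("203.0.113.9", flagged))
```

The roaming hosts stay under the /32 budget individually but their /24 exceeds its budget, which is the case the per-size buckets exist for; the thresholds are the knob that decides how much collateral damage a flagged aggregate causes.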
The talk I hear in the one ISP's office there:

- Boss: This crazy hacker in Singapore has to die!
- System manager responsible for security (hacker in the past): OK, sir.

10 minutes later:

- Sys. man: Here is this computer. I am ready to make 'rm -rf', ok?
- Boss: OK ...

And then - no problems from this site in 1 year -:)

This is not a good solution but it works. In case there is no Interpol in this area - there is 'rm -rf /' -:)

---
Aleksei Roudnev, Network Operations Center, Relcom, Moscow
(+7 095) 194-19-95 (Network Operations Center Hot Line), (+7 095) 239-10-10, N 13729 (pager)
(+7 095) 196-72-12 (Support), (+7 095) 194-33-28 (Fax)
In message <199609161940.MAA00329@quest.quake.net>, Vadim Antonov writes:
> Curtis Villamizar <curtis@ans.net> wrote:
> > 2. Filter based on source address on inbound packets from singly homed sites.
> > A singly homed site cannot have asymmetric routing since there is no other path.
> The site does not have to be single-homed for filtering to be applicable.
> If you relax criteria for reverse-route filtering to "known route" instead of "best route" then any customer (non-transit) AS can be filtered safely at border routers.
And if the "known route" is known by another router but suppressed from IBGP advertisement because there is a better route .. Or if the "known route" goes through an AS that uses YOU as their best route but the reverse traffic goes a different way.. Both of these cases and others cause a blackhole. Of course, if by "known route" you mean known because it is in the IRR, and the IRR is known to be reliable, then I accept your argument but caution that the IRR is not always reliable, but this is yet another reason to make it more reliable.
> As for traceability -- fat load of good it does to you if you discover that the hacker was smart enough to use an unprotected box somewhere in Taiwan or Brazil as a staging point for attack. I've had situations when I traced attacks to places like that and was anything but unable to explain to local sysadmins what I wanted from them. Simply because they don't speak English at all. There are places where they simply don't have any laws in regard to computer crime, and no Interpol offices. Any really malicious attacker with more than two neurons would be out of your reach, and unhindered.
We've had providers shut down sites because they were slow to address hacking launched from their site. In one case an NSFNET regional shut down a large university because their CS department just said "security is a hard problem" and refused to do anything. After 4 days of no Internet access they had things quite thoroughly cleaned up. The hacker in this case may very well have been Mitnick because similar attacks were seen from Netcom and were those that hit SDSC and both the Netcom and university attacks occurred about a month prior to Mitnick getting caught.
> BTW, the enforcement of source address authenticity allows for automated SYN flooding attack defenses -- if your host sees a stream of SYNs at a rate more than X pps it simply starts to ignore the SYNs from that particular source! (A simple algorithm would take care of roaming sources within some network -- you just sort SYNs by buckets of different sizes and shut down those which have SYN rate counts higher than some threshold).
Shutting down the source is a lot easier if you know the source.
> --vadim
Curtis
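The "best route" versus "known route" ingress check that Vadim proposes and Curtis pushes back on, as an added example (not code from either poster or from any router vendor): a constructed routing table for a hypothetical customer-access router with ports cust-A, cust-B and upstream, where customer B's block is best reached via cust-B but also known via cust-A. The two checks differ exactly on the asymmetric case, and both still drop the source whose route is only known on some other router, which is Curtis's blackhole.

```python
import ipaddress
from collections import namedtuple

# A routing-table entry: prefix, the interface it points out of, and whether
# it is the best (installed) path or merely a known alternate path.
Route = namedtuple("Route", "prefix iface best")

def net(s):
    return ipaddress.ip_network(s)

# Constructed table for the hypothetical router.  10.3.0.0/16 is deliberately
# absent: it is known only on another router and suppressed from IBGP.
TABLE = [
    Route(net("10.1.0.0/16"), "cust-A", True),
    Route(net("10.2.0.0/16"), "cust-B", True),
    Route(net("10.2.0.0/16"), "cust-A", False),
    Route(net("0.0.0.0/0"), "upstream", True),
]

def routes_for(src, table=TABLE):
    """Longest-prefix match: every entry (best or alternate) at the longest matching prefix."""
    ip = ipaddress.ip_address(src)
    hits = [r for r in table if ip in r.prefix]
    longest = max(r.prefix.prefixlen for r in hits)
    return [r for r in hits if r.prefix.prefixlen == longest]

def accept_best_route(src, ingress, table=TABLE):
    """'Best route' check: pass only if the best path back to src leaves via the ingress port."""
    return any(r.best and r.iface == ingress for r in routes_for(src, table))

def accept_known_route(src, ingress, table=TABLE):
    """'Known route' relaxation: pass if any path back to src, best or not, leaves via ingress."""
    return any(r.iface == ingress for r in routes_for(src, table))

if __name__ == "__main__":
    cases = [("10.1.0.5", "cust-A"),    # ordinary customer A traffic
             ("10.2.0.5", "cust-A"),    # customer B's block arriving asymmetrically via A
             ("10.3.0.5", "cust-A"),    # route known only on another router: blackholed by both
             ("192.0.2.1", "cust-A")]   # spoofed source, no path back via cust-A
    for src, ingress in cases:
        print(f"{src:>10} on {ingress}: best={accept_best_route(src, ingress)} "
              f"known={accept_known_route(src, ingress)}")
```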
participants (3): alex@relcom.EU.net, Curtis Villamizar, Vadim Antonov