Re: Denial of service attacks apparently from UUNET Netblocks
Let me try again, since it seems I wasn't clear enough. There's been a lot of delightful talk about whether/how to retrieve the calling phone on a given port. But none about how to determine with confidence which port the nasty packets come from. Without source address assurance, any user on any port of any dialin box can source packets with any IP address(es) desired. So you don't know which port to go get ANI/CLID for. What is also not explained is how to produce multi-megabit streams from dialup. MP? Multiple independent calls? Ping to broadcast with faked source address? Or was the attack not from dialup at all? In other words, I don't know why this attack generated a debate about ANI/CLID.

Barney Wolff
Date: Wed, 8 Oct 1997 10:33:16 -0500 (CDT)
From: Joe Shaw <jshaw@insync.net>
To: Barney Wolff <barney@databus.com>
Cc: nanog@merit.edu
Subject: Re: Denial of service attacks apparently from UUNET Netblocks
On Tue, 7 Oct 1997, Barney Wolff wrote:
> Date: Tue, 7 Oct 1997 12:04:27 -0400 (EDT)
> From: Alex Przekupowski <oop@idt.net>
>
> > On the MAXes that I have set up, I log that info to syslog (Local 7), and can pull it up at will. If you need a hand, just let me know. By combining the syslog output and the RADIUS accounting logs, we can definitely prove at least the home address of the attacker.
>
> How are you providing source address assurance, on either a MAX or a TNT? My understanding, which may well be flawed, is that the only way is with a filter. I have heard claims, which may also be flawed, that filters have a severe performance impact on MAX and TNT.
>
> Without source address assurance, how do you know that the packets are actually coming from the user who was assigned that address at that time?
>
> Barney Wolff <barney@databus.com>
What he means is that he can provide the number of the person who dialed into his equipment. That information can be given to you on your PRI, and reported in both radius accounting and syslog.
Joe Shaw - jshaw@insync.net
NetAdmin - Insync Internet Services
At 05:57 PM 10/8/97 EDT, Barney Wolff wrote:
> Let me try again, since it seems I wasn't clear enough. There's been a lot of delightful talk about whether/how to retrieve the calling phone on a given port. But none about how to determine with confidence which port the nasty packets come from. Without source address assurance, any user on any port of any dialin box can source packets with any IP address(es) desired. So you don't know which port to go get ANI/CLID for.

I have been talking to several vendors for several months regarding setting up filters with variables in them such as $MY_IP which would allow us to do per port per IP filtering based on the IP address which is based on the IP of the person dialed in was assigned either by the NAS or the RADIUS server. I know of at least 2 vendors which will be releasing the "soon".

Justin W. Newton                          voice: +1-650-482-2840
Senior Network Architect                  fax:   +1-650-482-2844
PRIORI NETWORKS, INC.                     http://www.priori.net
Legislative and Policy Director, ISP/C    http://www.ispc.org
"The People You Know. The People You Trust."
On Wed, 8 Oct 1997, Justin W. Newton wrote:
> I have been talking to several vendors for several months regarding setting up filters with variables in them such as $MY_IP which would allow us to do per port per IP filtering based on the IP address which is based on the IP of the person dialed in was assigned either by the NAS or the RADIUS server. I know of at least 2 vendors which will be releasing the "soon".

Why not just have the Radius server generate the filter itself based on the assigned IP address?

John Tamplin                  Traveller Information Services
jat@Traveller.COM             2104 West Ferry Way
205/883-4233x7007             Huntsville, AL 35801
I think I heard "John A. Tamplin" say:
> Why not just have the Radius server generate the filter itself based on the assigned IP address?

Aside from having to reconfigure the router every time somebody logs on or off? Other than having to have the Radius server run a script which logs into the router and enables (assuming that you are using a Cisco)? Ignoring the problems that Ciscos can have with changing access-lists (especially under high load)? (the list could continue) Other than all those reasons, it would work just fine. :)

(okay - maybe I'm Cisco bashing and flaming, but I've seen far too many service interruptions caused by changing access-lists to ignore the issue)

-----
-matthew
On Wed, 8 Oct 1997, Matthew V. J. Whalen wrote:
> I think I heard "John A. Tamplin" say:
>
> > Why not just have the Radius server generate the filter itself based on the assigned IP address?
>
> Aside from having to reconfigure the router every time somebody logs on or off? Other than having to have the Radius server run a script which logs into the router and enables (assuming that you are using a Cisco)? Ignoring the problems that Ciscos can have with changing access-lists (especially under high load)? (the list could continue) Other than all those reasons, it would work just fine. :)
>
> (okay - maybe I'm Cisco bashing and flaming, but I've seen far too many service interruptions caused by changing access-lists to ignore the issue)

Well, the original topic was about Ascend, and that is what we run here. As part of the Radius response to the NAS, you can include arbitrary filters to apply to that specific connection. Now, you do pay for that in terms of performance, but the Radius server can supply a specific filter for every connection. Of course, none of the stock Radius servers support that, but I am sure everyone has local hacks anyway. For example, all of our authentication information (and usage logs) are maintained in an Informix database.

John Tamplin                  Traveller Information Services
jat@Traveller.COM             2104 West Ferry Way
205/883-4233x7007             Huntsville, AL 35801
On Wed, Oct 08, 1997 at 08:44:00PM -0500, John A. Tamplin wrote:
> On Wed, 8 Oct 1997, Matthew V. J. Whalen wrote:
>
> > I think I heard "John A. Tamplin" say:
> >
> > > Why not just have the Radius server generate the filter itself based on the assigned IP address?
> >
> > Aside from having to reconfigure the router every time somebody logs on or off? Other than having to have the Radius server run a script which logs into the router and enables (assuming that you are using a Cisco)? Ignoring the problems that Ciscos can have with changing access-lists (especially under high load)? (the list could continue) Other than all those reasons, it would work just fine. :)
> >
> > (okay - maybe I'm Cisco bashing and flaming, but I've seen far too many service interruptions caused by changing access-lists to ignore the issue)
>
> Well, the original topic was about Ascend, and that is what we run here. As part of the Radius response to the NAS, you can include arbitrary filters to apply to that specific connection. Now, you do pay for that in terms of performance, but the Radius server can supply a specific filter for every connection. Of course, none of the stock Radius servers support that, but I am sure everyone has local hacks anyway. For example, all of our authentication information (and usage logs) are maintained in an Informix database.

To belabor the obvious, remember that not all dialups are hosts; what you need to set as the filter on the source addresses is a _netmask_.

Cheers,
-- jra
--
Jay R. Ashworth                                              jra@baylink.com
Member of the Technical Staff           Unsolicited Commercial Emailers Sued
The Suncoast Freenet     "People propose, science studies, technology conforms."
Tampa Bay, Florida                                        -- Dr. Don Norman
+1 813 790 7592
On Wed, 8 Oct 1997, Jay R. Ashworth wrote:
> To belabor the obvious, remember that not all dialups are hosts; what you need to set as the filter on the source addresses is a _netmask_.

And for those, you aren't dynamically assigning the addresses, so it is easy to build a filter for them.

John Tamplin                  Traveller Information Services
jat@Traveller.COM             2104 West Ferry Way
205/883-4233x7007             Huntsville, AL 35801
On Wed, Oct 08, 1997 at 11:09:35PM -0500, John A. Tamplin wrote:
> On Wed, 8 Oct 1997, Jay R. Ashworth wrote:
>
> > To belabor the obvious, remember that not all dialups are hosts; what you need to set as the filter on the source addresses is a _netmask_.
>
> And for those, you aren't dynamically assigning the addresses, so it is easy to build a filter for them.

Usually. I could see a circumstance where a small LAN was using an ISDN dial on demand link... You're not dynamically assigning the address... but you _are_ dynamically assigning it to a port.

Cheers,
-- jra
--
Jay R. Ashworth                                              jra@baylink.com
Member of the Technical Staff           Unsolicited Commercial Emailers Sued
The Suncoast Freenet     "People propose, science studies, technology conforms."
Tampa Bay, Florida                                        -- Dr. Don Norman
+1 813 790 7592
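An added example, not code from the thread or from any vendor: a RADIUS-side routine that derives the per-port source-address filter John Tamplin proposes from the address assigned to a session, and handles the netmask case Jay Ashworth raises (a dialup router gets its whole subnet, a host gets a /32). The rule format, port names and sample addresses are constructed for illustration; only the attribute names Framed-IP-Address and Framed-IP-Netmask are standard RADIUS.

```python
import ipaddress

# Added example: derive a per-connection ingress (anti-spoofing) filter from
# the address a RADIUS server assigned to a dial-in session. The rule format
# and port names are constructed; only the RADIUS attribute names are standard.

def assigned_prefix(reply):
    """Source prefix a session may legitimately use.

    A plain host dialup carries only Framed-IP-Address and gets a /32; a
    dialup router also carries Framed-IP-Netmask and gets its whole subnet.
    """
    addr = reply["Framed-IP-Address"]
    mask = reply.get("Framed-IP-Netmask", "255.255.255.255")
    return ipaddress.IPv4Network((addr, mask), strict=False)

def build_ingress_filter(port, reply):
    """Ordered rules for one NAS port: permit the assigned prefix as source,
    deny every other source (the default deny is what blocks spoofing)."""
    return [
        {"port": port, "action": "permit", "src": assigned_prefix(reply)},
        {"port": port, "action": "deny", "src": ipaddress.IPv4Network("0.0.0.0/0")},
    ]

def permitted(rules, port, src):
    """Check a packet's source address against a port's rules; first match
    wins, and a port with no rules at all is treated as deny."""
    src = ipaddress.IPv4Address(src)
    for rule in rules:
        if rule["port"] == port and src in rule["src"]:
            return rule["action"] == "permit"
    return False

# Constructed sample replies, as a RADIUS server would send them to the NAS.
HOST_REPLY = {"Framed-IP-Address": "192.0.2.17"}
LAN_REPLY = {"Framed-IP-Address": "198.51.100.9",
             "Framed-IP-Netmask": "255.255.255.248"}

if __name__ == "__main__":
    host_rules = build_ingress_filter("S1/P3", HOST_REPLY)
    lan_rules = build_ingress_filter("S1/P7", LAN_REPLY)
    print(permitted(host_rules, "S1/P3", "192.0.2.17"))    # True: assigned host
    print(permitted(host_rules, "S1/P3", "203.0.113.5"))   # False: spoofed source
    print(permitted(lan_rules, "S1/P7", "198.51.100.12"))  # True: host on the /29
    print(permitted(lan_rules, "S1/P7", "198.51.100.20"))  # False: outside the /29
```

Because the filter is bound to the port rather than to a fixed address, the same routine covers Jay's ISDN dial-on-demand LAN: whatever port the call lands on gets the subnet's rules for the life of that session.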
participants (5): Barney Wolff, Jay R. Ashworth, John A. Tamplin, Justin W. Newton, Matthew V. J. Whalen