At 10:47 AM 9/17/96 -0700, Michael Dillon wrote:
> Some part of the discussion involves the technical details of hardening OS kernels as well as a couple of alternate solutions for defending against the attacks involving either a SYN proxy or a machine feeding RST's. These technical details belong on the firewalls list because the people on that list work with building DEFENSIVE mechanisms.
Except that what we need are routers implementing traffic filtering on ISP input ports rather than firewalls defending customer premises from attacks coming from the ISPs. I think we are dealing with two different markets and two different groups of people. I don't think that ISPs will protect themselves from this denial of service attack with firewalls. This is a router requirement.
> inet-access and other ISP mailing lists are most relevant for the PREVENTION of SYN flood attacks. This is where we need to hammer home the need for filtering outgoing routes.
Filtering incoming traffic against legitimate source addresses. The most important point is that if we all decide that defense and tracing are of limited utility and that filtering is the only way to stop these attacks, then we need a few people who read the nanog and iepg lists to stand up and say "I will filter and I expect you to do the same if you want to peer with me." Otherwise, it will be difficult for any single ISP to justify being the first to install peripheral filtering. We must have a consensus to move on this issue. Call it "peer pressure". :-)

--Kent
On Tue, 17 Sep 1996, Kent W. England wrote:
>> the attacks involving either a SYN proxy or a machine feeding RST's. These technical details belong on the firewalls list because the people on that list work with building DEFENSIVE mechanisms.
> Except that what we need are routers implementing traffic filtering on ISP input ports rather than firewalls defending customer premises from attacks coming from the ISPs.
We need both.
> I think we are dealing with two different markets and two different groups of people. I don't think that ISPs will protect themselves from this denial of service attack with firewalls. This is a router requirement.
Whether you put the firewall capability in a router or a separate box does not matter. The firewalls list is for people who want to talk about different defensive strategies and how to implement them.
> The most important point is that if we all decide that defense and tracing are of limited utility and that filtering is the only way to stop these attacks, then we need a few people who read the nanog and iepg lists to stand up and say "I will filter and I expect you to do the same if you want to peer with me." Otherwise, it will be difficult for any single ISP to justify being the first to install peripheral filtering. We must have a consensus to move on this issue. Call it "peer pressure". :-)
You can also frighten people like so...

Copyright 1996 by Michael Dillon, All Rights Reserved

By now everyone is well aware of the exploits of the legendary hacker Kevin Mitnick who broke into computers at the San Diego Supercomputer Center administered by Tsutomu Shimomura by using a couple of techniques known as source spoofing and SYN flooding. But few people are aware that these techniques have now been mastered by many other hackers estimated to be 20,000 strong in the USA alone. And surprisingly, few Internet sites have protected themselves from such attacks by installing simple source address filters on their routers. A variation on this type of attack shut down a New York ISP for hours at a time over a four day period early in September.

Anyone responsible for any services connected to the Internet should see to it that basic source address filters are installed in their routers. These filters will ensure that no packets can enter your network pretending to be from a trusted machine inside your network. And they will prevent packets from leaving your network unless they have proper local source addresses on them. The incoming filters will protect you from external spoofing attacks by hackers while the outgoing filters will ensure that you cannot be used as a launching board for hacker attacks and thus protect you from legal liability.

-----------------end of sample---------

Add some technical details on how to implement source address filtering and you will get LOTS of sites to install these filters. The copyright notice is up there because I intend to approach various magazine editors regarding an article on the subject. But if somebody wants to take a similar approach on a web page or a mailing list or at LISA or at NANOG or wherever, I think this is an effective angle to take. You know what they say: most people don't get the message until they read something for the SEVENTH time.

Michael Dillon - ISP & Internet Consulting
Memra Software Inc. - Fax: +1-604-546-3049
http://www.memra.com - E-mail: michael@memra.com
It is also important to remember that the SYN attack is only one in a class of one-way denial-of-service attacks. While hardening the servers on the net against this kind of attack is important (and is the province of the server/OS vendors, not the router or firewall vendors), the most effective way to end a denial of service attack is to trace it to its source, and terminate it there.

To be able to trace without doing a lot of link-by-link guesswork, the edges of the network need to be filtered, such that no customer of any ISP or NSP can inject packets into the Internet that are not part of the customer's assigned address space. This will give us a first approximation of an ability to figure out where this stuff comes from. While it's harder to trace if we get less than 100% compliance, if we get 60%, we know where to start looking for the perps - the remaining 40%.

The other nice effect of this requirement is that, in the implementations that I am aware of, it's cheaper to filter one big CIDR block than a bazillion disjoint address spaces, thus adding one more thump to the drumbeat for CIDR.

It is time for a Best Common Practice document.

Erik Fair
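The filter that Michael Dillon's sample article and Erik Fair's message both ask for, written out as an added example (this is not code from any list participant and not a router configuration; it is a small Python model of the decision a router's access list makes). It assumes a constructed address plan in which each customer-facing interface has an assigned address space, and an interface named "upstream" facing peers; all prefixes, interface names and packets below are constructed. It checks both directions named in the sample: a customer port only passes packets sourced from that customer's assigned space, and the upstream port drops packets that claim an inside source. It also collapses each customer's prefixes into the fewest CIDR blocks first, which is the "one big block is cheaper than many disjoint ones" point from Erik Fair's message.

```python
"""Source address filtering at an ISP edge, modelled in Python.

Two checks, matching the discussion on the list:
 * customer-facing interface: permit a packet only if its source address lies
   in the address space assigned to that port, so nothing spoofed can be
   injected into the Internet from it;
 * upstream/peer-facing interface: deny a packet whose source claims to be
   in our own (customer) address space, since legitimate traffic from inside
   never arrives from outside.
"""
import ipaddress
from dataclasses import dataclass

# Constructed example address plan (documentation prefixes, assigned to nobody).
# cust-a is deliberately given two adjacent /25s to show the CIDR collapse.
CUSTOMER_PREFIXES = {
    "cust-a": ["192.0.2.0/25", "192.0.2.128/25"],
    "cust-b": ["198.51.100.0/24"],
}

UPSTREAM_IFACE = "upstream"  # assumed name of the peer-facing port


@dataclass(frozen=True)
class Packet:
    """The three fields the filter needs: arrival interface, source, destination."""
    iface: str
    src: str
    dst: str


def build_filters(customer_prefixes):
    """Return (per_interface_allow, internal_space).

    per_interface_allow maps each customer interface to its assigned prefixes,
    collapsed into the fewest CIDR blocks; internal_space is the union of all
    of them, used on the upstream port to reject spoofed inside sources.
    """
    per_iface = {}
    for iface, prefixes in customer_prefixes.items():
        nets = [ipaddress.ip_network(p) for p in prefixes]
        per_iface[iface] = list(ipaddress.collapse_addresses(nets))
    internal = list(ipaddress.collapse_addresses(
        n for nets in per_iface.values() for n in nets))
    return per_iface, internal


def filter_packet(pkt, per_iface, internal, upstream_iface=UPSTREAM_IFACE):
    """Return 'permit' or 'deny:<reason>' for one packet."""
    src = ipaddress.ip_address(pkt.src)
    if pkt.iface == upstream_iface:
        # Inbound anti-spoofing: our own address space never arrives from a peer.
        if any(src in net for net in internal):
            return "deny:spoofed-internal-source"
        return "permit"
    allowed = per_iface.get(pkt.iface)
    if allowed is None:
        # A port with no assigned space may not source anything (fail closed).
        return "deny:unknown-interface"
    if any(src in net for net in allowed):
        return "permit"
    # Customer trying to inject packets outside its assigned address space.
    return "deny:source-not-assigned-to-port"


def apply_filters(packets, customer_prefixes=CUSTOMER_PREFIXES):
    """Run every packet through the filter; returns [(packet, verdict), ...]."""
    per_iface, internal = build_filters(customer_prefixes)
    return [(p, filter_packet(p, per_iface, internal)) for p in packets]


# Constructed sample traffic covering each case the filter handles.
SAMPLE = [
    Packet("cust-a", "192.0.2.10", "203.0.113.5"),     # legitimate customer traffic
    Packet("cust-a", "198.51.100.7", "203.0.113.5"),   # cust-a using cust-b's space
    Packet("cust-a", "10.9.8.7", "203.0.113.5"),       # arbitrary spoofed source
    Packet("upstream", "203.0.113.5", "192.0.2.10"),   # normal reply from the Internet
    Packet("upstream", "192.0.2.99", "192.0.2.10"),    # outside packet with an inside source
    Packet("lab0", "192.0.2.1", "203.0.113.5"),        # port with no assigned space
]

if __name__ == "__main__":
    for pkt, verdict in apply_filters(SAMPLE):
        print(f"{pkt.iface:9} {pkt.src:>14} -> {pkt.dst:<14} {verdict}")
```

The same rule set is what an access list on the customer port and on the upstream port would express; the model fails closed for an interface with no assigned space, which is the safe default when a new port is brought up before its prefixes are entered.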