This company has a tool that will supposedly alleviate the effects of a SYN attack.

Michael Dillon - ISP & Internet Consulting
Memra Software Inc. - Fax: +1-604-546-3049
http://www.memra.com - E-mail: michael@memra.com

---------- Forwarded message ----------
Date: Fri, 13 Sep 1996 10:56:28 -0400 (EDT)
From: Christopher Klaus <cklaus@iss.net>
To: firewalls@GreatCircle.COM
Subject: SYN Flooding [info]

[Below we have a software tool that will recognize SYN floods and correct the problem.]

Possible solution to SYN Flooding attacks

The attack is on! Both 2600 and Phrack, two of the biggest, best-known underground hacking magazines, have posted exploit code to do one of the nastiest denial of service attacks that the Internet has seen so far. Hundreds of people have access to these programs to bring down services on the Internet. Many of these people are targeting their attacks at various organizations such as ISPs. Panix, an ISP, has been under attack for quite a few days now and they have not been able to receive email. Many other ISPs are suffering from the SYN flood attack. This attack is being discussed on many mailing lists, newsgroups, and Thursday's Wall Street Journal (9/12/96). Fortunately a solution already exists, as we discuss below.

Everyone connected to the Internet relies on TCP/IP. When you establish a connection with TCP, you do a 3-way handshake. The connecting host sends a SYN packet to the receiving host. The receiving host sends a SYN|ACK packet back and, to fully establish a connection, the connecting host finally responds with an ACK packet. In a SYN flood attack, an attacker host sends many SYN packets and does not respond with an ACK to the SYN|ACKs. As the receiving host is waiting for more and more ACKs, the buffer queue will fill up and the receiving machine can no longer accept legitimate connections. This means that attackers can block your email, web, or any other service you are providing on the Internet.

To make this attack even worse, the code exploiting the problem randomizes the source address of the attacking host. Thus, the receiving machine gets packets that appear to be from all over the Internet, hiding the location of the attacker.

Solution

There are several things we can do to stop these attacks from being effective. With the routers for most ISPs, they should be blocking any non-internal addresses from leaving their network and going to the Internet. This will stop an attacker if their ISP implements this. Unfortunately, this does not stop an attack from areas on the Internet that do not block that. But at least the ISP can feel comfortable knowing that an attacker cannot launch his attack from that ISP.

Here are two methods of helping eliminate the problem. Some of the exploit code I have seen does not pick a random source port. It would be easy to block the attack with a router denying any packets coming from a specific source port. This may not be too effective because of the trivial nature of adding code to randomize the source port, sequence number, source address, and TTL. But it might help you temporarily if you notice the attacks have any pattern that can be blocked by router rules.

Another way to fix this is to set the kernel maximum number of half open connections allowed (SO_MAXCONN) to a higher number than the default value.

We have a tool that will look for SYN packets that do not get followed with an ACK and clean the half open connections by sending a RST packet. This unclogs the port and allows legitimate connections to happen. This tool is called RealSecure (tm). To obtain a copy of the RealSecure tool, send email to majordomo@Iss.net and within the body of the message, type:

subscribe realsecure

RealSecure (tm) is a comprehensive attack recognition and real time response tool that ISS is alpha testing and will expire in 60 days.

--
Christopher William Klaus  Voice: (770)395-0150. Fax: (770)395-1972
Internet Security Systems, Inc.  Ste. 660, 41 Perimeter Center East, Atlanta, GA 30346
Web: http://www.iss.net/  Email: cklaus@iss.net
"Internet Scanner finds your network security holes before the hackers do."
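The half-open queue that Klaus's message describes, as an added model (not code from the thread, from ISS, or from any kernel): a listener keeps a table of SYNs still waiting for their ACK, bounded by a backlog (the role the message gives SO_MAXCONN) and aged out by a SYN timeout. An external cleaner that RSTs stale half-open entries, like the tool the message advertises, acts on the same table by shortening the effective timeout from outside, so it is represented here by the timeout parameter. Backlog sizes, timeouts, attack rates and the spoofed and client addresses are assumptions constructed to show the effect, not measurements of the Panix attack; times are integer milliseconds.

```python
"""Model of a TCP listener's half-open (SYN_RECEIVED) queue under a SYN flood.

Added illustration, not code from the thread or from ISS.  Backlog, SYN timeout,
attack rate and client arrival pattern are assumptions chosen to show the effect,
not measurements of the Panix attack.  Times are integer milliseconds.
"""
from collections import deque


class Listener:
    """One listening socket: a bounded table of SYNs still waiting for their ACK."""

    def __init__(self, backlog, syn_timeout_ms):
        self.backlog = backlog              # max half-open entries; None = no limit (test removed)
        self.syn_timeout = syn_timeout_ms   # how long a SYN_RECEIVED entry is kept
        self.half_open = {}                 # (src_ip, src_port) -> expiry time
        self.order = deque()                # (expiry, key); FIFO == expiry order (single timeout)
        self.accepted = 0                   # handshakes completed by an ACK
        self.refused = 0                    # SYNs dropped because the table was full
        self.peak = 0                       # largest table size seen

    def _expire(self, now):
        """Drop entries whose timeout has passed (what the kernel's SYN timer does)."""
        while self.order and self.order[0][0] <= now:
            expiry, key = self.order.popleft()
            if self.half_open.get(key) == expiry:    # still pending, not already completed
                del self.half_open[key]

    def on_syn(self, now, src):
        self._expire(now)
        if src in self.half_open:                    # retransmitted SYN: keep existing entry
            return True
        if self.backlog is not None and len(self.half_open) >= self.backlog:
            self.refused += 1                        # the flood's goal: table full, SYN ignored
            return False
        expiry = now + self.syn_timeout
        self.half_open[src] = expiry
        self.order.append((expiry, src))
        self.peak = max(self.peak, len(self.half_open))
        return True

    def on_ack(self, now, src):
        self._expire(now)
        if src not in self.half_open:                # no SYN_RECEIVED state, e.g. already timed out
            return False
        del self.half_open[src]
        self.accepted += 1
        return True


def run_flood(backlog, syn_timeout_ms, attack_rate, duration_ms=60_000,
              legit_interval_ms=5_000, rtt_ms=100):
    """Replay a spoofed-source flood plus a trickle of real clients against one listener.

    attack_rate is SYNs per second and must divide 1000 (one SYN every 1000/rate ms).
    Real clients send one SYN every legit_interval_ms and ACK one RTT later.
    Returns counts for the legitimate clients and the peak table size.
    """
    assert 1000 % attack_rate == 0
    listener = Listener(backlog, syn_timeout_ms)
    events = []                                      # (time_ms, kind, (src_ip, src_port))
    step = 1000 // attack_rate
    for n, t in enumerate(range(0, duration_ms, step)):
        # Constructed spoofed sources: a fresh address/port per SYN, never acknowledged.
        spoofed = (f"10.{(n >> 16) & 255}.{(n >> 8) & 255}.{n & 255}", 1024 + n % 60000)
        events.append((t, "syn", spoofed))
    legit = set()
    for j, t in enumerate(range(50, duration_ms, legit_interval_ms)):
        client = (f"192.0.2.{j % 250 + 1}", 40000 + j)   # constructed real client
        legit.add(client)
        events.append((t, "syn", client))
        events.append((t + rtt_ms, "ack", client))
    events.sort(key=lambda e: e[0])                  # stable sort: ties keep attacker first
    legit_refused = 0
    for t, kind, src in events:
        if kind == "syn":
            if not listener.on_syn(t, src) and src in legit:
                legit_refused += 1
        else:
            listener.on_ack(t, src)
    return {"legit_attempts": len(legit), "legit_accepted": listener.accepted,
            "legit_refused": legit_refused, "peak_half_open": listener.peak}


if __name__ == "__main__":
    # Small table, long timeout: 10 SYN/s is enough to jam it after the first client.
    print(run_flood(backlog=8, syn_timeout_ms=75_000, attack_rate=10))
    # Bigger table alone: 1000 SYN/s fills 1024 slots in about a second.
    print(run_flood(backlog=1024, syn_timeout_ms=75_000, attack_rate=1000))
    # No limit and a 7 s timeout: the table settles near attack rate x timeout.
    print(run_flood(backlog=None, syn_timeout_ms=7_000, attack_rate=1000))
```

The three runs make the trade-off in the message concrete: the table holds roughly attack rate multiplied by SYN timeout entries, so raising the backlog helps only while that product stays below the new limit, and shortening the timeout (in the kernel, or by RSTing stale entries from outside) lowers the product directly at the cost of dropping slow legitimate clients whose ACK arrives later than the timeout.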
> The attack is on! Both 2600 and Phrack, two of the biggest, best-known underground hacking magazines, have posted exploit code to do one of the nastiest denial of service attacks that the Internet has seen so far. Hundreds of people have access to these programs to bring down services on the Internet. Many of these people are targeting their attacks at various organizations such as ISPs. Panix, an ISP, has been under attack for quite a few days now and they have not been able to receive email. Many other
The reporting on these events has sucked big-time. Panix couldn't receive mail for two multiple-hour periods. After that, telnet and web ports were attacked. We're not going to talk about implementations, but some solutions have been implemented. Alexis feels that it's very important to get wide press coverage, to help to force ISPs/NSPs to filter outbound crap from their network. I agree that everyone from the small to the large regional should do this.
> Another way to fix this is to set the kernel maximum number of half open connections allowed (SO_MAXCONN) to a higher number than the default value.
Or eliminate it; a Sparc 1+ has been able to handle over 1000 syns/sec while still serving w/ no SO_MAXCONN (the test eliminated in the kernel) and with the SYN timeout set to 7 seconds (a bit aggressive, we may use 15 seconds when we put these patches in permanently tomorrow).
> We have a tool that will look for SYN packets that do not get followed with an ACK and clean the half open connections by sending a RST packet. This unclogs the port and allows legitimate connections to happen. This tool is called RealSecure (tm). To obtain a copy of the RealSecure tool, send email to majordomo@Iss.net and within the body of the message, type:
>
> subscribe realsecure
>
> RealSecure (tm) is a comprehensive attack recognition and real time response tool that ISS is alpha testing and will expire in 60 days.
This sounds very good... Maybe someone will even post a free, limited-function one as goodwill.
> --
> Christopher William Klaus  Voice: (770)395-0150. Fax: (770)395-1972
> Internet Security Systems, Inc.  Ste. 660, 41 Perimeter Center East, Atlanta, GA 30346
> Web: http://www.iss.net/  Email: cklaus@iss.net
> "Internet Scanner finds your network security holes before the hackers do."
Avi
> Alexis feels that it's very important to get wide press coverage, to help to force ISPs/NSPs to filter outbound crap from their network.
While I agree with the goal here, I've been a bit disturbed by the undercurrent of antipathy toward 'clueless small ISPs'. I'm as small as ISPs come, and I've been outbound filtering against source addresses not in my address space at least since last April. How many of the clueful here can say that? Not many, I'll venture. For that matter, when did Alexis begin filtering outbound?

I'd like the concept changed from 'forcing' to 'educating' and to have it done without disparagement for not already knowing.

--
Dick St.Peters, Gatekeeper, Pearly Gateway, Ballston Spa, NY
stpeters@NetHeaven.com
Owner, NetHeaven 518-885-1295/800-910-6671
Albany/Saratoga/Glens Falls/North Creek/Lake Placid/Blue Mountain Lake
First Internet service based in the 518 area code
> > Alexis feels that it's very important to get wide press coverage, to help to force ISPs/NSPs to filter outbound crap from their network.
>
> While I agree with the goal here, I've been a bit disturbed by the undercurrent of antipathy toward 'clueless small ISPs'. I'm as small as ISPs come, and I've been outbound filtering against source addresses not in my address space at least since last April. How many of the clueful here can say that? Not many, I'll venture. For that matter, when did Alexis begin filtering outbound?
>
> I'd like the concept changed from 'forcing' to 'educating' and to have it done without disparagement for not already knowing.
>
> Dick St.Peters, Gatekeeper, Pearly Gateway, Ballston Spa, NY
Umm, if you've been outbound filtering against source addresses not in your address space for many moons, then by definition you are not a 'clueless small ISP'... Avi
-->
-->> > Alexis feels that it's very important to get wide press coverage, to
-->> > help to force ISPs/NSPs to filter outbound crap from their network.
-->>
-->> While I agree with the goal here, I've been a bit disturbed by the
-->> undercurrent of antipathy toward 'clueless small ISPs'. I'm as small
-->> as ISPs come, and I've been outbound filtering against source
-->> addresses not in my address space at least since last April. How many
-->> of the clueful here can say that? Not many, I'll venture. For that
-->> matter, when did Alexis begin filtering outbound?
-->>
-->> I'd like the concept changed from 'forcing' to 'educating' and to have
-->> it done without disparagement for not already knowing.
-->>
-->> Dick St.Peters, Gatekeeper, Pearly Gateway, Ballston Spa, NY
-->
-->Umm, if you've been outbound filtering against source addresses not in your
-->address space for many moons, then by definition you are not a 'clueless
-->small ISP'...
-->
-->Avi
-->

I have been looking through the Bay Networks MIB specification to see how to filter outbound packets. I understand the concept of filtering outbound packets, but am unable to use their Site Manager program to implement the filters. I know where to look in the MIB, but the MIB specification says "a binary representation of the filter" here and does not elaborate. If it were a Cisco, I could easily filter our outbound traffic.

If any of you have access to a Bay Networks router that is not in production, please consider creating some sample filters so I can figure out how to create my own. Or if you have a batch file that does it, that would be nice too.

Thanks in advance.

--
-------------------------------------------
| Jeremy Hall      Network Engineer       |
| ISDN-Net, Inc    Office +1-615-371-1625 |
| Nashville, TN and the southeast USA     |
| jhall@isdn.net   Pager +1-615-702-0750  |
-------------------------------------------
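The outbound source-address filter the thread keeps recommending, as an added Python model of the decision it makes (not Bay Networks or Cisco configuration, and not part of the thread, so it does not answer Jeremy's question about Site Manager). The two prefixes standing in for the ISP's address space, the sample packets and the seeded random-source flood are all constructed from documentation ranges, not real allocations; the point it adds to the prose is how completely a random-source flood dies at its own ISP's edge once the check is in place.

```python
"""Model of the outbound (egress) source-address filter the thread recommends.

Added example, not router configuration and not from the thread: it shows only
the decision such a filter makes at an ISP's border.  Prefixes and packets are
constructed from RFC 5737 documentation ranges, not real allocations.
"""
import ipaddress
import random

# Assumed: the address space this ISP announces and is responsible for.
OUR_PREFIXES = [ipaddress.ip_network(p) for p in ("192.0.2.0/24", "198.51.100.0/24")]


def egress_permit(src_ip, prefixes=OUR_PREFIXES):
    """True if a packet leaving our network may carry src_ip as its source address."""
    addr = ipaddress.ip_address(src_ip)
    return any(addr in net for net in prefixes)


def filter_outbound(packets, prefixes=OUR_PREFIXES):
    """Split (src_ip, dst_ip, dst_port) packets into (forwarded, dropped) lists."""
    forwarded, dropped = [], []
    for pkt in packets:
        (forwarded if egress_permit(pkt[0], prefixes) else dropped).append(pkt)
    return forwarded, dropped


def spoofed_flood(count, seed=1996, dst="203.0.113.25", dport=25):
    """Constructed stand-in for a flood tool that randomises its source address."""
    rng = random.Random(seed)
    return [(str(ipaddress.IPv4Address(rng.getrandbits(32))), dst, dport)
            for _ in range(count)]


# Constructed trace: two real customers' SYNs plus two with sources that are not ours.
SAMPLE = [
    ("192.0.2.17", "203.0.113.25", 25),
    ("198.51.100.9", "203.0.113.25", 80),
    ("172.16.4.4", "203.0.113.25", 25),      # source not in our space: spoofed
    ("203.0.113.77", "203.0.113.25", 25),    # source not in our space: spoofed
]


if __name__ == "__main__":
    fwd, drop = filter_outbound(SAMPLE)
    print(f"sample trace: {len(fwd)} forwarded, {len(drop)} dropped")
    fwd, drop = filter_outbound(spoofed_flood(1000))
    print(f"random-source flood: {len(fwd)} forwarded, {len(drop)} dropped")
```

With two /24s out of the whole IPv4 space, a flood that picks its source at random almost never produces an address the filter would pass, which is why the thread treats this one rule at every ISP as the fix for the spoofing half of the attack; it does nothing for SYNs that are not spoofed, and it protects other people's servers rather than your own.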
participants (4)
- Avi Freedman
- Dick St.Peters
- Michael Dillon
- Mr. Jeremy Hall