RE: New Denial of Service Attack on Panix
From: Paul A Vixie[SMTP:paul@vix.com] Sent: Monday, September 16, 1996 9:44 PM
Rather than "educate the enemy" via public discussion, I think it would be best if those capable of contributing to solutions to this problem:
1. Collaborated in private
2. Developed a consensus "I-D"
If a solution is developed whose effectiveness is not weakened by making the details public, it can be published. If that is not the case, the solution can be made available in private to "known entities".
Make sense?
No, I don't think it makes sense. Aside from the lawsuits targeting you for conspiracy if you don't include everybody who needs the ongoing partial results in order to stay in business, there is NO solution to this that depends on any kind of algorithmic privacy.
Paul, since you have stepped forward to risk lawsuits from blacklisted spammers, it would only be fair for one of the rest of us to accept liability for this one. Where do I sign up? ;-)

I hope you are right, as the public discussion clearly is very worthwhile...
-- Jim
Howdy,

Could we drop the SYN/Denial thread? It's becoming rather base.

I think there are other larger issues at stake in the world, like routing table growth, code problems, and short-thinking providers who don't retain talent to intelligently/reliably grow their network.

If the thread is of continued significant benefit, I'd be happy to host a mail list. SYNDRIVEL, there's a name. Perhaps another could be suggested? Please don't thread off that question :-)

-alan
On Tue, 17 Sep 1996, Alan Hannan wrote:
Could we drop the SYN/Denial thread? It's becoming rather base.
The discussion could always be moved to the firewalls list. Its address is firewalls@greatcircle.com with the usual -request address for subscribing via Majordomo.
and short-thinking providers who don't retain talent to intelligently/reliably grow their network.
Now, that's a rather interesting topic, and timely too. Why is this happening? Is it really all that bad? Could it be seen as a way of releasing the talent to help create newer organizations/ventures that can do a better job without being saddled with the baggage of the past?

NOTE: before you subscribe to firewalls you may wish to check the archives at http://www.greatcircle.com since it does attract its share of newbies and people looking to buy or sell firewalls for their oddball NT/Novell over token ring type networks. But it *IS* frequented by firewall designers as well.

Michael Dillon - ISP & Internet Consulting
Memra Software Inc. - Fax: +1-604-546-3049
http://www.memra.com - E-mail: michael@memra.com
Michael Dillon writes:
On Tue, 17 Sep 1996, Alan Hannan wrote:
Could we drop the SYN/Denial thread? It's becoming rather base.
The discussion could always be moved to the firewalls list.
I would suggest that it not be. This is actually a crisis that has to be solved by action taken by service providers working together, and does not involve conventional firewalls per se. I would say that it is therefore germane to Nanog.

Perry
On Tue, 17 Sep 1996, Perry E. Metzger wrote:
Michael Dillon writes:
On Tue, 17 Sep 1996, Alan Hannan wrote:
Could we drop the SYN/Denial thread? It's becoming rather base.
The discussion could always be moved to the firewalls list.
I would suggest that it not be. This is actually a crisis that has to be solved by action taken by service providers working together, and does not involve conventional firewalls per se. I would say that it is therefore germane to Nanog.
If we're voting, I'd say inet-access. SYN attacks and defense are more centered on the ISP's than the backbones.

--- David Miller
It's *amazing* what one can accomplish when one doesn't know what one can't do!
On Tue, 17 Sep 1996, Perry E. Metzger wrote:
Michael Dillon writes:
On Tue, 17 Sep 1996, Alan Hannan wrote:
Could we drop the SYN/Denial thread? It's becoming rather base.
The discussion could always be moved to the firewalls list.
I would suggest that it not be. This is actually a crisis that has to be solved by action taken by service providers working together, and does not involve conventional firewalls per se. I would say that it is therefore germane to Nanog.
If we're voting, I'd say inet-access. SYN attacks and defense are more centered on the ISP's than the backbones.
--- David Miller
Sigh. My feeling is that host-based solutions should be discussed on inet-access, but mentioned briefly also on nanog so that providers can note them to give pointers to their customers.

And there probably is too much SYN-related traffic on nanog anyway. The plea has been made: You should - or you should encourage your customers to - filter garbage inbound to you from them or outbound from them to you. You should come up with a plan to nail the source of SYN attacks quickly if the trail leads to your network as the source.

Avi
From: Avi Freedman <freedman@netaxs.com>
Subject: Re: New Denial of Service Attack on Panix
Sigh. My feeling is that host-based solutions should be discussed on inet-access, but mentioned briefly also on nanog so that providers can note them to give pointers to their customers.
And there probably is too much SYN-related traffic on nanog anyway. The plea has been made: You should - or you should encourage your customers to - filter garbage inbound to you from them or outbound from them to you. You should come up with a plan to nail the source of SYN attacks quickly if the trail leads to your network as the source.
Short term, this discussion seems appropriate for nanog.

On topic: Most of the discussion has been about stopping these general kinds of attacks from dial-up providers, ISP's. I've not heard much about what seems to be the other major source of potential problems, namely universities and schools. They seem to provide a somewhat more involved challenge in the effort to source filter outbound packets. It's hard to imagine an NSP that is serving a regional attempting to put packet filters on a 7xxx servicing a fully loaded ds3 or two that is connected to a regional, much less the management nightmare that upkeeping that filter would be. So it has to happen closer to the source.

It would be interesting to hear an opinion from some networking folks at the regionals or at campuses about whether this kind of filtering can or will be done...

RobS

Disclaimer - This is *not* an attempt to slam anybody, just to discuss..
David Miller wrote:
On Tue, 17 Sep 1996, Perry E. Metzger wrote:
Michael Dillon writes:
On Tue, 17 Sep 1996, Alan Hannan wrote:
Could we drop the SYN/Denial thread? It's becoming rather base.
The discussion could always be moved to the firewalls list.
I would suggest that it not be. This is actually a crisis that has to be solved by action taken by service providers working together, and does not involve conventional firewalls per se. I would say that it is therefore germane to Nanog.
If we're voting, I'd say inet-access. SYN attacks and defense are more centered on the ISP's than the backbones.
Those of us running backbones (well, some of us, anyway) are spending a portion of our energies tracing these attacks. The discussion here is proving helpful, and I definitely think it should continue.

What sort of experiences have people had eliciting cooperation from other providers, when attempting to trace? I'm currently attempting to trace one, and have gotten it to the edge of our network, but have spent the last twelve hours attempting to get cooperation from the NSP at mae-west I've tracked it to.

+j
Jeff Rizzo writes:
Those of us running backbones (well, some of us, anyway) are spending a portion of our energies tracing these attacks. The discussion here is proving helpful, and I definitely think it should continue.
What sort of experiences have people had eliciting cooperation from other providers, when attempting to trace?
Largely bad ones :(
I'm currently attempting to trace one, and have gotten it to the edge of our network, but have spent the last twelve hours attempting to get cooperation from the NSP at mae-west I've tracked it to.
We need to get some sort of rapid response system going so that people can know who to call to get cooperation quickly -- the phone tag problem alone right now is causing significant damage...

Perry
On Tue, 17 Sep 1996, David Miller wrote:
Could we drop the SYN/Denial thread? It's becoming rather base.
The discussion could always be moved to the firewalls list.
Some part of the discussion involves the technical details of hardening OS kernels as well as a couple of alternate solutions for defending against the attacks involving either a SYN proxy or a machine feeding RST's. These technical details belong on the firewalls list because the people on that list work with building DEFENSIVE mechanisms.
I would suggest that it not be. This is actually a crisis that has to be solved by action taken by service providers working together, and does not involve conventional firewalls per se. I would say that it is therefore germane to Nanog.
Quite correct. We need better ways to trace the source of these attacks. We need more cooperation between providers. We need educational material that explains who should do what.
If we're voting, I'd say inet-access. SYN attacks and defense are more centered on the ISP's than the backbones.
inet-access and other ISP mailing lists are most relevant for the PREVENTION of SYN flood attacks. This is where we need to hammer home the need for filtering outgoing routes. So far we have come up with detailed instructions for configuring a Cisco, a Livingston and a Bay router to block SYN spoofing. I'd like to see instructions for a FreeBSD/Linux box running ipfwadm as well. Any others?

I suppose it is relevant to tell ISP's to install hardened OS kernels but if they don't then it only hurts them, not the rest of the net.

Michael Dillon - ISP & Internet Consulting
Memra Software Inc. - Fax: +1-604-546-3049
http://www.memra.com - E-mail: michael@memra.com
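The filtering the thread keeps asking providers to deploy (Avi's "filter garbage ... outbound from them to you" and Michael's router instructions above) comes down to one rule: a packet may leave a customer link only if its source address belongs to a prefix assigned to that link, so a flood with forged sources cannot get past the first hop. The following is an added Python model of that rule, not code from the thread or from any of the routers it names; the customer links, prefixes, and sample packets are constructed for illustration, and the martian list is the classic set of never-routable sources.

```python
# Added example: a model of outbound source-address validation at an ISP edge.
# The ISP forwards a customer's packet only if its source lies inside a prefix
# delegated to that link; martian sources are dropped regardless of assignment.
# Link names, prefixes and packets below are constructed for illustration.
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    flags: str  # TCP flags, e.g. "S" for a SYN


# Hypothetical customer assignments: link name -> prefixes delegated to it.
CUSTOMER_PREFIXES = {
    "dialup-pool-1": ["192.0.2.0/24"],
    "campus-A": ["198.51.100.0/24", "203.0.113.0/25"],
}

# Sources that should never appear on the wire from a customer link:
# "this" network, RFC 1918 space, loopback and multicast.
MARTIANS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4",
)]


def build_filter(assigned):
    """Return allow(link, pkt) -> bool for the given link -> prefix table."""
    table = {link: [ipaddress.ip_network(p) for p in prefixes]
             for link, prefixes in assigned.items()}

    def allow(link, pkt):
        src = ipaddress.ip_address(pkt.src)
        if any(src in m for m in MARTIANS):
            return False
        # Only sources the ISP itself handed to this link may leave through it;
        # an unknown link has no prefixes and therefore forwards nothing.
        return any(src in net for net in table.get(link, []))

    return allow


def apply_filter(allow, link, packets):
    """Split packets into (forwarded, dropped) lists for one customer link."""
    forwarded, dropped = [], []
    for pkt in packets:
        (forwarded if allow(link, pkt) else dropped).append(pkt)
    return forwarded, dropped


# Constructed traffic seen on the dial-up link: one legitimate SYN, then SYNs
# whose sources were not assigned to that link.
SAMPLE = [
    Packet("192.0.2.17", "203.0.113.200", "S"),    # inside the pool: forward
    Packet("10.4.4.4", "203.0.113.200", "S"),      # RFC 1918 source: martian
    Packet("198.51.100.9", "203.0.113.200", "S"),  # another customer's prefix
    Packet("0.0.0.0", "203.0.113.200", "S"),       # unspecified source
]

if __name__ == "__main__":
    allow = build_filter(CUSTOMER_PREFIXES)
    fwd, drp = apply_filter(allow, "dialup-pool-1", SAMPLE)
    print("forwarded:", [p.src for p in fwd])
    print("dropped:  ", [p.src for p in drp])
```

The same per-link table is what a router access list expresses: one permit entry per delegated prefix on the customer-facing interface, followed by a deny for everything else. Keeping the table keyed by link rather than by the ISP's whole address space matters, since a customer on one link should not be able to forge addresses belonging to a neighbouring customer either.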
Alan Hannan writes:
Could we drop the SYN/Denial thread? It's becoming rather base.
I think there are other larger issues at stake in the world, like routing table growth, code problems, and short-thinking providers who don't retain talent to intelligently/reliably grow their network.
I think you are seriously underestimating the damage caused by this problem. We've already had at least one ISP nearly shut down by this, threatening people's livelihoods. If someone shut down GI.NET with this tool, you would probably find it to be a pretty damn critical problem from your perspective. This is a far bigger immediate threat than routing table growth. If fixes aren't deployed soon, the internet will be in serious trouble.

Luckily, as with most internet crises, we will deploy fixes and get around this -- the internet is not going to die. However, I will point out the reason that the internet doesn't die when we have crises is that we deploy fixes. We will survive this, BUT ONLY IF WE TAKE IT SERIOUSLY.

I agree that in the *long term*, routing table growth is a bigger problem, since in six months we will have fully fixed this particular problem and routing tables will still be with us. However, if you think long and hard about the sorts of damage that could be done by a sufficiently psychopathic individual using this tool you will realize that having routes depends on having an internet that functions, and that keeping the internet functioning at all is no less important than having it function in the long term.

We must fix this problem now, and until the majority of ISPs are filtering their outbound packets, the topic must remain important. So, if you want us to quit talking about it, please do your part. Is GI.NET filtering its outbound packets yet?

Perry
participants (8)
- Alan Hannan
- Avi Freedman
- David Miller
- Jim Browning
- Michael Dillon
- Perry E. Metzger
- riz@netcom.com
- Rob Skrobola