Re: syn attack and source routing
Alexis Rosen <alexis@panix.com> wrote:
Or better yet, the ICMP TRACEROUTE message, which would go hop by hop and on every hop generates a response message. Augmented with PROXY TRACEROUTE which will cause the destination box to send out the ICMP TRACEROUTE.
I'm very surprised that no one has mentioned what seems to me to be the *really* serious drawback to this scheme. Remember how much grief you had the last time someone did a news sendsys forged to your name? (If it's never happened to you, be glad...) This sort of attack got so bad that the default setup these days is to ignore sendsys.
Yes, indeed a single traceroute packet with a forged address can generate many responses. However, there is at least one technique to eliminate its usefulness as an attack weapon -- namely source address filtering (which is going to be implemented anyway, sooner or later; there are other types of attacks). Another way is to have ICMP TRACEROUTE return one packet with all information _and_ the IP address of the next hop router (i.e. replace recursive behaviour with iterative). It is still more useful than the UDP kludge; and it will still work in case of load-sharing. Actually, the "multiplication" type of flooding attacks is nothing new, but they are more easily done at the application level. For example, connecting to different SNMP speakers and causing them to send a long error reply to the target address. Or subscribing the victim to many many mailing lists (including USENET gateways, urgh!). Or using MBONE feeds creatively. --vadim
(Apologies for resurrecting the old ICMP TRACEROUTE thread.) In message <199609272118.OAA01404@quest.quake.net> Vadim wrote:
Alexis Rosen <alexis@panix.com> wrote:
I'm very surprised that no one has mentioned what seems to me to be the *really* serious drawback to this scheme.
Yes, indeed a single traceroute packet with forged address can generate many responses.
Unless you use a scheme similar to multicast traceroute, which uses a single packet which travels hop-by-hop and gets more information appended to the packet at each hop. There is a hop limit in the packet to be able to do "expanding-length" searches like traceroute does now, or if you set the hop limit to 255 the full path will be traced if every hop supports traceroute and you will get one big answer packet back. Bill
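The three designs discussed in this thread can be compared side by side in a small model: the per-hop-response traceroute that Alexis objects to (every hop answers the claimed source, so a forged source receives one packet per hop), the single-answer scheme Bill describes (each hop appends itself to the probe and only the last hop reached replies), and the source address filtering Vadim proposes at the first hop. The following Python is an added example written for this page, not code from any of the posters; the five-hop topology, the customer prefix 192.0.2.0/24 and the forged source 203.0.113.5 are constructed values, and the filter assumes the first hop hears from exactly one customer prefix.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed topology: five router hops between the probe's entry point and the
# destination. Addresses are private/documentation ranges, not real hosts.
PATH = ["10.0.1.1", "10.0.2.1", "10.0.3.1", "10.0.4.1", "10.0.5.1"]
# Constructed assumption: the first hop only ever hears from one customer prefix,
# so a source address outside it cannot legitimately arrive on that interface.
CUSTOMER_PREFIX = ipaddress.ip_network("192.0.2.0/24")


@dataclass
class Probe:
    src: str            # claimed source address (may be forged)
    hop_limit: int      # how many hops the probe may traverse
    record: list = field(default_factory=list)  # hops appended in the single-answer design


def ingress_filter(probe, allowed_prefix):
    """Source address filtering at the first hop: accept the probe only if its
    source address belongs to the prefix expected on this interface."""
    return ipaddress.ip_address(probe.src) in allowed_prefix


def recursive_traceroute(probe, path):
    """Per-hop response design: every hop the probe reaches answers probe.src
    directly. Returns the (sender, receiver) pairs of the responses generated."""
    return [(hop, probe.src) for hop in path[:probe.hop_limit]]


def iterative_traceroute(probe, path):
    """Append-in-packet design: each hop appends itself to the probe and forwards
    it; only the last hop reached (destination or hop-limit point) sends one
    answer back to probe.src."""
    reached = path[:probe.hop_limit]
    probe.record.extend(reached)
    return [(reached[-1], probe.src)] if reached else []


def responses_to_source(src, hop_limit, path=PATH, allowed_prefix=CUSTOMER_PREFIX,
                        filtering=True):
    """Count the packets that end up at `src` under both designs, optionally with
    source address filtering at the first hop. Returns a dict of counts."""
    if filtering and not ingress_filter(Probe(src, hop_limit), allowed_prefix):
        return {"recursive": 0, "iterative": 0, "dropped_at_ingress": True}
    return {
        "recursive": len(recursive_traceroute(Probe(src, hop_limit), path)),
        "iterative": len(iterative_traceroute(Probe(src, hop_limit), path)),
        "dropped_at_ingress": False,
    }


def expanding_length_search(src, path=PATH):
    """Traceroute-style search with the single-answer design: raise the hop limit
    by one per probe until the destination appears at the end of the returned
    record. Returns (number_of_probes_sent, recorded_path)."""
    for hop_limit in range(1, len(path) + 1):
        probe = Probe(src, hop_limit)
        iterative_traceroute(probe, path)
        if probe.record and probe.record[-1] == path[-1]:
            return hop_limit, probe.record
    return len(path), []


if __name__ == "__main__":
    print("legitimate source, hop limit 255:", responses_to_source("192.0.2.10", 255))
    print("forged source, filtering on:     ", responses_to_source("203.0.113.5", 255))
    print("forged source, filtering off:    ",
          responses_to_source("203.0.113.5", 255, filtering=False))
    print("expanding-length search:", expanding_length_search("192.0.2.10"))
```

With filtering off, a forged source receives one packet per hop under the per-hop-response design and exactly one under the append-in-packet design, which is the amplification difference the thread is about; with filtering on, the forged probe never leaves the first hop, so neither design generates traffic toward the victim. The expanding-length search shows that the single-answer design still supports the incremental probing traceroute users expect, at the cost of one probe per hop instead of one reply per hop.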
participants (2)
- Bill Fenner
- Vadim Antonov