[1132] in linux-security and linux-alert archive


Re: [linux-security] inetd and denial-of-service

daemon@ATHENA.MIT.EDU (Speed Racer)
Tue Sep 3 08:02:10 1996

Date: Mon, 2 Sep 1996 18:38:19 -0400 (EDT)
From: Speed Racer <shagboy@dns.bluesky.net>
To: route@onyx.infonexus.com
cc: linux-security@tarsier.cv.nrao.edu
In-Reply-To: <19960827164155.16431.qmail@onyx.infonexus.com>

On Tue, 27 Aug 1996 route@onyx.infonexus.com wrote:

> | explain why a randomly chosen source IP is a bad idea, which was what I 
> | was trying to clarify.
> 
> 	Because you have NO way of verifying if a host is unreachable or
> 	not when you pick an IP address out of thin air.  Just like when you
> 	generate a large odd number.  You cannot guarantee it's prime without
> 	testing it for primality...

Big deal.  I can write a program to send out over 100 packets a second
with totally random addresses, and odds are many of them will not be
reachable.  The point is that my program to do it randomly and hope for
the best will still lock up a port just as fast as if you hand-pick
unreachable addresses, and I don't have to do anything but start my
program and walk away.

> | Sure you have.  If they use that same IP over and over again, you can 
> | spot a potential SYN flood from that particular host and refuse to accept 
> | any more SYN's from that host.  Contrary to what you may think, this can 
> | be done in user space with an ipfwadm-like tool; we just need the hooks 
> | in the kernel to allow policies to be changed on the fly.
> 
> 	This is why you will see many SYN floods with different source
> 	addresses in each wave of packets, or even better, in each
> 	packet.

And a great way to get different addresses in each packet?  Generate them
randomly!

You can drop the unreachable connects pretty fast by seeing (at least) if
they can be reversed in the DNS and dropping those which can't be.  Yes,
there are plenty of IP's which won't reverse.  But since we're in the
middle of a SYN flood, we don't really care too much about them.  We only
want to allow those hosts we KNOW are good during the flood, and when it's
over we can once again allow them all.

[REW: A reverse map will take up to several minutes. Most notably if
the hosts together with their DNS servers are unreachable. Moreover 
you can cause a packet explosion: you get the target to send more 
packets than you need to trigger that behaviour.]

It's not a perfect solution, but it is better than nothing and will work
until something better (e.g., IPv6 or routers which look for this kind of
thing) comes along.

shag

Judd Bourgeois   shagboy@bluesky.net
  Finger for PGP public key
There's a lost man with a bitter soul
For only a moment did life make him whole
And while he was, he thought he was invincible...
  Matthew Sweet, "Smog Moon"
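The two scenarios argued over in this exchange (one host reusing a source address versus a fresh address in every packet) as an added example that is not code from the list post or from anyone in the thread: constructed SYN records are run through a per-source threshold like the ipfwadm-style policy proposed above and through an aggregate per-port threshold, showing which of the two still fires when sources are randomized. The record layout, address ranges and threshold values are assumptions.

```python
"""Compare per-source and per-port SYN-flood detection on constructed data.
Added example; not code from the mailing-list post or the thread."""
from collections import Counter

# Constructed SYN records seen on the server side: (seconds, source IP, dst port).
# Wave A: one host reuses its address for 60 SYNs against port 80.
# Wave B: 60 SYNs against port 80, each from a different source address.
# Plus a little legitimate traffic mixed into both.
WAVE_A = [(t, "192.0.2.7", 80) for t in range(60)]
WAVE_B = [(t, "198.51.100.%d" % (t + 1), 80) for t in range(60)]
LEGIT = [(5, "203.0.113.10", 80), (6, "203.0.113.11", 80),
         (7, "203.0.113.10", 443), (40, "203.0.113.10", 80)]


def in_window(records, now, window):
    """Keep only records from the last `window` seconds up to `now`."""
    return [r for r in records if now - window < r[0] <= now]


def per_source_offenders(records, limit):
    """Sources that sent more than `limit` SYNs: the per-host policy
    (refuse further SYNs from a host seen flooding) discussed in the thread."""
    counts = Counter(src for _, src, _ in records)
    return sorted(src for src, n in counts.items() if n > limit)


def per_port_pressure(records, backlog):
    """Ports whose total SYN count exceeds the assumed listen backlog,
    regardless of how many distinct sources contributed."""
    counts = Counter(port for _, _, port in records)
    return sorted(port for port, n in counts.items() if n > backlog)


def evaluate(records, now=59, window=60, limit=10, backlog=32):
    """Run both checks over the last `window` seconds of records."""
    recent = in_window(records, now, window)
    return {
        "per_source": per_source_offenders(recent, limit),
        "per_port": per_port_pressure(recent, backlog),
        "distinct_sources": len({src for _, src, _ in recent}),
    }


if __name__ == "__main__":
    # Wave A is caught by both checks; wave B only by the per-port check,
    # because no single randomized source ever crosses the per-host limit.
    print("wave A:", evaluate(WAVE_A + LEGIT))
    print("wave B:", evaluate(WAVE_B + LEGIT))
```

The per-source list is empty for wave B, which is the point made in the thread: a policy keyed on repeated source addresses never triggers when each SYN carries a different address, while the port's backlog is exhausted just the same.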
