[26849] in North American Network Operators' Group
Re: New form of packet attack named Stream
daemon@ATHENA.MIT.EDU (Damon M. Conway)
Fri Jan 21 15:27:27 2000
Message-Id: <200001212020.OAA04870@chiba.3jane.net>
To: Pat Myrto <pat@rwing.ORG>
Cc: alex@virgin.relcom.eu.net (Alex P. Rudnev), nanog@merit.edu
In-reply-to: <200001211927.LAA16526@rwing.ORG>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-ID: <4867.948486039.1@chiba.3jane.net>
Date: Fri, 21 Jan 2000 14:20:39 -0600
From: "Damon M. Conway" <damon@chiba.3jane.net>
Errors-To: owner-nanog-outgoing@merit.edu
Pat Myrto wrote:
>
>Alex P. Rudnev has declared that:
>>
>>
>> > > e-mail me asking for the code.
>> >
>> > Actually, you provided enough details, so any unix guy who knows
>> > his sockets can write the program in fifteen minutes.
>> >
>> > This type of attack was known for a long time (and there are even
>> > nastier variations using TCP header bits and fragments), and, unfortunately,
>> > there's no good defense against it.
>> There is one base rule - you (OS) MUST limit resources (CPU, MEMORY, buffers,
>> sockets, etc.) caught by any SINGLE origin (IP address, program, service).
>>
>> Such an approach breaks almost any DoS attack except a few - for example, if you try
>> to exhaust memory attacking a single service, then (1) the service can't catch all
>> memory because it's a SINGLE origin, and (2) one SRC address can't catch many
>> resources because it's a SINGLE origin, and (3) you can't generate too many
>> different addresses in case of reverse-filtering.
>
>Any ideas/suggestions for hacks to the kernel, etc. (i.e., freebsd, linux, etc.)
>to impose such limits (configurable by admin, preferably)? Especially
>in the CPU usage and memory areas (perhaps sockets/handles, too).
from freebsd-current yesterday:
Subject: half-fix for stream.c
http://www.freebsd.org/~alfred/tcp_fix.diff
damon
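A per-origin accounting table of the kind Alex describes above, added here as an example; it is not code from this thread or from the FreeBSD tcp_fix.diff. The pool size, the per-origin cap, the hash and the function names are assumptions.

```c
/* Added example: charge each resource unit (e.g. a socket buffer) to its
 * origin, an IPv4 source address here, and refuse the allocation once that
 * origin holds PER_ORIGIN_CAP units, so no single origin can drain the pool.
 * Sizes and the hash are assumed for illustration. */
#include <stdint.h>
#include <stdbool.h>
#include <string.h>

#define GLOBAL_POOL    1000   /* total units available to everyone (assumed) */
#define PER_ORIGIN_CAP   50   /* units any single origin may hold (assumed) */
#define TABLE_SIZE      256

struct origin_slot { uint32_t addr; unsigned held; bool used; };

static struct origin_slot table[TABLE_SIZE];
static unsigned pool_used;

/* Find or create the accounting slot for an address (linear probing;
 * slots are never freed in this sketch, so the table is bounded). */
static struct origin_slot *slot_for(uint32_t addr) {
    unsigned i = (addr * 2654435761u) >> 24;          /* 8-bit hash */
    for (unsigned n = 0; n < TABLE_SIZE; n++, i = (i + 1) % TABLE_SIZE) {
        if (!table[i].used) { table[i].used = true; table[i].addr = addr; table[i].held = 0; return &table[i]; }
        if (table[i].addr == addr) return &table[i];
    }
    return NULL;                                      /* table full: refuse */
}

/* Charge one unit to `addr`; false if the origin cap or the pool is exhausted. */
bool origin_admit(uint32_t addr) {
    struct origin_slot *s = slot_for(addr);
    if (!s || s->held >= PER_ORIGIN_CAP || pool_used >= GLOBAL_POOL) return false;
    s->held++; pool_used++;
    return true;
}

/* Try `n` allocations for one origin; returns how many were admitted. */
unsigned origin_admit_n(uint32_t addr, unsigned n) {
    unsigned ok = 0;
    while (n-- > 0 && origin_admit(addr)) ok++;
    return ok;
}

void origin_release(uint32_t addr) {
    struct origin_slot *s = slot_for(addr);
    if (s && s->held > 0) { s->held--; pool_used--; }
}

unsigned origin_held(uint32_t addr) { struct origin_slot *s = slot_for(addr); return s ? s->held : 0; }
unsigned pool_in_use(void) { return pool_used; }
void accounting_reset(void) { memset(table, 0, sizeof table); pool_used = 0; }
```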