[4413] in North American Network Operators' Group
SYN flood messages flooding my mailbox
daemon@ATHENA.MIT.EDU (Curtis Villamizar)
Mon Sep 16 11:45:07 1996
To: nanog@merit.edu
cc: curtis@ans.net
Reply-To: curtis@ans.net
Date: Mon, 16 Sep 1996 11:30:35 -0400
From: Curtis Villamizar <curtis@ans.net>
Wrt- SYN Flooding
I'm going to try to consolidate some of these threads.
There have been three areas in which defense of SYN flooding has been
suggested (maybe more, three that will help):
1. Make the host less susseptible
2. Filter based on source address on inbound packets from singly
homed sites.
3. Improve the ability to trace such attacks back to source
I'll argue that all three of these are needed since none of them alone
can completely solve the problem. Here are some details recapping
discussions on the list (sorry for not giving credit, lots of people
contributed ideas).
1. Make the host less susseptible [teach engineers to spell?]
Specific code fragments were given for BSD and Solaris. BSDI is
already in very good shape with recent kernel patch (that preceeded
the attacks and was intended to improve HTTP server performance).
The comment was made "what about NT". My answer is let Microsoft
field that question.
At issue is whether a stream of TCP SYNs can swamp a host TCP
implementation. This is a denial of service exposure that has gone
unaddressed in host implementations until recently. BSD now uses a
hash table on the TCP PCBs (protocol control blocks in the kernel) and
with change of removal of the check can support close to 64K-2000 PCBs
(until TCP port numbers are exhausted). At a 75 second hold time,
this is well under 1kpps (rapid reuse of port numbers has other
problems). Some advantage is gained by the fact that SYN ACKs will be
sent and legitimate hosts will respond with RST, clearing the port
number for reuse.
There was also a suggestion of a server to prescreen TCP SYNs. I
don't think that is needed.
With the host changes, hosts are not invincible but it requires
nearly 1 kpps sustained to do damage. Reducing the hold time below 75
seconds (which is on the long side), makes the traffic rates required
for a denial of service even higher. What this does is forces the
attacker to use relatively long, high pps bursts, which are much more
easily traced if providers are prepared to do the tracing (see 3.).
2. Filter based on source address on inbound packets from singly
homed sites.
A singly homed site cannot have assymetric routing since there is no
ohter path. All that is needed is for the router to look up the
source address in the forwarding table and if the route does not point
to the interface the packet came in on, dispose of the packet. This
would mean that even a singly homed university could not become the
source of SYN attacks unless the hacker was willing to use source
addresses in the range of the addresses of the university. This would
make tracing back to the source very easy.
3. Improve the ability to trace such attacks back to source
Here is where either router vendors have to take action or providers
need to put Unix hosts on their FDDI rings and ethernets to do gather
data. The NSS routers did statistical sampling based on a sampling of
one in 50 packet headers. If a hacker must send upwards of 60,000
packets for an attack to be effective, even a sampling of 1 in 1,000
would be effective. The NSS was unique as routers go in that a
general purpose computer was part of the package. The specialized
code in the forwarding path sampled 1 in 50 headers and packed them
into a large packet, which when full was sent to the Unix kernel.
This reduced the rate of sampling packets to the kernel to a rate that
could be easily handled (we could do 1 to 1 sampling in bursts with
heavy load on the CPU, 1 in 50 continuous with very little load).
What we have suggested to our router vendors is the following: in the
forwarding path allow an option to take 1 in N packets (where N could
be anything but is expected to be in the range of 50-1000) and pack
the first H bytes of the packet plus timestamp into a buffer. Send
the buffer out a designated interface when the buffer reaches a
configured size (usually the MTU of the interface) to some configured
addess.
The normal use of this would be to send packets out a dedicated
ethernet interface to a network management machine within the POP,
though the same information could also be sent remotely if it was
being used to monitor attacks. The advantage of a network management
machine (which we happen to already have for other purposes like SNMP
proxy agents for things that don't do SNMP and secure access for
things that don't have a means of secure access), is that it has a
disk and can quite easily store hours of samples. If an incident is
reported and the end site has a traffic archive with address and port
number pairs, a snapshot of the prior few hours is taken and the
source is identified. If all major providers did this, a SYN attack
reported within a few hours would be traceable.
---> Michael Dillon writes:
> Now here is something that could be used by sites to protect against SYN
> flood attacke assuming that they can build a special custom box with
> enough RAM to buffer the sockets for 30 seconds or more. How high a rate
> can SYN floods come in at? I've heard of 1,000 per sec which implies that
> this box needs to hold open 30,000 to 75,000 potential sockets. Is there
> any problem within IPv4 (seq #'s?) that would make this inherently
> impossible?
Yep. Increasing the number of packets required for an effective
attack makes it more difficult to launch an attack that is not easily
traced.
---> Roderick Murchison, Jr. writes:
> Ok. say you have a firewall between your network and you Internet
> connection. If that firewall could detect and *detain* a segment with the
> SYN option set, then see if the set source IP answers an ICMP echo
> request, we could effectively determine whether or not the SYN could be
> dropped at the firewall and not sent through to spam our hosts. If the
> source responds, release the SYN and let it pass through to the intended
> host. If it does not, trash the SYN and log the failure.
ICMP is a bad choice (already pointed out on the list). I don't think
this is needed if the host implementations are fixed. It would be
quite easy to send 60,000 different source addresses, which would make
your solution worsen the problem. Better to just have the host send
the SYN ACK, let it either blacxkhole (no such destination) or return
a RST (a real host was found).
---> Dima Volodin writes:
> Apart from the obvious sexism :-) of the message let me point out that
> there are some other tricks one can play with DNS, e.g. throwing in
> any addresses for some other's servers in additional records in your DNS
> reponces. We are hit by this DNS/named deficiency _every freaking day_.
You need to update to a newer version of BIND. This has been fixed.
---> Jim Forster writes:
> > Again, the rule is "dont accept packets from an interface if there's no
> > route for their source addresses pointing back to the same interface".
> > Note that that route does not have to be the best one -- just that the
> > router gets it from somewhere.
>
> Without discussing it with the right folks here ahead of time, I suspect we
> could do this at good speed in some, but not all routers, in our product
> line. The solution I have in mind would not be suitable for some places in
> the net. We'd put the extra checks in the slow path which Curtis hates so
> much, and then use our 'flow-switching' cache, which is keyed by src/dest
> adresses & ports. So packets which fail the source address scrutiny in the
> slow path aren't put in the flow-switching cache. I can't recall if we
> cache negatives there, but in any event apparently the attacks involve SYN
> flows on the order of 100's of PPS, which might go through the slow path
> OK. BTW, I believe the criterion Vadim suggest is similar to that used in
> RPF Multicast flooding.
>
> Now the big question: is this useful in routers carrying a default route?
I have to highly commend Jim and Cisco for their quick response and
willingness to help address the problem. I must say that this is a
typical very helpful response from Cisco.
What I am asking for ("we" if there is agreement) is the following.
1. Create an option to look up the source address in the forwarding
table. If the forwarding entry for the source address does not point
to the interface from which the packet came, drop the packet. Enable
this by default. Allow it to be shut off on a per interface basis.
This is most important on end system routers so if it cannot be made
to run on some routers with hardware assist without overly impacting
the forwarding path speed, then that's OK.
2. Create an option to pack 1 in N packet into ... (what I have
written above as #3). It would be real handy if this could be done on
all routers, including those with hardware assist. This would mean
that any Cisco based ISP could very easily trace the source of SYN
attack to their own border and there would be no excuse not to.
[We've also asked for this feature for a number of other reasons
having to do with network capacity planning and statistical studies.]
Best Regards to all that are contributing to solving this problem,
Curtis