[4431] in North American Network Operators' Group
Re: New Denial of Service Attack on Panix
daemon@ATHENA.MIT.EDU (David J. Schmidt)
Mon Sep 16 21:55:15 1996
Date: Mon, 16 Sep 96 18:41:27 -0700 (PDT)
From: "David J. Schmidt" <davids@on-ramp.ior.com>
To: kwe@6SigmaNets.com
CC: nanog@merit.edu, iepg@iepg.org
In-reply-to: <2.2.32.19960916231414.00720830@mail.cts.com>
(kwe@6SigmaNets.com)
Date: Mon, 16 Sep 1996 16:14:14 -0700
From: "Kent W. England" <kwe@6SigmaNets.com>
Sender: owner-nanog@merit.edu
Dear NANOG/IEPG Folks;
As you should know by now from reading the papers, Panix, the first
ISP in NYC, has come under a new denial of service attack. The Wall
Street Journal quoted Bill Cheswick to the effect that the attack
is "unstoppable". Almost, but not quite, true.
Not only is it difficult to stop, but difficult to trace since it
requires the *immediate* cooperation of all intervening providers.
It's true that there isn't anything that Panix can do on its own to
stop this attack. It's true that it would be hard to verify source
addresses at MAEs and NAPs. But we could all verify source
addresses at the first hop entry points. And get default route and
unauthorized transit protection to boot.
I'd like to know what the community thinks can be done to deal with
an escalation of these attacks should this occur. Are you doing any
source address verification now? Are you doing anything to help
Panix? Could you?
We just put in source address filters. Being a single homed site with
only 3 CIDR blocks made that quick and easy. I think we need to make
it as easy as possible for ISP's with little technical knowledge to do
the same.
Has someone come up with instructions on how to do source address
filtering/verification for different brands of routers? It would be
good if someone could put up a web page with complete instructions on
how to do this. If this could be done quick enough we could possibly
get the URL some publicity due to the current Panix attack.
Another item that may be usefull would be a list of providers that do
perform source address verification. Is there an easy way to verify
from an outside host that the filtering is being done? Without
verification we couldn't trust the list of sites that claim to filter.
Operating system changes may also minimize the impact of this type of
attack and those changes should be encouraged. Changes like an
adaptive SYN timout along with more dynamic table allocation.
How seriously do you take this threat? If Panix were to go out of
business and Bob Metcalfe wrote a column on it, ( :-) do you think
we would have to deal with it together then, or can we sit tight
and expect it to blow over? After all, it's easy to dump chemicals
in the reservoir, but we still drink the water, right?
How likely is Panix to go under from this? Admittedly incomming
connections are seriously effected, but if Panix were to filter out
incoming SYN's at their entry points could their customers still do
outbound browsing? They could open and close the door periodically to
try and receive incoming e-mail or move MX records around to get mail
in.
Their Web customers would seem to be the most heavily effected as
their pages can't be seen.
Bottom line, exactly how is this attack effecting Panix servers and
what are they able to do to at least operate in a degraded fashion
during these attacks? What could *I* do if my site were attacked?
Thanks.
--Kent
~~~~~ ~~~~~ ~~~~~ ~~~~~ ~~~~~ ~~~~~ ~~~~~ ~~~~~ ~~~~~ ~~~~~ ~~~~~ ~~~~
Kent W. England Six Sigma Networks
1655 Landquist Drive, Suite 100 Voice/Fax: 619.632.8400
Encinitas, CA 92024 kwe@6SigmaNets.com
Experienced Internet Consulting ~~~~~ ~~~~~ ~~~~~ ~~~~~ ~~~~~ ~~~~
--
David.Schmidt@on-ramp.ior.com Internet On-Ramp, Inc. (509)624-RAMP (7267)
Spokane, Washington http://www.ior.com/ (509)323-0116 (fax)
