Re: New Denial of Service Attack on Panix
daemon@ATHENA.MIT.EDU (Tim Bass)
Mon Sep 16 23:45:38 1996
From: Tim Bass <bass@cactus.silkroad.com>
To: c-huegen@quad.quadrunner.com (Craig A. Huegen)
Date: Mon, 16 Sep 1996 23:39:26 -0400 (EDT)
Cc: kwe@6SigmaNets.com, nanog@merit.edu, iepg@iepg.org
In-Reply-To: <Pine.QUAD.3.94.960916182425.296A-100000@quad.quadrunner.com> from "Craig A. Huegen" at Sep 16, 96 06:32:34 pm
Craig:
> 2,000 PPS:
>
> 182.58.239.2.1526 -> 172.30.15.5.80 TCP SYN
> 19.23.212.4.10294 -> 172.30.15.5.80 TCP SYN
> 93.29.233.68.4355 -> 172.30.15.5.80 TCP SYN
> [... on and on ...]
>
> Tell me how to filter this.
Okay, the way this *might* be filtered involves a couple of steps:
(1) Set up logging (as you have done), dump the data saving the
IP addresses (with port numbers); then
(2) Using documented stochastic methods, look for the hidden
pattern in the pseudo-random sequences. There are computer
programs to do this, sorry, I would have to do a search to
find one (they exist, however);
Note: The sequence above is too short to determine any
pseudo-random pattern (of course). But keep in mind, all computer
generated 'random number' sequences are not truly random and there
are generally determinate. Also, if a file is being used as a
basis for the attack, perhaps it repeats itself (this is the
easy case, not-likely ;)
(3) Given it is possible to break the code, hack together some
telnet 'update the router access-lists' based on the predictive
algorithm. (another chapter, yet to be documented)
However, George is right in his conjecture that the problem becomes
more difficult when you consider that there is 'good traffic'
as well. Hence, the problem becomes a signal processing
exercise of determining the signal (the good source addresses)
from the noise (the bad source addresses).
Admittedly, it is difficult (but hey, you ISPs wanted to get into
the business and make the big bucks, so deal with it, and put
those big profits to use, like all the other telecom folks
have to do to protect their services :-)
ANYWAY, this type of counter-measure is not easily done, and I'm
not sure that discussing the details in public is a good idea.
I have already been called 'irresponsible' in private for discussing
this technique.
BTW, do all the attacks have the same port and destination?
Thanks,
Tim
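As an added example (not code from Tim Bass's message or anyone else in the thread), a small Python script that applies step (1) and the "easy case" of step (2) to the log format Craig quoted: it parses the SYN lines, looks for the shortest repeating cycle in the sequence of spoofed source addresses, and tallies destinations to answer the closing question about port and host. The log text is constructed; only its field layout follows the quoted lines.

```python
import re
from collections import Counter

# Constructed sample in the quoted format: "src.port -> dst.port TCP SYN".
# A short spoofed-source list is replayed in a loop (the "file repeats itself" case).
SAMPLE_LOG = """\
182.58.239.2.1526 -> 172.30.15.5.80 TCP SYN
19.23.212.4.10294 -> 172.30.15.5.80 TCP SYN
93.29.233.68.4355 -> 172.30.15.5.80 TCP SYN
10.7.7.7.2001 -> 172.30.15.5.80 TCP SYN
182.58.239.2.1526 -> 172.30.15.5.80 TCP SYN
19.23.212.4.10294 -> 172.30.15.5.80 TCP SYN
93.29.233.68.4355 -> 172.30.15.5.80 TCP SYN
10.7.7.7.2001 -> 172.30.15.5.80 TCP SYN
182.58.239.2.1526 -> 172.30.15.5.80 TCP SYN
"""

# Dotted-quad followed by a fifth dotted field for the port, as in the quoted dump.
LINE_RE = re.compile(
    r"^(\d+\.\d+\.\d+\.\d+)\.(\d+) -> (\d+\.\d+\.\d+\.\d+)\.(\d+) TCP SYN$"
)


def parse_syns(text):
    """Return (src_ip, src_port, dst_ip, dst_port) tuples for every SYN line."""
    flows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            flows.append((m.group(1), int(m.group(2)), m.group(3), int(m.group(4))))
    return flows


def repeat_period(seq):
    """Smallest p such that seq[i] == seq[i+p] for every i, or None.

    Only periods up to len(seq)//2 are tried, so the cycle must have been
    observed (almost) twice before it is reported; a short capture yields None,
    which is the "sequence too short" caveat from the message.
    """
    n = len(seq)
    for p in range(1, n // 2 + 1):
        if all(seq[i] == seq[i + p] for i in range(n - p)):
            return p
    return None


def destinations(flows):
    """Count SYNs per (dst_ip, dst_port): do all the packets hit one host and port?"""
    return Counter((dst_ip, dst_port) for _, _, dst_ip, dst_port in flows)
```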