[4933] in North American Network Operators' Group


Re: New Denial of Service Attack on Panix

daemon@ATHENA.MIT.EDU (Dima Volodin)
Wed Oct 2 17:58:49 1996

To: bass@cactus.silkroad.com (Tim Bass)
Date: Wed, 2 Oct 1996 17:51:34 -0400 (EDT)
Cc: dvv@sprint.net, kwe@6SigmaNets.com, nanog@merit.edu, iepg@iepg.org
In-Reply-To: <199610022141.RAA00258@cactus.silkroad.com> from "Tim Bass" at Oct 2, 96 05:41:29 pm
From: dvv@sprint.net (Dima Volodin)

Well, my understanding of your idea was that you proposed to detect SYN
packets with unroutable src addresses before they hit the SYN_RCVD
queue. The only way to deem them unroutable is to observe
ICMP_UNREACHs hitting the box in large numbers. Now my first paragraph
just means that an SRC address might be a perfectly routable one without
its being real - an unused address on an ethernet segment is enough for
the attack. Or thousands of them for an untraceable attack.


Dima

Tim Bass writes:
> 
> > 
> > It will, except that a slight modification of the attack (using IP
> > addresses that _don't_ produce ICMP_UNREACH) will get us back to square
> > one.
> > 
> > Anyway, filtering packets with SRC addresses known to generate
> > ICMP_UNREACH at the earliest possible stage might be a good idea.
> 
> I understand paragraph two, but about paragraph 1....
> 
> When I ran the TCP SYN attack using routable source addresses,
> before I patched my attack kernel to allow Spoofers, I
> literally beat-to-death a server on the same subnet and
> the attack had no effect.
> 
> However, when I hacked the kernel to allow spoofed addresses,
> the attack was severe and immediate.  So, from my tests,
> the attack is only successful when the bogus source address
> is UNREACHABLE (which is a defense in the non-random
> attack).
> 
> For clarity, the attack only works when the IP source address
> is UNREACHABLE; this has been my observation here in the lab using
> a source address from my net (however I haven't confirmed this
> with a good source address in another domain but I will...)
> 
> 
> 
> Tim
> 
> 
> > 
> > > Tim
> > 
> > Dima
> > 
> 
> 
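The heuristic discussed in this exchange, as an added example that is not part of the thread: count ICMP unreachables that come back for the SYN-ACKs sent to each source, release that source's SYN_RCVD slot as soon as one arrives, and drop further SYNs from a source once it has proven unroutable. The packet log, addresses and the threshold of three are constructed; the limit Dima raises appears as the source that never triggers an ICMP message and therefore keeps its slots.

```python
from collections import Counter

# Constructed packet log (not from the thread): (event, peer address).
#   "syn"  inbound TCP SYN from peer, which would occupy a SYN_RCVD slot
#   "ack"  peer completed the handshake, freeing the slot
#   "icmp" ICMP destination-unreachable received for the SYN-ACK sent to peer
CONSTRUCTED_LOG = [
    ("syn", "192.0.2.5"), ("icmp", "192.0.2.5"),     # spoofed, unroutable source
    ("syn", "192.0.2.5"), ("icmp", "192.0.2.5"),
    ("syn", "192.0.2.5"), ("icmp", "192.0.2.5"),
    ("syn", "192.0.2.5"), ("syn", "192.0.2.5"),
    ("syn", "203.0.113.7"), ("ack", "203.0.113.7"),  # legitimate client
] + [("syn", "198.51.100.40")] * 5                   # routable but unused address: no ICMP ever returns


class SynFilter:
    """Track half-open connections per source and filter sources that prove unroutable."""

    def __init__(self, threshold=3):
        self.threshold = threshold   # ICMP unreachables per source before filtering (constructed value)
        self.unreach = Counter()     # ICMP unreachables observed per peer
        self.half_open = Counter()   # slots each peer currently holds in the SYN_RCVD queue
        self.dropped = Counter()     # SYNs discarded before they reach the queue
        self.blocked = set()

    def on_syn(self, peer):
        if peer in self.blocked:
            self.dropped[peer] += 1
            return "dropped"
        self.half_open[peer] += 1
        return "queued"

    def on_ack(self, peer):
        # Completed handshake: the entry leaves the SYN_RCVD queue.
        self.half_open[peer] = max(0, self.half_open[peer] - 1)

    def on_icmp_unreach(self, peer):
        # The SYN-ACK was undeliverable, so this handshake can never finish:
        # release the slot now and record the evidence that the source is unroutable.
        self.half_open[peer] = max(0, self.half_open[peer] - 1)
        self.unreach[peer] += 1
        if self.unreach[peer] >= self.threshold:
            self.blocked.add(peer)


def replay(log, threshold=3):
    """Feed a packet log through the filter and return its final state."""
    f = SynFilter(threshold)
    handlers = {"syn": f.on_syn, "ack": f.on_ack, "icmp": f.on_icmp_unreach}
    for event, peer in log:
        handlers[event](peer)
    return f


if __name__ == "__main__":
    state = replay(CONSTRUCTED_LOG)
    print("blocked:", sorted(state.blocked))
    print("half-open slots still held:", {p: n for p, n in state.half_open.items() if n})
```

Running it shows 192.0.2.5 blocked after its third unreachable with no slots left, while 198.51.100.40 is never blocked and still holds five slots, which is exactly the case the filter cannot see.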

