[4934] in North American Network Operators' Group


Re: New Denial of Service Attack on Panix

daemon@ATHENA.MIT.EDU (Tim Bass)
Wed Oct 2 18:10:10 1996

From: Tim Bass <bass@cactus.silkroad.com>
To: dvv@sprint.net (Dima Volodin)
Date: Wed, 2 Oct 1996 18:01:30 -0400 (EDT)
Cc: dvv@sprint.net, kwe@6SigmaNets.com, nanog@merit.edu, iepg@iepg.org
In-Reply-To: <199610022151.RAA00565@mercury.int.sprintlink.net> from "Dima Volodin" at Oct 2, 96 05:51:34 pm

> Well, my understanding of your idea was that you proposed to detect SYN
> packets with unroutable src addresses before they hit the SYN_RCVD
> queue. The only way to deem them unroutable is to observe
> ICMP_UNREACHs hitting the box in large numbers. Now my first paragraph

Yes, we are 'in SYN' on the approach.....

> just means that an SRC address might be a perfectly routable one without
> its being real - an unused address on an ethernet segment is enough for
> the attack. Or thousands of them for an untraceable attack.


Yes, this also works to our advantage, it seems.  As long as
the destination (the source route) is UNREACHABLE, be the
address bogus like 0.0.0.4 or an unused IP address or
a machine that is off on the network, thereby being
UNREACHABLE; after some magic number of ICMP_UNREACHes
IP could block them with a system clock stamp and unblock
them after some other 'optimal deterministic' time.

Thanks for pointing out that the UNREACHABLE could just
be hosts that are turned off.  The difficult cases,
now that you mention it, are the UNREACHABLEs due
to a route flap or other intermediate system blip.

However, there may be some 'deterministic time'
or number of packets, etc. to set metrics to
fine-tune this.

Thanks for the feedback, BTW.

Best Regards,

Tim
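The threshold-and-timer scheme sketched in the message above, as an added Python example that is not part of the original thread or any named implementation: a per-source tracker counts ICMP unreachables returned for our SYN/ACKs, blocks a source once the count reaches a threshold within a short window, stamps the block with the clock, and lets it expire after a fixed time so that a route flap does not keep a real host blocked. The threshold, window and block duration are assumed placeholder values (the 'magic numbers' the message leaves open).

```python
from collections import defaultdict, deque


class UnreachableBlocklist:
    """Per-source tracker for ICMP unreachables caused by half-open SYNs.

    Once `threshold` unreachables arrive for one source within `window`
    seconds, the source is blocked and the block is stamped with `now`.
    The block expires after `block_time` seconds, so a transient route
    flap does not blacklist a legitimate host forever.
    All three parameters are assumed placeholder values.
    """

    def __init__(self, threshold=5, window=10.0, block_time=60.0):
        self.threshold = threshold
        self.window = window
        self.block_time = block_time
        self._events = defaultdict(deque)  # src -> timestamps of unreachables
        self._blocked_at = {}              # src -> clock stamp of the block

    def is_blocked(self, src, now):
        """True while a block on `src` is still inside its block_time."""
        stamp = self._blocked_at.get(src)
        if stamp is None:
            return False
        if now - stamp >= self.block_time:  # timed unblock
            del self._blocked_at[src]
            self._events.pop(src, None)
            return False
        return True

    def record_unreachable(self, src, now):
        """Call for each ICMP unreachable whose inner packet is a SYN/ACK we
        sent to `src`. Returns True if `src` is blocked afterwards."""
        if self.is_blocked(src, now):
            return True
        q = self._events[src]
        q.append(now)
        while q and now - q[0] > self.window:  # drop events outside the window
            q.popleft()
        if len(q) >= self.threshold:
            self._blocked_at[src] = now
            q.clear()
            return True
        return False

    def admit_syn(self, src, now):
        """Should a SYN claiming to come from `src` enter the SYN_RCVD queue?"""
        return not self.is_blocked(src, now)
```

A burst of unreachables for one address blocks it until the timer runs out, while the same number of unreachables spread out over a longer period (the route-flap case) never reaches the threshold.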
