Security Incidents mailing list archives
Re: Arrowpoint CS-100 atack
From: Albert Saerong <asaerong () ASTAGASTAFF COM>
Date: Wed, 18 Oct 2000 10:44:48 +0700
Right, and as an addition, I suggest you upgrade your AP software version. The latest version that I use is ap0310055s, which has more improvements in handling DOS while maintaining a low CPU usage. Although they have released v4, I haven't tried it yet.

One solution instead of adding another firewall (cheap or not, it's still a cost) before the AP is to use the AP itself as a firewall. You can use the AP ACL to set that. And I also suggest you play with the config in layer 5 or layer 7 by setting the 'service' and 'owner' to a specific port and protocol, so traffic can only go to allowable ports and protocols in allowable services/owners, thus limiting the attackers' room to play around.

Another thing is to set your router to filter the traffic before it goes to the AP. I usually set deny any any at the bottom of the router ACL, and before that open the ports and protocols of the IPs that need to be open. Also add some anti-spoofing and some blocking of big-size ICMP.

Anyway, I don't think that you really need to upgrade to a CS-150 or even the big mamma (CS-800). IF you still consider all attacker traffic as part of your traffic, then you have to prepare some cash to buy multiple CS-800s ;-) If you implement my suggestions above, I'm sure that the traffic will be double filtered, first by the router, then by the Arrowpoint.

As an example of my implementation, I have one customer who only uses 1 CS-100 with 2 different uplinks and 6 E220R servers below, to handle 3 MBs of 'clean' traffic and almost a million pageviews a day, and it still works fine: unDOS-able, low CPU usage (11%), since most of the attacks have been filtered through the router and we play the services and owners on layer 5. If you find difficulties in getting the latest version of the AP software, just email me.
cheers, albert

-----Original Message-----
From: junior () SHIVA 6O4 NET
To: INCIDENTS () SECURITYFOCUS COM
Sent: 10/17/00 12:49 PM
Subject: Re: Arrowpoint CS-100 atack

Always when you see this kind of attack... take a few stats. During the attack, look at the output from 'show dos', 'show dos sum' and 'show mem'. The above will show you the source of the attacks (spoofed) and memory usage. A reboot will bring things back to normal, but once the CPU is pegged again the same thing will happen. You can also enable various syslog levels to log the sources, but these will almost all be spoofed RFC-1918 addresses.

The Arrowpoints are great in the fact that they help to prevent SYN, Illegal Src attacks, etc. Unlike most load balancers, which will blindly load balance any attack (BigIP) or use some kind of counters (Alteons), during a regular TCP handshake the Arrowpoint intercepts the packet destined for the load-balanced machines, spoofs the connection and sends a SYN ACK back to the source; if the source does not answer back, the connection is dropped. This all takes a lot of CPU, and if the attack is great it will overwhelm the CPU, as is the case in what is happening to you right now.

YOU don't want to turn this feature off; you have other more important issues to worry about here, since if you turn off these features the attack will be passed on to your machines, which will be hammered.

You have some choices here: get a higher-end Arrowpoint... CS-150?? If the load of traffic + attack will be too great for the 150, go 800. These are modular and can be very expensive, but worth all the money. Since it's modular it can grow as your network grows. Put a firewall in front of the Arrowpoint and have it deal with the attacks. A NetScreen-100 (www.netscreen.net) should work fine; it's a hardware/firmware solution, and not expensive at all.

my 2 cents.

On Mon, Oct 16, 2000 at 02:39:05PM -0200, Thiago Madeira de Lima wrote:
Hello,

I'm experiencing a very hard/strange attack. I run a service which has the following architecture:

1 Arrowpoint CS-100
2 Cacheflows in one VIP, which is the website address (200.x.x.1)
1 Server in one VIP (200.x.x.2)

This configuration works very fine, but someone is attacking the IP 200.x.x.1 and then the Arrowpoint starts saying that there are *MANY* 'Illegal Source Attack', and it starts to work very slowly and kills all services. It stops packet forwarding to the servers and marks all servers as down. I'm receiving something about 15 Mbits of this strange traffic. And I couldn't verify what it is, because the Arrowpoint does not forward those packets to the real server nor the cache.

I looked at the Arrowpoint manual and there's nothing about how to disable the DOS filter, which I think could be an answer. Maybe the caches or the server could handle the problem a little better.

My problem right now is how to identify what attack is really happening, and then filter the attack someplace before the Arrowpoint. Any tricks?

Thanks a lot
Thiago
Current thread:
- Re: Arrowpoint CS-100 atack Duquette, John (Oct 19)
- <Possible follow-ups>
- Re: Arrowpoint CS-100 atack Albert Saerong (Oct 19)