nanog mailing list archives

Re: syn attack and source routing


From: Vadim Antonov <avg () quake net>
Date: Fri, 27 Sep 1996 14:18:58 -0700

Alexis Rosen <alexis () panix com> wrote:

Or better yet, the ICMP TRACEROUTE message, which would go
hop by hop and on every hop generates a response message.
Augmented with PROXY TRACEROUTE which will cause the destination
box to send out the ICMP TRACEROUTE.

I'm very surprised that no one has mentioned what seems to me to be the
*really* serious drawback to this scheme. Remember how much grief you had
the last time someone did a news sendsys forged to your name? (If it's
never happened to you, be glad...) This sort of attack got so bad that
the default setup these days is to ignore sendsys.

Yes, indeed a single traceroute packet with forged address can generate
many responses.  However, there is at least one technique to eliminate
its usefulness as an attack weapon -- namely source address filtering
(which is going to be implemented anyway, sooner or later; there are
other types of attacks).

Another way is to have ICMP TRACEROUTE return one packet with all the
information _and_ the IP address of the next-hop router (i.e. replace
recursive behaviour with iterative).  It is still more useful than the
UDP kludge; and it will still work in case of load-sharing.

Actually, "multiplication"-type flooding attacks are nothing
new, but they are more easily done at the application level.  For example,
connecting to different SNMP speakers and causing them to send a long
error reply to the target address.  Or subscribing the victim to many, many
mailing lists (including USENET gateways, urgh!).  Or using MBONE
feeds creatively.

--vadim
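The mitigation Vadim names, source address filtering at the provider edge, is easy to state but worth seeing concretely. The following is an added example written for this archive page; it is not code from the thread or from any NANOG participant. It simulates an ingress filter: a packet arriving on a customer-facing interface is admitted only if its source address lies inside a prefix assigned to that customer, so a forged source (the precondition for the reflected-traceroute flood under discussion) is discarded before it can reach any responder. The interface name `cust-1`, the prefix table and the sample packets are all constructed for the illustration.

```python
"""Ingress (source address) filtering at a provider edge, simulated.

Assumption (constructed for this example): the provider knows which
prefixes it has assigned to the customer behind each edge interface.
"""
import ipaddress
from collections import Counter

# Constructed: prefixes assigned to the customer behind interface "cust-1".
CUSTOMER_PREFIXES = {
    "cust-1": [
        ipaddress.ip_network("192.0.2.0/24"),
        ipaddress.ip_network("2001:db8:1::/48"),
    ],
}

# Constructed sample packets seen on the customer interface:
# (ingress interface, source address, destination address)
SAMPLE_PACKETS = [
    ("cust-1", "192.0.2.10", "203.0.113.5"),       # legitimate
    ("cust-1", "192.0.2.200", "203.0.113.5"),      # legitimate
    ("cust-1", "203.0.113.7", "198.51.100.1"),     # forged: not a customer address
    ("cust-1", "2001:db8:1::5", "2001:db8:f::1"),  # legitimate IPv6
    ("cust-1", "2001:db8:9::5", "2001:db8:f::1"),  # forged IPv6 (outside /48)
    ("cust-1", "0.0.0.0", "203.0.113.5"),          # unspecified source: never valid
]


def source_allowed(iface, src, table=CUSTOMER_PREFIXES):
    """True if src is a usable address inside a prefix assigned to iface."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False  # unparsable source: drop
    if addr.is_unspecified or addr.is_multicast or addr.is_loopback:
        return False  # never legitimate as a source on a customer link
    # Version mismatch (v4 address vs v6 prefix) simply yields False here.
    return any(addr in net for net in table.get(iface, []))


def apply_ingress_filter(packets, table=CUSTOMER_PREFIXES):
    """Split packets into (accepted, dropped) lists by the ingress rule."""
    accepted, dropped = [], []
    for iface, src, dst in packets:
        bucket = accepted if source_allowed(iface, src, table) else dropped
        bucket.append((iface, src, dst))
    return accepted, dropped


def dropped_by_source(dropped):
    """Count drops per forged source: a sustained stream from one forged
    address is the trace of a reflection attempt the filter stopped, and
    is the statistic worth exporting to monitoring."""
    return Counter(src for _, src, _ in dropped)


if __name__ == "__main__":
    ok, bad = apply_ingress_filter(SAMPLE_PACKETS)
    print(f"accepted={len(ok)} dropped={len(bad)}")
    for src, n in dropped_by_source(bad).items():
        print(f"  dropped {n} packet(s) with forged source {src}")
```

The filter is applied on the link where the true origin of a packet is known (the customer edge), which is the only place a forged source can be recognised cheaply; once the packet is past that hop, every downstream box has to take the source field on faith, which is exactly what the forged-traceroute trick relies on.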