Vulnerability Development mailing list archives
Re: DoS Local machines
From: barclay () INTEGRATEDLINUX COM (Barclay Osborn)
Date: Thu, 11 May 2000 05:26:35 -0700
(Haven't been following this thread too closely, apologies, but I did look up your original post.)

WRT icmp redirects; never tried.

WRT killing network traffic, you can definitely kill network traffic w/ dsniff tools: http://naughty.monkey.org/~dugsong/ If you're on the local lan, try arpredirect'ing the router/gateway once every 30 seconds, or just use macof if you want more noise (hiding the source of the detection response). Of course, you can also be more selective about it. You can also use tcpkill for total or selective session killing. Also, nmap -O is known to kill some stacks (and cause some k-panics).

If you want more focused attacks, as in your original post, try using a combination of siphon/nmap/queso to id the remote OS, or just pull MACs or IPs off the wire, and dos the offender w/ a platform-specific program from packetstorm, etc.

You can also use your lids machines, or any existing firewalls/filters, to dynamically adapt various rules - if you want your detection machines to be silent, connect the e-boxes to filters via VPNs or separate physical networks depending on physical proximity. You could even connect them via serial w/ [rx|tx] leads cut.

You do have a problem, though: your attacker may not respond to icmp redirects - if you're assuming they may have control over the source machine in your network - so depending on the source OS to "do the right thing" isn't reliable. In which case you can't rely on stopping the network stack at the source machine (via this mechanism, although if you assume they have total control over their machines, this easily extrapolates to any attack on the host itself). ARP redirects aren't actually stopping the stack at the host, but at a waypoint, at which point the "routers/switches/hubs" argument (which I missed) may apply, be it the node dynamically configuring itself to cut traffic or an external redirect from an IDS.
You could also cut dns for the host (if it has dns and you're using 'notify yes' for a quick response).

But here is the fundamental problem as I see it: you have various clusters of computers which you want to prevent from attacking each other (inter- AND intra-cluster attacks), so no perimeter security will be sufficient, as it only addresses inter-cluster attacks, since you can always divide clusters into smaller clusters (logically speaking, and in terms of the attacker's src-dst) until you get down to cluster_size=1. At that point, your perimeter security is the host itself, which you don't trust.

So, it seems you have two choices WRT your stated constraints (please correct me if I'm wrong):

1) Implement security at cluster connections (routers/switches/hubs), for focused dos (e.g., icmp redirect, acl alteration, etc.). (For looped topologies this doesn't really apply, as they're effectively on an unmanaged hub.) This would most likely involve:
   a) utilizing the built-in partitioning features of your interconnection points, and possibly overloading them (which is why I assume you have a 2500+ box wan but aren't using filtering capabilities);
   b) somehow contacting your interconnection point via existing protocols that were not designed to be partitioning protocols (more akin to joining) to silence a specific host.

2) Implement effectively unfocused dos, e.g., arp redirection. This would most likely involve:
   a) broadcasting data to multiple hosts (and/or interconnect points) to instruct them to 'ignore' or 'invalidate' data from the offending host.

In case one, you're preventing the source host from contacting others, while in case two you're preventing others from contacting [responding to] the source of the attack. In a theoretical sense, it seems to me that silencing the bad host would be the superior solution, since the naughty host can still aggravate your networks even if none of your machines respond, and you wouldn't be affecting the good hosts (hopefully).
Hope this helps to provide a framework for the problem. _B Barclay Osborn barclay () integratedlinux com Signior Programmer (Carumba!) barclay () simpleip com On Wed, 10 May 2000, Jason wrote:
Date: Wed, 10 May 2000 20:16:26 -0500
From: Jason <jottwell () OPENRECORDS ORG>
To: VULN-DEV () SECURITYFOCUS COM
Subject: Re: DoS Local machines

This is a summary of what I've seen in response to my original message. Switches, hubs, and routers....switches, hubs, and routers, oh my! None of which answered my question. Does anyone have any experience in getting icmp redirects to affect *nix boxen? All I'm looking for are possible attacks on a given host to stop network traffic. Hubs, switches, and routers are not a viable resolution to this problem. As many of you know, getting upper management to spend money on new hardware/software is a fight that takes time, especially if they don't have a clue as to what an insecure network can do to the company.

After thinking about spoofing an attack so that my piece of code would attack an innocent host, I came up with a frontend to an attack. There are three admins under me. If I give them a tool that allows them only to 'stop' attacking machines on the network, this would be a viable solution. Anyone have links for these types of games to be played on machines in the network? icmp redirects, arp spoofing, tcp/ip stack crashes, etc.

Jason
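The ARP redirect that Barclay suggests (arpredirect'ing the gateway every 30 seconds) and the "flip-flop" it leaves on the wire, as an added example that is not part of the original posts and is not dsniff's own code. It builds the unsolicited ARP reply an arpredirect-style tool sends to a victim, parses it back, and runs an arpwatch-style watcher over a short constructed sequence of frames so that the change of the gateway's MAC is flagged. All MAC and IP addresses are made up for illustration. Actually putting the frame on the wire needs a raw socket (AF_PACKET on Linux, root) and is deliberately left out; the block only constructs and inspects bytes.

```python
"""ARP-redirect frames and an arpwatch-style detector for them.

Added example; not code from the original post or from dsniff. Addresses are
constructed for illustration and nothing here touches a real interface.
"""
import struct
from typing import Dict, List, Optional

ETH_P_ARP = 0x0806             # EtherType for ARP
ARP_REQUEST, ARP_REPLY = 1, 2
ETH_ARP_FRAME_LEN = 14 + 28    # Ethernet header + IPv4-over-Ethernet ARP payload


def mac_bytes(mac: str) -> bytes:
    return bytes(int(octet, 16) for octet in mac.split(":"))


def ip_bytes(ip: str) -> bytes:
    return bytes(int(octet) for octet in ip.split("."))


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def ip_str(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def build_arp_reply(sender_mac: str, sender_ip: str,
                    target_mac: str, target_ip: str) -> bytes:
    """Ethernet II frame carrying an ARP reply 'sender_ip is-at sender_mac'.

    For an arpredirect-style attack, sender_ip is the gateway's IP, sender_mac
    is the attacker's MAC and target is the victim: the victim's ARP cache then
    maps the gateway to the attacker. The real gateway's next answer overwrites
    the entry, which is why the post suggests re-sending roughly every 30 s.
    """
    eth_hdr = mac_bytes(target_mac) + mac_bytes(sender_mac) + struct.pack("!H", ETH_P_ARP)
    # htype=1 (Ethernet), ptype=0x0800 (IPv4), hlen=6, plen=4, opcode
    arp_hdr = struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REPLY)
    arp_body = (mac_bytes(sender_mac) + ip_bytes(sender_ip)
                + mac_bytes(target_mac) + ip_bytes(target_ip))
    return eth_hdr + arp_hdr + arp_body


def parse_arp(frame: bytes) -> Optional[Dict[str, object]]:
    """Return the ARP fields of a frame, or None if it is not IPv4-over-Ethernet ARP."""
    if len(frame) < ETH_ARP_FRAME_LEN:
        return None
    if struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {
        "op": op,
        "sha": mac_str(frame[22:28]), "spa": ip_str(frame[28:32]),
        "tha": mac_str(frame[32:38]), "tpa": ip_str(frame[38:42]),
    }


class ArpWatcher:
    """Passive IP->MAC tracker in the spirit of arpwatch.

    Every ARP packet advertises the sender's binding; a known IP showing up
    with a different MAC is the flip-flop that redirecting the gateway leaves
    on the wire, whether done by an attacker or by a detection response.
    """

    def __init__(self) -> None:
        self.bindings: Dict[str, str] = {}

    def observe(self, frame: bytes) -> Optional[str]:
        arp = parse_arp(frame)
        if arp is None:
            return None
        ip, mac = arp["spa"], arp["sha"]
        previous = self.bindings.get(ip)
        self.bindings[ip] = mac
        if previous is not None and previous != mac:
            return f"flip-flop: {ip} moved from {previous} to {mac}"
        return None


def demo() -> List[str]:
    """Constructed traffic: the real gateway answers once, then an attacker redirects it."""
    gateway_ip, gateway_mac = "10.0.0.1", "00:11:22:33:44:01"
    victim_ip, victim_mac = "10.0.0.50", "00:11:22:33:44:50"
    attacker_mac = "de:ad:be:ef:00:01"
    frames = [
        build_arp_reply(gateway_mac, gateway_ip, victim_mac, victim_ip),   # legitimate
        build_arp_reply(attacker_mac, gateway_ip, victim_mac, victim_ip),  # arpredirect-style
        build_arp_reply(attacker_mac, gateway_ip, victim_mac, victim_ip),  # repeated ~30 s later
    ]
    watcher = ArpWatcher()
    return [alert for alert in (watcher.observe(f) for f in frames) if alert]


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The watcher only reports the first change, so the repeated spoof in the demo produces a single alert; a real arpwatch also reports the move back when the genuine gateway answers again, which is the oscillation that gives "flip-flop" its name.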
Current thread:
- Re: Networking theories, (continued)
- Re: Networking theories Bluefish (May 07)
- Re: Networking theories Aussie (May 07)
- Re: Networking theories Matthew R. Potter (May 07)
- Re: Networking theories J . Phillips (May 08)
- DoS Local machines Jason (May 07)
- Re: DoS Local machines Jonathan Williams (May 07)
- Re: DoS Local machines Seth R Arnold (May 07)
- Re: DoS Local machines Arturo Busleiman (May 10)
- Re: DoS Local machines TeeSPy (May 11)
- Re: DoS Local machines Jason (May 10)
- Re: DoS Local machines Barclay Osborn (May 11)
- Re: Networking theories Matthew R. Potter (May 07)
- Re: Networking theories Helmethead (May 07)
- Re: Networking theories Dragos Ruiu (May 07)
- Re: Networking theories Blue Boar (May 07)
- Re: Networking theories Dug Song (May 08)
- Automatic Retaliation contra DoS sigipp () WELLA COM BR (May 09)
- Re: Automatic Retaliation contra DoS Weston Pawlowski (May 17)
- Re: Automatic Retaliation contra DoS Michael H. Warfield (May 17)
- Re: Automatic Retaliation contra DoS Weston Pawlowski (May 17)
- Re: Automatic Retaliation contra DoS Michael H. Warfield (May 18)