Vulnerability Development mailing list archives

Re: DoS Local machines


From: barclay () INTEGRATEDLINUX COM (Barclay Osborn)
Date: Thu, 11 May 2000 05:26:35 -0700


(Haven't been following this thread too closely, apologies, but I did look
up your original post)

WRT icmp redirects; never tried. WRT killing network traffic, you can
definitely kill network traffic w/ dsniff tools:
http://naughty.monkey.org/~dugsong/
If you're on the local lan, try arpredirect'ing the router/gateway once
every 30 seconds, or just use macof if you want more noise (hiding the
source of the detection response). Of course, you can also be more
selective about it.  You can also use tcpkill for total or selective
session killing. Also, nmap -O is known to kill some stacks (and cause
some k-panics).

If you want more focused attacks, as in your original post, try using a
combination of siphon/nmap/queso to id the remote OS, or just pull MACs or
IPs off the wire, and dos the offender w/ a platform specific program from
packetstorm, etc.  You can also use your lids machines, or any existing
firewalls/filters to dynamically adapt various rules - if you want your
detection machines to be silent, connect the e-boxes to filters via VPNs
or separate physical networks depending on physical proximity.  You could
even connect them via serial w/ [rx|tx] leads cut.

You do have a problem, though: your attacker may not respond to icmp
redirects - if you're assuming they may have control over the source
machine in your network - so depending on the source OS to "do the
right thing" isn't reliable. In which case you can't rely on stopping the
network stack at the source machine (via this mechanism, although if you
assume they have total control over their machines, this easily
extrapolates to any attack on the host itself). ARP redirects aren't
actually stopping the stack at the host, but at a waypoint, at which point
the "routers/switches/hubs" argument (which I missed) may apply, be it the
node dynamically configuring itself to cut traffic or an external redirect
from an IDS.  You could also cut dns for the host (if it has dns and
you're using 'notify yes' for a quick response).

But here's the fundamental problem as I see it:  You have various clusters
of computers which you want to prevent from attacking each other (inter-
AND intra- cluster attacks) so no perimeter security will be sufficient as
it only addresses inter-cluster attacks.  Since you can always divide
clusters into smaller clusters (logically speaking, and in terms of the
attacker's src-dst) until you get down to cluster_size=1.  At that point,
your perimeter security is the host itself, which you don't trust.  So,
it seems you have two choices WRT your stated constraints:
(Please correct me if I'm wrong)
1) Implement security at cluster connections (routers/switches/hubs), for
focused dos (e.g., icmp redirect, acl alteration, etc).  (for looped
topologies this doesn't really apply, as they're effectively on an
unmanaged hub).  This would most likely involve:
  a) utilizing the built-in partitioning feature of your interconnection
points, and possibly overloading them, which is why I assume you have a
2500+ box wan but aren't using filtering capabilities.
  b) somehow contacting your interconnection point via existing protocols
that were not designed to be partitioning protocols (more akin to joining)
to silence a specific host.
2) Implement effectively unfocused dos, e.g., arp redirection.  This would
most likely involve:
  a) broadcasting data to multiple hosts (and/or interconnect points) to
instruct them to 'ignore' or 'invalidate' data from the offending host.

In case one, you're preventing the source host from contacting others,
while in case two you're preventing others from contacting [responding] to
the source of the attack.  In a theoretical sense, it seems to me that
silencing the bad host would be the superior solution, since the naughty
host can still aggravate your networks even if none of your machines
respond, and you wouldn't be affecting the good hosts (hopefully).

Hope this helps to provide a framework for the problem.

_B

Barclay Osborn              barclay () integratedlinux com
Signior Programmer (Carumba!)      barclay () simpleip com
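The ARP-redirect mechanism discussed above (re-announcing a gateway's address every 30 seconds, or flooding the segment with random MACs) leaves a recognizable trace on the wire, and an admin who does not control the switches can at least detect it from a passive sensor. The following is an added example, not code from either poster or from the dsniff project: a small detector that reads ARP reply records (constructed sample data inline; the gateway address 10.0.0.1 and all MACs are assumed) and flags three patterns: a second MAC claiming an IP that already has a binding, the same (IP, MAC) pair being re-announced repeatedly inside a window, and a burst of never-seen MACs in a few seconds. The thresholds and the record format (timestamp, sender IP, sender MAC) are assumptions chosen for the example.

```python
from collections import defaultdict, deque

# Constructed sample ARP replies: (seconds, sender_ip, sender_mac).
# Assumed topology: 10.0.0.1 is the gateway and its real MAC is aa:aa:aa:aa:aa:01.
SAMPLE_ARP_REPLIES = [
    (0.0, "10.0.0.1", "aa:aa:aa:aa:aa:01"),    # legitimate gateway announcement
    (5.0, "10.0.0.20", "aa:aa:aa:aa:aa:20"),   # ordinary host
    (30.0, "10.0.0.1", "de:ad:be:ef:00:01"),   # a second MAC claims the gateway IP
    (60.0, "10.0.0.1", "de:ad:be:ef:00:01"),   # ... and keeps re-announcing it
    (90.0, "10.0.0.1", "de:ad:be:ef:00:01"),
] + [
    # a burst of never-seen MACs within a few seconds (table-flood pattern)
    (100.0 + i, f"10.0.0.{150 + i}", f"02:00:00:00:00:{i:02x}") for i in range(8)
]


def detect_arp_anomalies(replies, reannounce_window=60.0, reannounce_limit=3,
                         flood_window=10.0, flood_limit=8):
    """Return a list of alert dicts for the given ARP reply records.

    replies: iterable of (timestamp_seconds, sender_ip, sender_mac), in time order.
    The first MAC seen for an IP is treated as its expected binding (assumption:
    the sensor starts before any poisoning, or the table is seeded from a known
    inventory).
    """
    bindings = {}                         # ip -> first MAC seen for it
    announce_times = defaultdict(deque)   # (ip, mac) -> recent announcement times
    new_mac_times = deque()               # times at which never-seen MACs appeared
    seen_macs = set()
    flagged_bursts = set()
    flood_flagged = False
    alerts = []

    for ts, ip, mac in replies:
        mac = mac.lower()

        # 1. Binding conflict: an IP is being claimed by a MAC other than the
        #    one first recorded for it (the poisoning signature itself).
        if ip not in bindings:
            bindings[ip] = mac
        elif bindings[ip] != mac:
            alerts.append({"type": "mac_conflict", "ts": ts, "ip": ip,
                           "expected": bindings[ip], "seen": mac})

        # 2. Re-announce burst: the same (ip, mac) pair announced at least
        #    reannounce_limit times inside reannounce_window seconds. Alert
        #    once per pair so the output is not itself a flood.
        times = announce_times[(ip, mac)]
        times.append(ts)
        while ts - times[0] > reannounce_window:
            times.popleft()
        if len(times) >= reannounce_limit and (ip, mac) not in flagged_bursts:
            flagged_bursts.add((ip, mac))
            alerts.append({"type": "reannounce_burst", "ts": ts, "ip": ip,
                           "mac": mac, "count": len(times)})

        # 3. New-MAC flood: flood_limit or more MACs never seen before appearing
        #    inside flood_window seconds. Alert once for the whole run.
        if mac not in seen_macs:
            seen_macs.add(mac)
            new_mac_times.append(ts)
            while ts - new_mac_times[0] > flood_window:
                new_mac_times.popleft()
            if len(new_mac_times) >= flood_limit and not flood_flagged:
                flood_flagged = True
                alerts.append({"type": "mac_flood", "ts": ts,
                               "new_macs_in_window": len(new_mac_times)})

    return alerts


def summarize(alerts):
    """Count alerts by type, e.g. {'mac_conflict': 3, ...}."""
    counts = defaultdict(int)
    for alert in alerts:
        counts[alert["type"]] += 1
    return dict(counts)


if __name__ == "__main__":
    found = detect_arp_anomalies(SAMPLE_ARP_REPLIES)
    for alert in found:
        print(alert)
    print(summarize(found))
```

On the constructed sample this reports a binding conflict for 10.0.0.1 at 30, 60 and 90 seconds, one re-announce burst at 90 seconds, and one new-MAC flood at 107 seconds. In a real deployment the bindings table would be seeded from a known inventory rather than from the first reply seen, and a detection like this belongs on a quiet sensor (the poster's point about e-boxes connected to filters via VPNs or separate networks) rather than on the hosts being protected.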

On Wed, 10 May 2000, Jason wrote:

Date: Wed, 10 May 2000 20:16:26 -0500
From: Jason <jottwell () OPENRECORDS ORG>
To: VULN-DEV () SECURITYFOCUS COM
Subject: Re: DoS Local machines

This is a summary of what I've seen in response to my original message.
Switches, hubs, and routers....switches hubs and routers, oh my!

None of which answered my question.

Does anyone have any experience in getting icmp.redirects to affect *nix
boxen?

All I'm looking for are possible attacks on a given host to stop network
traffic.  Hubs, Switches, and routers are not a viable resolution to this
problem.  As many of you know, getting upper management to spend money on
new hardware/software is a fight that takes time, especially if they
don't have a clue as to what an insecure network can do to the company.
After thinking about spoofing an attack so that my piece of code would
attack an innocent host, I came up with a frontend to an attack.  There
are three admins under me. If I give them a tool that allows them only to
'stop' attacking machines on the network, this would be a viable
solution.  Anyone have links for these types of games to be played on
machines in the network?  icmp redirects, arp spoofing, tcp/ip stack
crashes, etc.

Jason
