Firewall Wizards mailing list archives

Re: Denial of service


From: Ted Doty <ted () iss net>
Date: Thu, 20 Aug 1998 07:20:05 -0400

At 06:46 PM 8/19/98 -0400, ICMan wrote:
> Ted Doty wrote:
>
> [snip]
>
> > If your network positively has to be up for mission critical applications,
> > don't connect it to the Internet.
>
> [snip]
>
> Denial of service attacks can, for the most part, be guarded against
> with good "perimeter security devices" (read: Firewalls) and good
> security practices.

Hmmm.  If BigStateU has a T3 internet connection, and they are vulnerable
to the smurf attack (a broadcast ping with a spoofed source address), and
if they use your internet router's IP address as the source address in the
smurf, it is very likely that your internet connection will be so jammed
with smurf traffic that nothing else will get through.  It is also possible
that your router will execute a HALT_AND_CATCH_FIRE operation, since a
number of these are optimized for *forwarding* packets, rather than
responding to them.

If you have a T3, then the attacker just needs to find 5 or 6 other
smurfable sites that have big, fat internet feeds.

It's not at all clear to me what a "good perimeter security device" can do
here, other than gasp out that it's under attack as its kernel mbuf
allocation heads towards infinity.

> I think that your last assertion is a bit of overkill on the FUD.  What
> is "absolutely mission critical"?  Can I connect my network to the

Don't think it's FUD at all.  I work at a company that plausibly would sell
more stuff if you *could* really make the Internet safe for
mission-critical applications.

> Internet with a router "patched sufficiently to make [hacking]
> impossible" and then put my mission critical stuff on a private, secure
> WAN?  CERN in Geneva provides real-time data feeds from their
> accelerator lab at 10Mbps to certain research groups.  This is
> "absolutely mission critical", because the data in the stream has to be
> free from contamination.  However, I should still be able to connect my
> network to the Internet if I take sufficient precautions.

If someone at CERN can be fired because they use a delivery network that
can be taken down at whim by any script kiddie on the net, then it's not
mission-critical by any meaningful definition.  Not poking at CERN, just
defining my terms.

Applications that I *hope* are nowhere near the Internet include: air
traffic control, railroad scheduling and switching control, process control
systems running big chemical plants, [the list is nearly infinite].  This
is what all the "Information Warfare" guys use to get their big budgets.

> For example, I can have a really well locked down Firewall as my
> Internet gateway, and then also have a really tight Firewall in front of
> my research network.  I have to take very good care to configure the
> Firewalls and routers correctly, and I need to make damn sure that the
> latest security patches are applied, but if my Internet connection goes
> down because someone blew my ISP away, I care very little because the
> data feed that is my bread and butter is coming from a different source.

Then by definition you're not running mission critical applications over
the Internet.

- Ted

-----------------------------------------------------------------------
Ted Doty, Internet Security Systems          | Phone: +1 678 443-6000
6600 Peachtree Dunwoody Road, 300 Embassy Row | Fax:   +1 678 443-6479
Atlanta, GA 30328  USA                       | Web: http://www.iss.net
-----------------------------------------------------------------------
PGP key fingerprint: 362A EAC7 9E08 1689  FD0F E625 D525 E1BE
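Ted's point is that the victim of a smurf flood sees only the amplified replies, so a perimeter device cannot stop them; what it can still do is recognise the pattern and name the amplifier networks, which is the information the victim needs when asking those sites (or their ISP) to turn off directed-broadcast forwarding and to filter spoofed sources. The script below is an added example written for this archive page, not code from the thread or from ISS: it runs detection logic over constructed flow records (the record layout, the field names and every address are assumptions for the example) and flags groups of ICMP echo replies where many distinct hosts in one /24 answer the same destination within a short window. It also totals the flagged amplifiers per victim, which is the "5 or 6 other smurfable sites" effect seen from the receiving end.

```python
"""Detect smurf-style ICMP amplification in flow records (added example).

A smurf flood reaches the victim as echo replies from many hosts in the
same amplifier network, all addressed to the spoofed source (the victim).
We group replies by (amplifier /24, victim) and count distinct responders
inside a sliding time window.  All records here are constructed for the
example; the line layout is an assumption, not any collector's format.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress


def parse_flow(line):
    """Parse one constructed record: '<iso-timestamp> <src> <dst> <proto> <icmp_type>'."""
    ts, src, dst, proto, icmp_type = line.split()
    return {"ts": datetime.fromisoformat(ts), "src": src, "dst": dst,
            "proto": proto, "icmp_type": int(icmp_type)}


def detect_smurf(lines, window=timedelta(seconds=2), min_sources=20):
    """Return flagged (amplifier network, victim) groups, largest first."""
    groups = defaultdict(list)          # (amplifier /24, victim) -> [(ts, src)]
    for line in lines:
        if not line.strip():
            continue
        rec = parse_flow(line)
        if rec["proto"] != "icmp" or rec["icmp_type"] != 0:   # echo replies only
            continue
        amp_net = ipaddress.ip_network(rec["src"] + "/24", strict=False)
        groups[(str(amp_net), rec["dst"])].append((rec["ts"], rec["src"]))

    findings = []
    for (amp_net, victim), events in groups.items():
        events.sort()
        counts = defaultdict(int)       # src -> replies currently inside the window
        peak = start = 0
        for ts, src in events:
            counts[src] += 1
            while events[start][0] < ts - window:   # slide the window forward
                old = events[start][1]
                counts[old] -= 1
                if counts[old] == 0:
                    del counts[old]
                start += 1
            peak = max(peak, len(counts))
        if peak >= min_sources:
            findings.append({"amplifier": amp_net, "victim": victim,
                             "distinct_sources": peak, "replies": len(events)})
    findings.sort(key=lambda f: -f["distinct_sources"])
    return findings


def summarize_victims(findings):
    """Per victim: how many amplifier networks are firing and total replies seen."""
    summary = defaultdict(lambda: {"amplifiers": 0, "replies": 0})
    for f in findings:
        summary[f["victim"]]["amplifiers"] += 1
        summary[f["victim"]]["replies"] += f["replies"]
    return dict(summary)


def build_sample():
    """Constructed flow records for the example (not captured traffic)."""
    lines = []
    base = datetime(1998, 8, 19, 18, 46, 0)
    victim = "192.0.2.1"    # assumed: the site's Internet router, spoofed as the ping source
    # two amplifier networks whose hosts all answer the same broadcast ping
    for net, hosts in (("203.0.113.", 40), ("198.51.100.", 30)):
        for i in range(hosts):
            ts = base + timedelta(milliseconds=25 * i)
            lines.append(f"{ts.isoformat()} {net}{i + 10} {victim} icmp 0")
    # benign: a single host answering a ping the router itself sent
    lines.append(f"{(base + timedelta(seconds=5)).isoformat()} 198.18.0.9 {victim} icmp 0")
    # a TCP flow the detector must ignore
    lines.append(f"{base.isoformat()} 203.0.113.50 {victim} tcp 0")
    return lines


if __name__ == "__main__":
    found = detect_smurf(build_sample())
    for f in found:
        print(f"{f['amplifier']:18} -> {f['victim']}: "
              f"{f['distinct_sources']} responders, {f['replies']} replies")
    print(summarize_victims(found))
```

The window and threshold are deliberately loose so the example is readable; on a real collector they should be tuned to the link's normal echo-reply rate, and the amplifier list is what gets forwarded upstream. The root-cause fixes live on the amplifier side, not the victim's: routers that drop directed broadcasts (later made the default by RFC 2644) and ingress filtering that rejects packets with spoofed sources (RFC 2827).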


