Security Incidents mailing list archives

Re: Arrowpoint CS-100 attack


From: Albert Saerong <asaerong () ASTAGASTAFF COM>
Date: Wed, 18 Oct 2000 10:44:48 +0700

Right, and as an addition, I suggest you upgrade your AP software version.
The latest version that I use is ap0310055s, which has more improvements on
handling DoS while maintaining a low CPU usage. Although they have released
v4, I haven't tried it yet.

One solution, instead of adding another firewall (cheap or not, it's still a
cost) before the AP, is to use the AP itself as a firewall. You can use the
AP ACL to set that. I also suggest you play with the config in layer 5 or
layer 7 by setting the 'service' and 'owner' to a specific port and
protocol, so traffic can only go to allowable ports and protocols in
allowable services/owners, thus limiting the attackers' room to play around.

Another thing is to set your router to filter the traffic before it goes to
the AP. I usually set "deny any any" at the bottom of the router ACL, and
before that open the ports and protocols of the IPs that need to be open.
Also add some anti-spoofing and some blocking on big-size ICMP.

Anyway, I don't think that you really need to upgrade to the CS-150 or even
big mamma (CS-800), IF you still consider all the attackers' traffic as part
of your traffic. Then you'd have to prepare some cash to buy multiple
CS-800s ;-)
If you implement my suggestions above, I'm sure that the traffic will be
double filtered, first by the router, then by the Arrowpoint. As an example
of my implementation: I have one customer who uses only 1 CS-100 with 2
different uplinks and 6 E220R servers below it, to handle 3 MBs of 'clean'
traffic and almost a million pageviews a day, and it still works fine,
unDOS-able, with a low CPU usage (11%), since most of the attack has been
filtered through the router and we play the services and owners on layer 5.

If you find difficulties getting the latest version of the AP software, just
email me.

cheers,
albert
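As an added illustration of the router-side filtering Albert describes (anti-spoofing first, big ICMP dropped, explicit opens for the published services, "deny any any" at the bottom), here is a small first-match ACL model in Python. It is example code written for this archive page, not code from the thread or from any Arrowpoint or router product; the prefixes, VIP ports and the ICMP size cut-off are assumed values.

```python
import ipaddress
from collections import Counter
from dataclasses import dataclass

# Constructed example: prefixes, ports and the ICMP size threshold are assumptions.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
OUR_PREFIX = ipaddress.ip_network("203.0.113.0/24")    # assumed public block (documentation range)
VIP_PORTS = {("203.0.113.1", 80), ("203.0.113.1", 443), ("203.0.113.2", 80)}
MAX_ICMP_BYTES = 256                                    # assumed cut-off for "big size ICMP"

@dataclass
class Packet:
    src: str
    dst: str
    proto: str          # "tcp", "udp" or "icmp"
    dport: int = 0
    length: int = 64

def evaluate(pkt):
    """First-match, top-down evaluation; returns (verdict, rule_name)."""
    src = ipaddress.ip_address(pkt.src)
    # Anti-spoofing: private sources never arrive legitimately on the uplink,
    # and nothing from outside may claim an address in our own prefix.
    if any(src in net for net in RFC1918):
        return "deny", "antispoof-rfc1918"
    if src in OUR_PREFIX:
        return "deny", "antispoof-own-prefix"
    # Drop oversized ICMP; small ICMP (path-MTU, echo) still passes.
    if pkt.proto == "icmp":
        if pkt.length > MAX_ICMP_BYTES:
            return "deny", "icmp-too-big"
        return "permit", "icmp-small"
    # Explicit permits for the published VIP services only.
    if pkt.proto == "tcp" and (pkt.dst, pkt.dport) in VIP_PORTS:
        return "permit", "vip-service"
    # Everything else hits the "deny any any" at the bottom.
    return "deny", "deny-any-any"

def filter_batch(packets):
    """Apply the ACL to a list of packets; returns (permitted packets, hits per rule)."""
    hits = Counter()
    permitted = []
    for pkt in packets:
        verdict, rule = evaluate(pkt)
        hits[rule] += 1
        if verdict == "permit":
            permitted.append(pkt)
    return permitted, hits
```

The per-rule hit counter is the part worth keeping on a real router: a spike in the anti-spoof or ICMP rules is the quickest confirmation that the filter in front of the load balancer is absorbing the attack.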

-----Original Message-----
From: junior () SHIVA 6O4 NET
To: INCIDENTS () SECURITYFOCUS COM
Sent: 10/17/00 12:49 PM
Subject: Re: Arrowpoint CS-100 attack

Always when you see this kind of attack... take a few stats.

During the attack, look at the output from
'show dos'
'show dos sum'
'show mem'

The above will show you the source of the attacks (spoofed) and memory
usage. A reboot will bring things back to normal, but once the CPU is pegged
again the same thing will happen.
You can also enable various syslog levels to log the sources..
But these will almost all be spoofed, RFC 1918 addresses.

The Arrowpoints are great in the fact that they help to prevent SYN, Illegal
Src attacks, etc. Unlike most load balancers, which will blindly load balance
any attack (BigIP) or use some kind of counters (Alteons), during a regular
TCP handshake the Arrowpoint intercepts the packet destined for load-balanced
machines, spoofs the connection and sends a SYN ACK back to the source; if
the source does not answer back, the connection is dropped. This all takes a
lot of CPU, and if the attack is great it will overwhelm the CPU, as is the
case of what is happening to you right now.. You DON'T want to turn this
feature off; you have other more important issues to worry about here, since
if you turn off these features the attack will be passed on to your machines,
which will be hammered.
You have some choices here: get a higher-end Arrowpoint.. CS-150??
If the load of traffic + attack will be too great for the 150, go 800; these
are modular and can be very expensive but worth all the money. Since it's
modular it can grow as your network grows..

Put a firewall in front of the Arrowpoint and have it deal with the attacks.
A NetScreen-100 (www.netscreen.net) should work fine; it's a
hardware/firmware solution, and not expensive at all.

my 2 cents.

On Mon, Oct 16, 2000 at 02:39:05PM -0200, Thiago Madeira de Lima wrote:
      Hello,

      I'm experiencing a very hard/strange attack.

      I run a service which has the following architecture:

      1 Arrowpoint CS-100
      2 Cacheflows in one VIP, which is the website address (200.x.x.1)
      1 Server in one VIP (200.x.x.2)

      This configuration works very fine, but someone is attacking the IP
      200.x.x.1 and then the Arrowpoint starts saying that there are *MANY*
      'Illegal Source Attack', and it starts to work very slowly and kills
      all services. It stops packet forwarding to the servers and marks all
      servers as down.

      I'm receiving something about 15 Mbits of this strange traffic. And I
      couldn't verify what it is, because the Arrowpoint does not forward
      those packets to the real server nor the cache.

      I looked at the Arrowpoint manual and there's nothing about how to
      disable the DoS filter, which I think could be an answer. Maybe the
      caches or the server could handle the problem a little better.

      My problem right now is how to identify what attack is really
      happening, and then filter the attack someplace before the Arrowpoint.

      Any tricks?

      Thanks a lot
      Thiago
