nanog mailing list archives
Re: New Denial of Service Attack on Panix
From: dvv () sprint net (Dima Volodin)
Date: Wed, 2 Oct 1996 17:51:34 -0400 (EDT)
Well, my understanding of your idea was that you proposed to detect SYN packets with unroutable src addresses before they hit the SYN_RCVD queue. The only way to deem them unroutable is to observe ICMP_UNREACHs hitting the box in large numbers. Now my first paragraph just means that an SRC address might be a perfectly routable one without its being real - an unused address on an ethernet segment is enough for the attack. Or thousands of them for an untraceable attack.

Dima

Tim Bass writes:

It will, except that a slight modification of the attack (using IP addresses that _don't_ produce ICMP_UNREACH) will get us back to square one.

Anyway, filtering packets with SRC addresses known to generate ICMP_UNREACH at the earliest possible stage might be a good idea.

I understand paragraph two, but about paragraph 1....

When I ran the TCP SYN attack using routable source addresses, before I patched my attack kernel to allow Spoofers, I literally beat-to-death a server on the same subnet and the attack has no effect. However, when I hacked the kernel to allow spoofed addresses, the attack was severe and immediate.

So, from my tests, the attack is only successful when the bogus source address is UNREACHABLE (which is a defense in the non-random attack).

For clarity, the attack only works when the IP source address is UNREACHABLE; this has been my observation here in the lab using a source address from my net (however I haven't confirmed this with a good source address in another domain but I will...)

Tim

Tim

Dima
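The following toy model of the SYN_RCVD queue is an added illustration, not part of the original message or thread: it compares what a listener sees when the claimed source is a live host (which answers the SYN-ACK with a RST), an address that draws ICMP_UNREACH, and a routable but unused address that returns nothing, with and without a filter keyed on ICMP_UNREACH. The backlog size, timeout, rates, and the rule that the filter learns after one ICMP_UNREACH are all constructed assumptions.

```python
# Toy model of a listener's SYN_RCVD (half-open) queue. All numbers are
# constructed for illustration; real stacks differ in backlog and timers.
from collections import deque

BACKLOG = 8        # assumed half-open queue size
SYN_TIMEOUT = 75   # assumed seconds a half-open entry is kept

# What comes back after the server sends SYN-ACK to the claimed source:
#   "live"        -> real host that never sent the SYN; it answers RST
#   "unreachable" -> a router returns ICMP_UNREACH; entry still waits (assumed)
#   "silent"      -> routable but unused address; nothing comes back
def simulate(src_kind, syn_per_sec, seconds, icmp_filter=False):
    """Return (peak queue depth, SYNs dropped because the queue was full,
    SYNs dropped by the ICMP_UNREACH-based filter)."""
    queue = deque()      # expiry times of half-open entries, oldest first
    flagged = False      # filter has seen ICMP_UNREACH for this source
    peak = dropped_full = dropped_filter = 0
    for now in range(seconds):
        while queue and queue[0] <= now:   # timer expiry frees slots
            queue.popleft()
        for _ in range(syn_per_sec):
            if icmp_filter and flagged:
                dropped_filter += 1        # rejected before queueing
                continue
            if len(queue) >= BACKLOG:
                dropped_full += 1          # legitimate SYNs would die here too
                continue
            if src_kind == "live":
                continue                   # RST arrives at once, slot freed
            queue.append(now + SYN_TIMEOUT)
            if src_kind == "unreachable":
                flagged = True             # assumption: one ICMP is enough
        peak = max(peak, len(queue))
    return peak, dropped_full, dropped_filter

if __name__ == "__main__":
    for kind in ("live", "unreachable", "silent"):
        for filt in (False, True):
            print(kind, "filter" if filt else "no-filter",
                  simulate(kind, 10, 30, icmp_filter=filt))
```

In this model the filter keeps the queue nearly empty for the ICMP_UNREACH case but changes nothing for the silent case, which is the situation both posters describe as "back to square one".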