Re: New Denial of Service Attack on Panix

[dvv () sprint net (Dima Volodin)]

Well, my understanding of your idea was that you proposed to detect SYN
packets with unroutable src addresses before they hit the SYN_RCVD
queue. The only way to deem them unroutable is to observe
ICMP_UNREACHs hitting the box in large numbers. Now my first paragraph
just means that an SRC address might be a perfectly routable one without
its being real - an unused address on an ethernet segment is enough for
the attack. Or thousands of them for an untraceable attack.


Dima

Tim Bass writes:
> > It will, except that a slight modification of the attack (using IP
> > addresses that _don't_ produce ICMP_UNREACH) will get us back to square
> > one.
> >
> > Anyway, filtering packets with SRC addresses known to generate
> > ICMP_UNREACH at the earliest possible stage might be a good idea.
>
> I understand paragraph two, but about paragraph 1....
>
> When I ran the TCP SYN attack using routable source addresses,
> before I patched my attack kernel to allow Spoofers, I
> literally beat-to-death a server on the same subnet and
> the attack has no effect.  
>
> However, when I hacked the kernel to allow spoofed addresses,
> the attack was severe and immediate.  So, from my tests,
> the attack is only sucessful when the bogus source address
> is UNREACHABLE (which is a defense in the non-random
> attack.
>
> For clarity, the attack only works when the IP source address
> is UNREACHABLE, this has been my observation here in the lab using
> an source address from my net (however I haven't confirmed this
> with a good source address in another domain but I will...)
>
>
>
> Tim
>
>
> > > Tim
> >
> > Dima

- - - - - - - - - - - - - - - - -