nanog mailing list archives

Re: SYN flood messages flooding my mailbox


From: Curtis Villamizar <curtis () ans net>
Date: Tue, 17 Sep 1996 16:15:00 -0400


In message <199609161940.MAA00329 () quest quake net>, Vadim Antonov writes:
> Curtis Villamizar <curtis () ans net> wrote:
> 
> > 2.  Filter based on source address on inbound packets from singly
> > homed sites.
> > 
> > A singly homed site cannot have asymmetric routing since there is no
> > other path.
> 
> The site does not have to be single-homed for filtering to be applicable.
> 
> If you relax criteria for reverse-route filtering to "known route" instead
> of "best route" then any customer (non-transit) AS can be filtered safely
> at border routers.

And if the "known route" is known by another router but suppressed from
IBGP advertisement because there is a better route ..

Or if the "known route" goes through an AS that uses YOU as their best
route but the reverse traffic goes a different way..

Both of these cases and others cause a blackhole.

Of course, if by "known route" you mean known because it is in the
IRR, and the IRR is known to be reliable, then I accept your argument
but caution that the IRR is not always reliable, but this is yet
another reason to make it more reliable.

> As for traceability -- fat load of good it does to you if you discover
> that the hacker was smart enough to use an unprotected box somewhere in
> Taiwan or Brazil as a staging point for attack.  I've had situations when
> I traced attacks to places like that and was anything but unable to
> explain to local sysadmins what I wanted from them.  Simply because they
> don't speak English at all.  There are places where they simply don't have
> any laws in regard to computer crime, and no Interpol offices.  Any
> really malicious attacker with more than two neurons would be out of
> your reach, and unhindered.

We've had providers shut down sites because they were slow to address
hacking launched from their site.  In one case an NSFNET regional shut
down a large university because their CS department just said
"security is a hard problem" and refused to do anything.  After 4 days
of no Internet access they had things quite thoroughly cleaned up.
The hacker in this case may very well have been Mitnick because
similar attacks were seen from Netcom and were those that hit SDSC and
both the Netcom and university attacks occurred about a month prior to
Mitnick getting caught.

> BTW, the enforcement of source address authenticity allows for automated
> SYN flooding attack defenses -- if your host sees a stream of SYNs at a
> rate more than X pps it simply starts to ignore the SYNs from
> that particular source!  (A simple algorithm would take care of roaming
> sources within some network -- you just sort SYNs by buckets of different
> sizes and shut down those which have SYN rate counts higher than
> some threshold).

Shutting down the source is a lot easier if you know the source.

> --vadim

Curtis
- - - - - - - - - - - - - - - - -
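The two mechanisms argued over in the message above, as an added example (not code from the thread, from either author, or from any router vendor): a toy border router in Python with the "best route" and "known route" reverse-path checks side by side, followed by the multi-size SYN buckets Vadim sketches. It reads "known route" as "some route to the source prefix, best or not, is known via the interface the packet arrived on"; that reading, the refusal to count the default route as a known route, the per-window reset, the prefixes 192.0.2.0/24 and 198.51.100.0/24, the interface names cust-A, cust-B, peer-X and upstream, the thresholds and the three traffic patterns are all assumptions constructed for the example.

```python
# Added example (not code from the thread): a toy border router with both
# reverse-path checks discussed above plus multi-size SYN buckets.  All
# prefixes, interface names, thresholds and traffic patterns are constructed.
from collections import Counter, namedtuple
import ipaddress

Route = namedtuple("Route", "prefix ifc best")

# 198.51.100.0/24 is a multihomed customer: learned directly on cust-B, but
# the path via peer-X is selected as best, so return traffic leaves via
# peer-X.  A route that only another router in the AS knows (suppressed
# from IBGP because a better one exists) is simply not in this table.
ROUTES = [
    Route(ipaddress.ip_network("192.0.2.0/24"), "cust-A", True),
    Route(ipaddress.ip_network("198.51.100.0/24"), "peer-X", True),
    Route(ipaddress.ip_network("198.51.100.0/24"), "cust-B", False),
    Route(ipaddress.ip_network("0.0.0.0/0"), "upstream", True),
]

def routes_for(src):
    """Routes for the longest prefix matching src; the default route is
    ignored since it says nothing about where a source lives."""
    addr = ipaddress.ip_address(src)
    matches = [r for r in ROUTES if r.prefix.prefixlen and addr in r.prefix]
    if not matches:
        return []
    longest = max(r.prefix.prefixlen for r in matches)
    return [r for r in matches if r.prefix.prefixlen == longest]

def rpf_accepts(src, in_ifc, mode):
    """mode "best": the selected route must point back at in_ifc.
    mode "known": any route for the prefix may point at in_ifc."""
    routes = routes_for(src)
    if mode == "best":
        return any(r.best and r.ifc == in_ifc for r in routes)
    if mode == "known":
        return any(r.ifc == in_ifc for r in routes)
    raise ValueError("mode must be 'best' or 'known'")

class SynRateGuard:
    """SYN counts per source at several prefix lengths within one window;
    thresholds maps prefix length -> max SYNs per bucket of that size.
    A bucket over its threshold is shut down for the rest of the window."""
    def __init__(self, thresholds):
        self.thresholds = dict(thresholds)
        self.counts = Counter()
        self.blocked = set()

    def observe(self, src):
        """Account for one SYN from src; return True if it is accepted."""
        buckets = [ipaddress.ip_network(f"{src}/{plen}", strict=False)
                   for plen in self.thresholds]
        if any(b in self.blocked for b in buckets):
            return False
        for b in buckets:
            self.counts[b] += 1
            if self.counts[b] > self.thresholds[b.prefixlen]:
                self.blocked.add(b)
        return not any(b in self.blocked for b in buckets)

    def new_window(self):
        """Reset for the next measurement window (e.g. once per second)."""
        self.counts.clear()
        self.blocked.clear()

DEFAULT_THRESHOLDS = {32: 20, 24: 200, 16: 2000}   # constructed limits

def guard_accepts(sources, thresholds=DEFAULT_THRESHOLDS):
    """SYNs accepted by the rate guard alone (no source-address check)."""
    guard = SynRateGuard(thresholds)
    return sum(1 for s in sources if guard.observe(s))

def border_accepts(sources, in_ifc, mode, thresholds=DEFAULT_THRESHOLDS):
    """SYNs accepted after the reverse-path check AND the rate guard."""
    guard = SynRateGuard(thresholds)
    return sum(1 for s in sources
               if rpf_accepts(s, in_ifc, mode) and guard.observe(s))

# Constructed traffic patterns of n SYNs each.
def fixed_source(n):     # one customer host hammering the target
    return ["198.51.100.7"] * n

def roaming_sources(n):  # hopping between hosts inside the customer /24
    return [f"198.51.100.{1 + i % 254}" for i in range(n)]

def spoofed_sources(n):  # forged addresses spread over many /16s
    return [f"{16 + i % 200}.{i * 37 % 256}.{i * 59 % 256}.{i * 97 % 256}"
            for i in range(n)]

if __name__ == "__main__":
    print("customer host, best-route check: ",
          border_accepts(fixed_source(50), "cust-B", "best"))    # 0, blackholed
    print("customer host, known-route check:",
          border_accepts(fixed_source(50), "cust-B", "known"))   # 20, then shut
    print("forged sources, guard alone:     ", guard_accepts(spoofed_sources(300)))  # 300
```

Run as a script it shows the blackhole Curtis describes and the dependency Vadim's closing point rests on: the multihomed customer's own packets arriving on cust-B are dropped by the best-route check (the selected route points at peer-X) and passed by the known-route check; the buckets then shut down a single host after its /32 budget and a host hopping around inside the /24 after the /24 budget, but forged sources spread over the address space never fill any bucket, so only the reverse-path check in front of them makes the rate guard bite. Curtis's IBGP case needs no special code: the alternate path is absent from this router's table, so the known-route check drops the traffic too.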

