Vulnerability Development mailing list archives

Re: Networking theories


From: 11a () GMX NET (Bluefish)
Date: Sun, 7 May 2000 20:13:36 +0200


I received a request for the email I had in mind as a private email. I
figured it might be useful reading for several others as well.

The email I had in mind was from CIAC (not CERT, typo):
http://www.ciac.org/ciac/bulletins/k-032.shtml

Related / similar papers found with AltaVista:
http://www.royans.net/insync/ddos/bugtraq_ddos1.shtml
http://info.internet.isi.edu/in-notes/rfc/files/rfc2267.txt
http://www.cisco.com/warp/public/707/newsflash.html
http://www.sans.org/y2k/egress.htm

(the CIAC paper is the best, IMHO)

None of these papers actually describes how to protect against the attack
mentioned in the original mail, but the attack wouldn't be possible if all
major ISPs used EGRESS filtering. Nor do the papers have a solution
against any DDoS which sends correct, unspoofed packets.

Additionally, Linux firewalls/routers could be set up for maximum anti-spoof
security using:
  # Only act if the kernel exposes the rp_filter control
  if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ]; then
    echo -n "FIREWALL: Enabling kernel IP spoofing protection... "
    # Write the setting into every entry under conf/ (all, default, each interface)
    for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
      echo "2" > "$f"
    done
    echo "done."
  fi

..:::::::::::::::::::::::::::::::::::::::::::::::::..
     http://www.11a.nu || http://bluefish.11a.nu
    eleventh alliance development & security team

Any idea on where to obtain a copy of this email? I'm not exactly a large
ISP, but I do deal with a few large networking situations.

----- Original Message -----
From: "Bluefish" <11a () GMX NET>
To: <VULN-DEV () SECURITYFOCUS COM>
Sent: Friday, May 05, 2000 5:06 PM
Subject: Re: [VULN-DEV] Networking theories


victim.org(spoofed) ---> ICMP(source-quench) ---> router.victim.org

Actually, there was an email from... cert (I think) ... intended for larger
companies and ISPs with guidelines for combating DDoS. Among those
guidelines there were recommendations of checking source IP. So it's a
known problem which responsible ISPs will stop (but probably most don't)

..:::::::::::::::::::::::::::::::::::::::::::::::::..
     http://www.11a.nu || http://bluefish.11a.nu
    eleventh alliance development & security team
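
Added example (not part of the original post or of any project's code): a shell audit of the rp_filter setting that the loop in the post writes. It assumes the semantics in current kernel documentation, where 0 is no source validation, 1 is strict, 2 is loose, and the value applied to an interface is the larger of conf/all and that interface's own entry. rp_mode, rp_audit and rp_demo are hypothetical helper names, and the tree built in rp_demo is constructed sample data.

```shell
# Added example. On current kernels the value applied to an interface is
# max(conf/all/rp_filter, conf/<if>/rp_filter):
#   0 = no source validation, 1 = strict, 2 = loose.

rp_mode() {                      # numeric value -> mode name
    case "$1" in
        0) echo off ;;
        1) echo strict ;;
        2) echo loose ;;
        *) echo unknown ;;
    esac
}

# rp_audit [CONF_DIR]: print "<iface> <effective value> <mode>" per interface.
# Returns 0 if all are strict, 1 if any is not, 2 if CONF_DIR is unusable.
rp_audit() {
    conf=${1:-/proc/sys/net/ipv4/conf}
    if [ ! -r "$conf/all/rp_filter" ]; then
        echo "rp_audit: no rp_filter under $conf" >&2
        return 2
    fi
    all=$(cat "$conf/all/rp_filter")
    rc=0
    for f in "$conf"/*/rp_filter; do
        ifname=$(basename "$(dirname "$f")")
        # "all" is folded into every result; "default" only seeds new interfaces
        case "$ifname" in all|default) continue ;; esac
        eff=$(cat "$f")
        if [ "$all" -gt "$eff" ]; then eff=$all; fi
        mode=$(rp_mode "$eff")
        echo "$ifname $eff $mode"
        if [ "$mode" != strict ]; then rc=1; fi
    done
    return "$rc"
}

# rp_demo: run the audit over a constructed tree (sample values, not a real host).
rp_demo() {
    d=$(mktemp -d) || return 2
    for spec in all:0 default:0 eth0:1 eth1:2 lo:0; do
        mkdir -p "$d/${spec%%:*}"
        echo "${spec#*:}" > "$d/${spec%%:*}/rp_filter"
    done
    demo_rc=0
    rp_audit "$d" || demo_rc=$?
    rm -rf "$d"
    return "$demo_rc"
}
```

Calling rp_audit with no argument reads the live /proc/sys/net/ipv4/conf tree; a non-zero return means at least one interface is not in strict mode.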

