ietf

Re: Internet SYN Flooding, spoofing attacks

2000-02-11 14:20:03
On Fri, Feb 11, 2000 at 02:40:15PM -0500, Bernie Volz wrote:
> Regarding the recent TCP SYN Flooding attacks, why aren't ALL ISPs
> required to put filtering on their networks that PREVENTS packets with
> invalid source addresses ever entering their infrastructure? If every
> site connected to the Internet did this, spoofing would be much more
> difficult because you couldn't do it. Sure, you could spoof an address
> from YOUR network, but that's all. And guess what, it would be much
> easier to track and thus to shut down the intrusions should they occur.

        Clue alert...

        The recent attacks were not TCP SYN Floods.

        Please check recent Bugtraq and Cert information regarding
Distributed DoS attacks.

        Further references:

http://xforce.iss.net/alerts/advise40.php3
http://www.cert.org/advisories/CA-2000-01.html
http://www.fbi.gov/nipc/trinoo.htm

        Detailed analyses of TFN (Tribe Flood Network), Trin00, and
Stacheldraht (Barbed Wire) are here:

http://staff.washington.edu/dittrich/misc/tfn.analysis
http://staff.washington.edu/dittrich/misc/trinoo.analysis
http://staff.washington.edu/dittrich/misc/stacheldraht.analysis

        Contrary to popular belief and the common press, TFN2K (Tribe
Flood Network 2000) also has Windows versions of the slave daemons
as well as Solaris and Linux versions.

        A lot of these attacks appeared to be SMURF style attacks and
TFN (Tribe Flood Network) and TFN2K have distributed smurf capabilities.

        This wasn't even close to being a TCP SYN flood.

        As far as spoofing goes, in their SMURF mode, the only spoofing
is the src_addr part of the ICMP echo that the slave systems send to
their LOCAL broadcast address.  That src_addr is the address of the
system being attacked by ICMP_ECHOREPLY packets that simply consume all
its bandwidth.  Check out the analysis.

        Anti-spoofing entry filters would have been of zero effect.

> Thus every edge router should have filter lists that prevent it
> forwarding traffic out to the Internet (ISPs network) any packet that
> does not have a source address that is valid from that site.

        Would not have helped except maybe in some of the UDP attack
modes of the slaves.

> I would hope that lots of ISPs already do this. But, perhaps not.
> 
> - Bernie Volz
>   Process Software

        Mike
-- 
 Michael H. Warfield    |  (770) 985-6132   |  mhw@WittsEnd.com
  (The Mad Wizard)      |  (770) 331-2437   |  http://www.wittsend.com/mhw/
  NIC whois:  MHW9      |  An optimist believes we live in the best of all
 PGP Key: 0xDF1DD471    |  possible worlds.  A pessimist is sure of it!
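The point Mike makes above (that a site-edge anti-spoofing filter does nothing against the smurf mode, but would catch the directly-spoofed UDP mode) can be checked with a small simulation. This is an added example written for this page, not code from the post or from any of the tools it discusses; the site prefix, host count, victim address and packet counts are made-up (RFC 5737 test networks), and the two attack modes are modelled only as far as the post describes them: an ICMP echo to the local broadcast with the source set to the victim, versus UDP sent straight at the victim with random sources.

```python
"""Why an egress anti-spoofing filter at a slave's site edge has no effect on
smurf-mode flooding but does stop directly spoofed UDP flooding.

Added example for this page; not the original post's code.  The addresses,
host count and packet counts below are constructed for illustration."""
import ipaddress
import random
from dataclasses import dataclass

# Assumed slave site (TEST-NET-1) and assumed victim (TEST-NET-2).
SITE = ipaddress.ip_network("192.0.2.0/24")
BROADCAST = SITE.broadcast_address
VICTIM = ipaddress.ip_address("198.51.100.7")
# Every usable host on the slave's LAN, 254 of them, all answering broadcast pings.
LOCAL_HOSTS = [ipaddress.ip_address(int(SITE.network_address) + i) for i in range(1, 255)]


@dataclass(frozen=True)
class Packet:
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    proto: str  # "icmp-echo", "icmp-echoreply" or "udp"


def egress_filter(pkt: Packet) -> bool:
    """The edge-router rule proposed in the thread: forward a packet out to the
    ISP only if its source address is valid for this site."""
    return pkt.src in SITE


def hosts_answering_broadcast(echo: Packet) -> list:
    """Each LAN host that receives a directed-broadcast echo replies to echo.src,
    using its own, perfectly legitimate, address as the source."""
    if echo.dst != BROADCAST or echo.proto != "icmp-echo":
        return []
    return [Packet(src=h, dst=echo.src, proto="icmp-echoreply") for h in LOCAL_HOSTS]


def smurf_mode(rounds: int) -> dict:
    """Slave sends `rounds` ICMP echoes to the LOCAL broadcast, src spoofed to
    the victim.  The spoofed packet itself never reaches the edge router (its
    destination is local); only the echo replies cross the edge, and every one
    of them carries a real local source, so the filter passes them all."""
    seen = passed = 0
    for _ in range(rounds):
        echo = Packet(src=VICTIM, dst=BROADCAST, proto="icmp-echo")
        for reply in hosts_answering_broadcast(echo):
            seen += 1
            if egress_filter(reply):
                passed += 1
    return {"seen": seen, "passed": passed, "dropped": seen - passed,
            "amplification": passed // rounds if rounds else 0}


def udp_flood_mode(count: int, seed: int = 1) -> dict:
    """Slave sends `count` UDP packets straight at the victim with random
    spoofed sources drawn from outside the site.  These do cross the edge,
    and the filter drops every one of them."""
    rng = random.Random(seed)
    passed = 0
    for _ in range(count):
        src = ipaddress.ip_address(rng.getrandbits(32))
        while src in SITE:  # a source from the slave's own site would pass, but is traceable
            src = ipaddress.ip_address(rng.getrandbits(32))
        if egress_filter(Packet(src=src, dst=VICTIM, proto="udp")):
            passed += 1
    return {"seen": count, "passed": passed, "dropped": count - passed}


if __name__ == "__main__":
    print("smurf mode:", smurf_mode(10))
    print("udp flood mode:", udp_flood_mode(1000))
```

Run as-is, the smurf run shows 2540 echo replies presented to the edge filter and 2540 forwarded (254x amplification per spoofed packet, zero drops), while the UDP run shows all 1000 spoofed packets dropped, which is the "would not have helped except maybe in some of the UDP attack modes" outcome in the post.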