
Re: Internet SYN Flooding, spoofing attacks

2000-02-23 19:30:02
      Source-routed packets from untrusted hosts, as many of us know, have to
be dropped/ignored. I do not know if there is another kind of attack
regarding the forging of IP headers, as I didn't study ( :( ) the TCP/IP
RFCs.

Actually, those who understand the security problem of IP source routes
know something else.  IP source route options are not problems except to
broken hosts.  It would be nice to think there are no longer such broken
hosts on the net, but that is too much to expect.  In a reasonable world,
we would expect anyone who cannot install non-broken software on their
hosts to install filters against IP source routes where they will do the
least damage, close to the broken hosts.

However, in this world, the news about the irredeemable evil of all ICMP
packets will join year-old news about the utter evil and uselessness of
IP source routes and IEEE 802.3 collisions.  We'll be hearing about all
three for the next 50 years.  (From my poking around, it appears that more
than half of the Internet is now filtering all ICMP TTL-Exceeded, so the
damage done to `traceroute -g`, `ping -R`, and other things by filtering
IP source routes does not matter.)


      As attacks can come from many different sources, if a backbone can at
least log, if not ignore, strangely high traffic from a unique site (but
it cannot, again, prevent DDoS), we should at least diminish the risks
of suffering an attack.

Assuming there is an algorithmic definition of "strangely high
traffic from a unique site", how would a backbone and so Terabit/sec
router log anything about it?  Is it easy to define, detect, and
record state for streams if they are strangely high, and the reports
about the difficulties of maintaining state for "multimedia" and
similar buzzword streams do not apply?


Judging from their volume, the world needs a lot more documents about
network or computer security that are more repetitions of trade rag rumors
and security vendor marketing wishes than facts.  However, there's no
reason for the IETF to compete with the current publishers of such works.


Vernon Schryver    vjs(_at_)rhyolite(_dot_)com
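The two defensive measures this message discusses, dropping source-routed packets close to the hosts that mishandle them and spotting "strangely high traffic from a unique site", are shown below as an added example; it is not code from the thread or from any IETF project. The IPv4 option parser follows RFC 791 encoding (type, length, pointer, addresses; LSRR is type 131 and SSRR is type 137). The function names, the fixed-window counting in heavy_sources and the packets and flow records built inline are constructed for this illustration.

```python
import struct
from collections import defaultdict

# IPv4 option type codes from RFC 791 (the copied bit is part of the value).
EOOL = 0      # end of option list
NOP = 1       # no operation (padding)
LSRR = 131    # loose source and record route
SSRR = 137    # strict source and record route


def ipv4_options(packet: bytes):
    """Yield (option_type, option_data) for each option in an IPv4 header.

    Raises ValueError on a header that cannot be parsed completely; a
    filter treats that as a reason to drop, not to pass (fail closed).
    """
    if len(packet) < 20:
        raise ValueError("short IPv4 header")
    if packet[0] >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (packet[0] & 0x0F) * 4          # header length in bytes
    if ihl < 20 or len(packet) < ihl:
        raise ValueError("bad IHL")
    opts = packet[20:ihl]
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == EOOL:
            return
        if kind == NOP:
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("option length byte missing")
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError("bad option length")
        yield kind, bytes(opts[i + 2:i + length])
        i += length


def filter_decision(packet: bytes) -> str:
    """'drop' for source-routed or unparseable headers, otherwise 'pass'."""
    try:
        for kind, _ in ipv4_options(packet):
            if kind in (LSRR, SSRR):
                return "drop"
    except ValueError:
        return "drop"
    return "pass"


def build_ipv4(src: str, dst: str, options: bytes = b"", payload: bytes = b"") -> bytes:
    """Assemble a minimal IPv4 packet for the demo (checksum left as zero)."""
    padded = options + b"\x00" * (-len(options) % 4)   # options end on a 32-bit boundary
    ihl = 5 + len(padded) // 4
    total = ihl * 4 + len(payload)
    header = struct.pack("!BBHHHBBH4s4s",
                         (4 << 4) | ihl, 0, total, 0x1234, 0, 64, 6, 0,
                         bytes(map(int, src.split("."))),
                         bytes(map(int, dst.split("."))))
    return header + padded + payload


def lsrr_option(*hops: str) -> bytes:
    """Encode a loose source route option listing the given hop addresses."""
    addrs = b"".join(bytes(map(int, h.split("."))) for h in hops)
    return bytes([LSRR, 3 + len(addrs), 4]) + addrs   # pointer starts at offset 4


def heavy_sources(records, window: float, threshold: int):
    """Return the set of sources sending more than `threshold` packets in any
    fixed window of `window` seconds; `records` is an iterable of (time, src).
    Per-source counters are the only state kept, which is the point raised in
    the message: even this much state is costly at backbone rates.
    """
    counts = defaultdict(int)
    for ts, src in records:
        counts[(src, int(ts // window))] += 1
    return {src for (src, _), n in counts.items() if n > threshold}


if __name__ == "__main__":
    # Constructed sample packets and flow records (not real captures).
    plain = build_ipv4("192.0.2.1", "192.0.2.2")
    routed = build_ipv4("192.0.2.1", "192.0.2.2", lsrr_option("10.0.0.1"))
    print("plain:", filter_decision(plain), " lsrr:", filter_decision(routed))
    flows = [(i / 10, "192.0.2.7") for i in range(8)] + [(0.5, "198.51.100.3")]
    print("heavy:", heavy_sources(flows, window=1.0, threshold=5))
```

The parser deliberately stops at the first unparseable option and the filter drops the packet in that case, since a filter that passes what it cannot parse is exactly the kind of "broken host" behaviour the message complains about.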