North American Network Operators Group
Re: New form of packet attack named Stream
- From: Pat Myrto
- Date: Fri Jan 21 16:14:01 2000
Alex P. Rudnev has declared that:
> > > e-mail me asking for the code.
> > Actually, you provided enough details, so any unix guy who knows
> > his sockets can write the program in fifteen minutes.
> > This type of attack was known for a long time (and there are even
> > nastier variations using TCP header bits and fragments), and, unfortunately,
> > there's no good defense against it.
> There is one base rule - you (OS) MUST limit resources (CPU, MEMORY, buffers,
> sockets, etc) caught by any SINGLE origin (IP address, program, service).
> Such an approach breaks just about any DoS attack except a few - for example, if you try
> to exhaust memory attacking a single service, then (1) the service can't catch all
> memory because it's a SINGLE origin, and (2) one SRC address can't catch many
> resources because it's a SINGLE origin, and (3) you can't generate too many
> different addresses in case of reverse-filtering.
Any ideas/suggestions for hacks to the kernel, etc. (i.e., FreeBSD, Linux, etc.)
to impose such limits (configurable by admin, preferably)? Especially
in the CPU usage and memory areas (perhaps sockets/handles, too).
One can limit handles, memory, etc. for a given user process, but I haven't
seen any such ability that would affect the TCP stack directly (the load
of many of these attacks does not launch or run user-mode code - it just
eats up all the CPU and/or memory).
This idea sounds like one of the potentially more viable approaches. While
this would not solve issues of saturating upstream links that can't handle the
volume, it WOULD help a lot to enable targeted machines/servers to weather
Routers - that's something the vendors should think about looking into.
> > The core routers are indeed vulnerable; is there any router
> > which has an access list for restricting packet flow to the routing processor?
> > (My knowledge of latest-and-greatest features from OFRV is somewhat outdated).
> > I toyed with the idea of reverse-path verification coupled with
> > some kind of super-squelch message; but so far all such schemes have
> > holes in them. DoS attacks are a real scourge.
> > --vadim
> Aleksei Roudnev,
> (+1 415) 585-3489 /San Francisco CA/
#include <std.disclaimer.h> Pat Myrto (pat at rwing dot ORG) Seattle WA
How government differs from every other agency in society: The others
persuade; government compels. Government is the only entity where the use
of force - including deadly force - to achieve an end is OK. This is why
govt pushes so hard for a monopoly on the means of coercive force.
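As an added illustration of the per-origin limit rule quoted in this message (the code is not from the thread or any of its authors; the pool size, the per-source and per-service caps, the addresses and the service names are all constructed), a small simulation of a kernel buffer pool that charges every allocation to both its source address and its service, so one flooding source can only fill its own quota:

```python
from collections import Counter

# Constructed illustration of the per-origin limit rule from the thread:
# every single origin (a source address, a service) may hold at most a
# bounded share of a global pool, so a flood from one source fills only
# its own quota and the rest of the pool stays available to others.

class OriginLimitedPool:
    """Global buffer pool with a cap per source address and per service."""

    def __init__(self, total, per_source, per_service):
        self.total, self.per_source, self.per_service = total, per_source, per_service
        self.by_source, self.by_service = Counter(), Counter()
        self.used = 0
        self.rejected = Counter()  # rejection reason -> count

    def admit(self, src, service):
        """Charge one buffer to (src, service) unless a limit would be exceeded."""
        if self.used >= self.total:
            self.rejected["pool"] += 1
            return False
        if self.by_source[src] >= self.per_source:
            self.rejected["source"] += 1
            return False
        if self.by_service[service] >= self.per_service:
            self.rejected["service"] += 1
            return False
        self.by_source[src] += 1
        self.by_service[service] += 1
        self.used += 1
        return True

def simulate(requests, total=100, per_source=5, per_service=60):
    """Run (src, service) requests through a pool; return admits per source and the pool."""
    pool = OriginLimitedPool(total, per_source, per_service)
    admitted = Counter()
    for src, service in requests:
        if pool.admit(src, service):
            admitted[src] += 1
    return admitted, pool

# Constructed traffic: 500 half-open connections from one attacker address
# against "http", plus a few ordinary clients on "http" and "smtp".
FLOOD = [("10.0.0.66", "http")] * 500
CLIENTS = [("192.0.2.1", "http"), ("192.0.2.2", "http"), ("192.0.2.3", "smtp")] * 3

if __name__ == "__main__":
    admitted, pool = simulate(FLOOD + CLIENTS)
    print(dict(admitted), pool.used, dict(pool.rejected))
```

Running `simulate` with the per-source cap raised to the pool size shows the contrast the message describes: the flood then takes all 100 buffers and every ordinary client is refused.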