improved synflood protection & detection

From: VaX#n8 (vaxat_private)
Date: Wed May 06 1998 - 03:54:37 PDT

    I came across some information that should prove useful to those
    trying to defend against (and conversely, those writing*)
    denial-of-service and other "attacks" which rely on not being able
    to reach certain IP addresses.
    
    Consulting
    <URL:ftp://ftp.isi.edu/in-notes/iana/assignments/ipv4-address-space>
    one finds that there are several classes of reserved addresses,
    distinct from the private addresses codified in the related RFCs:
    
    <URL:ftp://ftp.isi.edu/in-notes/rfc1918.txt>
    <URL:ftp://ftp.isi.edu/in-notes/rfc1627.txt>
    <URL:ftp://ftp.isi.edu/in-notes/rfc1597.txt>
    
    Furthermore, they are not mentioned in the CERT advisory
    <URL:http://www.cert.org/advisories/CA-96.21.tcp_syn_flooding.html>
    and thus bear mentioning.
    
    Notably, the following address blocks are reserved:
    
    064-095/8       IANA - Reserved                         Sep 81
    096-126/8       IANA - Reserved                         Sep 81
    213/8           IANA - Reserved                         Sep 81
    217/8           IANA - Reserved                         Sep 81
    218-223/8       IANA - Reserved                         Sep 81
    240-255/8       IANA - Reserved                         Sep 81
    
    The following blocks are assigned to the IANA and often
    have special meanings:
    
    000/8           IANA                                    Sep 81
    001/8           IANA                                    Sep 81
    002/8           IANA                                    Sep 81
    005/8           IANA                                    Jul 95
    007/8           IANA                                    Apr 95
    010/8           IANA - Private Use                      Jun 95
    014/8           IANA - Public Data Network              Jun 91
    023/8           IANA                                    Jul 95
    024/8           IANA - Cable Block                      Jul 95
    027/8           IANA                                    Apr 95
    037/8           IANA                                    Apr 95
    039/8           IANA                                    Apr 95
    041/8           IANA                                    May 95
    042/8           IANA                                    Jul 95
    049/8           Joint Technical Command                 May 94
                    Returned to IANA                        Mar 98
    050/8           Joint Technical Command                 May 94
                    Returned to IANA                        Mar 98
    058/8           IANA                                    Sep 81
    059/8           IANA                                    Sep 81
    060/8           IANA                                    Sep 81
    127/8           IANA                                    Sep 81
    224-239/8       IANA - Multicast                        Sep 81
    
    Many if not all of the addresses in the above blocks are unused.
    Affording ingress to TCP packets to which you cannot respond
    seems pointless and a bit temerarious.
    It may be worthwhile to generate a list of all address blocks not
    recently routed and construct a filter based on those.
    It may also be useful to log these packets for auditing, so
    you can detect if the status of a block changes.
    
    [*] Information is a double-edged sword.  Wield two.
    --
    VaX#n8, League of Non-aligned Wizards
    ``The most terrible intelligence imaginable''
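
The filter and audit log the post recommends, as an added example that is not code from the original message: it parses the first column of the tables quoted above into summarised CIDR prefixes, matches the source address of some constructed SYN log lines against them, and renders LOG-then-DROP rules (iptables is an assumed deployment target; the post names no tool). The block data is the post's May 1998 snapshot, and most of those /8s have since been allocated, so the list must be regenerated from the current IANA registry before anything like this is deployed.

```python
"""Ingress filter for unrouted/reserved IPv4 space, built from the IANA table
quoted in the post.  Added example, not code from the original message.
The block list is the post's May-1998 snapshot: most of those /8s (64/8,
96/8, 213/8, ...) have long since been allocated, so a real filter must be
regenerated from the current IANA registry before use."""
import ipaddress
import re
from typing import Dict, List, Optional

# First column of the post's two tables (a subset, copied as printed).
# Continuation rows such as "Returned to IANA" carry no prefix and are
# skipped by the parser.
IANA_TABLE_1998 = """\
064-095/8       IANA - Reserved                         Sep 81
096-126/8       IANA - Reserved                         Sep 81
213/8           IANA - Reserved                         Sep 81
217/8           IANA - Reserved                         Sep 81
218-223/8       IANA - Reserved                         Sep 81
240-255/8       IANA - Reserved                         Sep 81
000/8           IANA                                    Sep 81
010/8           IANA - Private Use                      Jun 95
049/8           Joint Technical Command                 May 94
                Returned to IANA                        Mar 98
127/8           IANA                                    Sep 81
224-239/8       IANA - Multicast                        Sep 81
"""

_ROW = re.compile(r"^(\d{1,3})(?:-(\d{1,3}))?/(\d{1,2})\s")


def parse_blocks(table: str) -> List[ipaddress.IPv4Network]:
    """Expand 'a-b/8' rows into one /8 per first octet, then summarise
    adjacent networks into the fewest CIDR prefixes that cover them."""
    nets = []
    for line in table.splitlines():
        m = _ROW.match(line)
        if not m:
            continue
        lo, hi, plen = int(m.group(1)), int(m.group(2) or m.group(1)), int(m.group(3))
        if plen != 8:
            raise ValueError("table only lists /8 rows: %r" % line)
        for octet in range(lo, hi + 1):
            nets.append(ipaddress.IPv4Network("%d.0.0.0/8" % octet))
    return list(ipaddress.collapse_addresses(nets))


def unroutable_block(src: str, blocks: List[ipaddress.IPv4Network]) -> Optional[ipaddress.IPv4Network]:
    """Return the filtered prefix containing src, or None if src is routable."""
    addr = ipaddress.IPv4Address(src)
    for net in blocks:
        if addr in net:
            return net
    return None


# Constructed packet-filter log lines in syslog style; not from the post.
SAMPLE_LOG = """\
May  6 03:54:37 gw kernel: SYN 64.12.3.4:1025 -> 192.0.2.10:80
May  6 03:54:38 gw kernel: SYN 198.51.100.7:40001 -> 192.0.2.10:80
May  6 03:54:38 gw kernel: SYN 240.1.1.1:2000 -> 192.0.2.10:25
May  6 03:54:39 gw kernel: SYN 10.0.0.9:3000 -> 192.0.2.10:25
May  6 03:54:39 gw kernel: SYN 203.0.113.5:51000 -> 192.0.2.10:443
"""

_SYN = re.compile(r"SYN (\d+\.\d+\.\d+\.\d+):\d+ -> ")


def audit_syns(log: str, blocks: List[ipaddress.IPv4Network]) -> Dict[str, List[str]]:
    """Map each matched prefix (as text) to the source addresses seen in it.
    A prefix that suddenly starts producing SYNs is the 'status of a block
    changes' signal the post suggests watching for."""
    hits: Dict[str, List[str]] = {}
    for line in log.splitlines():
        m = _SYN.search(line)
        if not m:
            continue
        net = unroutable_block(m.group(1), blocks)
        if net is not None:
            hits.setdefault(str(net), []).append(m.group(1))
    return hits


def iptables_rules(blocks: List[ipaddress.IPv4Network]) -> List[str]:
    """Render LOG-then-DROP rules for inbound SYNs from each prefix.
    iptables is the assumed target; the post prescribes no particular tool."""
    rules = []
    for net in blocks:
        rules.append('iptables -A INPUT -p tcp --syn -s %s -j LOG --log-prefix "bogon-syn: "' % net)
        rules.append("iptables -A INPUT -p tcp --syn -s %s -j DROP" % net)
    return rules


if __name__ == "__main__":
    blocks = parse_blocks(IANA_TABLE_1998)
    print("filter covers %d prefixes" % len(blocks))
    for block, srcs in sorted(audit_syns(SAMPLE_LOG, blocks).items()):
        print("%-16s %d SYN(s): %s" % (block, len(srcs), ", ".join(srcs)))
    print("\n".join(iptables_rules(blocks)))
```

Note that summarisation is aggressive by design: because 64-95/8, 96-126/8 and 127/8 are contiguous, the quoted table collapses into a single 64.0.0.0/2, which is exactly why a filter built from a stale snapshot silently blocks legitimately allocated space later; the audit map is what tells you a prefix has started to carry real traffic.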
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:52:30 PDT