RE: DoS

From: Heidi (mcps@private)
Date: Tue Nov 06 2001 - 08:14:39 PST


    Thank you Crispin,
    
    If this is the case, then perhaps all ISPs should be required to filter
    outbound datagrams that have source addresses corresponding to external
    networks.  Thanks for the info....Heidi
    
    -----Original Message-----
    From: Crispin Cowan [mailto:crispin@private]
    Sent: Wednesday, November 07, 2001 2:49 AM
    To: Heidi
    Cc: CRIME
    Subject: Re: DoS
    
    
    Heidi wrote:
    
    >This sounds like what I was discussing about stopping the attack before it
    >reaches the intended target.  Heidi
    >
    >
    >Projects Agency (DARPA), security technology firm Cs3 is looking at the
    >concept of reverse firewalling, or keeping the flood of data from a DoS
    >attack dammed up at the source.  The Reverse Firewall works by filtering
    >the outgoing packets from a network. The difference between a legitimate
    >application that uses high bandwidth and a packet flooding attack is
    >that, in the former case, the machine at the other end of the
    >conversation is participating in a two-way conversation. In the case of
    >a DoS attack, the exchange is one sided.  (Source: Vnunet, 6 November)
    >
    ISPs are already capable of stopping DoS attacks in a similar fashion:
    it is called "egress filtering."  It works thusly:
    
        * DoS zombies invariably spoof the source IP address.  If they did
          not, they would be very easy to trace and shut down.
        * An ISP's border router can detect spoofed source IP addresses,
          because the router will see packets appearing on the "inside"
          interface with IP addresses that belong to the "outside." Most
          modern routers (pretty much all modern routers) are capable of
          being configured to drop such packets.
        * The main barrier to this defense is:
              * ISPs who cannot be bothered to police their own networks
              * hosts on non-ISP networks, i.e. college campuses
    
    I see very little advantage to the Cs3 scheme described above. The
    primary advantage (which they do not discuss) would be if configuration
    management was somehow easier in the Cs3 scheme.  This is plausible, as
    the Cs3 machine need not be configured to know what the "inside" and
    "outside" address ranges should be. However, this is a pretty marginal
    advantage, because:
    
        * border routers need to know the "inside" and "outside" address
          ranges anyways
        * an ISP that cannot be bothered to police their own networks when
          it is easy is not very likely to buy a new product to police their
          own network
    
    Crispin
    
    --
    Crispin Cowan, Ph.D.
    Chief Scientist, WireX Communications, Inc. http://wirex.com
    Security Hardened Linux Distribution:       http://immunix.org
    Available for purchase: http://wirex.com/Products/Immunix/purchase.html
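The two mechanisms discussed above, the border-router egress/ingress filter Crispin describes and the one-sided-flow heuristic attributed to the Cs3 reverse firewall, as an added simulation in Python (example code, not anything from the thread, WireX, or Cs3). The inside prefixes, the packet tuples, the `min_out` / `max_ratio` thresholds, and the function and class names are all constructed for illustration:

```python
"""Simulated BCP 38 style egress filter and a one-sided-flow monitor.

Added example, not code from the original thread.  Everything below
(prefixes, packets, thresholds, names) is constructed for illustration.
"""
import ipaddress
from collections import defaultdict

# Constructed: the address space the ISP routes for its own customers.
INSIDE_PREFIXES = [ipaddress.ip_network(p)
                   for p in ("192.0.2.0/24", "198.51.100.0/24")]


def _is_inside(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INSIDE_PREFIXES)


def egress_verdict(iface: str, src: str) -> str:
    """Border-router decision for a single packet.

    iface is "inside" (arrived from customers, heading out) or "outside"
    (arrived from the Internet, heading in).  A packet leaving the network
    must carry an inside source; a packet entering must not claim one.
    Anything else has a spoofed source and is dropped.
    """
    inside_src = _is_inside(src)
    if iface == "inside" and not inside_src:
        return "drop"      # customer host spoofing an external source
    if iface == "outside" and inside_src:
        return "drop"      # external host spoofing one of our addresses
    return "forward"


class OneSidedFlowMonitor:
    """Reverse-firewall style check: flag outbound flows that get no replies.

    Flows are keyed on (inside host, remote host).  A legitimate bulk
    transfer sees packets in both directions; a flood is one sided.
    """

    def __init__(self, min_out: int = 100, max_ratio: float = 0.01):
        self.out = defaultdict(int)    # packets inside -> remote
        self.back = defaultdict(int)   # packets remote -> inside
        self.min_out = min_out         # ignore tiny flows
        self.max_ratio = max_ratio     # replies/outbound at or below this is suspect

    def observe(self, src: str, dst: str, direction: str) -> None:
        if direction == "out":
            self.out[(src, dst)] += 1
        else:
            # reply travelling inward: re-key so it matches the outbound flow
            self.back[(dst, src)] += 1

    def suspicious(self):
        hits = []
        for key, n_out in self.out.items():
            n_back = self.back.get(key, 0)
            if n_out >= self.min_out and n_back / n_out <= self.max_ratio:
                hits.append(key)
        return sorted(hits)


def demo():
    # Constructed packets: (interface seen on, source address)
    packets = [
        ("inside", "192.0.2.10"),     # legitimate customer traffic leaving
        ("inside", "203.0.113.7"),    # spoofed: external source on inside iface
        ("outside", "203.0.113.7"),   # legitimate inbound
        ("outside", "198.51.100.5"),  # spoofed: our own address arriving from outside
    ]
    verdicts = [egress_verdict(i, s) for i, s in packets]

    mon = OneSidedFlowMonitor()
    # Constructed flows: a two-way download and a one-way flood.
    for _ in range(500):
        mon.observe("192.0.2.10", "203.0.113.7", "out")
    for _ in range(480):
        mon.observe("203.0.113.7", "192.0.2.10", "in")
    for _ in range(2000):
        mon.observe("192.0.2.20", "203.0.113.9", "out")
    return verdicts, mon.suspicious()


if __name__ == "__main__":
    v, s = demo()
    print("verdicts:", v)
    print("one-sided flows:", s)
```

The address check needs the same inside/outside knowledge Crispin says a border router already has; on real equipment it is an interface ACL or unicast reverse-path forwarding rather than Python. The flow monitor needs no prefix configuration at all, which is exactly the configuration-management advantage he grants the Cs3 scheme, at the cost of tracking per-flow state and of false positives on legitimately one-directional traffic such as UDP streaming.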
    



    This archive was generated by hypermail 2b30 : Sun May 26 2002 - 11:30:18 PDT