Re: DoS

From: Robert Martin (rmartin@private)
Date: Wed Nov 07 2001 - 10:07:50 PST


    Adding a line to the FORWARD chain in ipchains/iptables is an easy way 
    to stop this problem for boxes that act as routers. This may help solve 
    the problem on non-ISP networks such as college campuses.
    
    rob
    
    On Tuesday, November 6, 2001, at 08:14 AM, Heidi wrote:
    
    >
    > Thank you Crispin,
    >
    > If this is the case, then perhaps all ISPs should be required to filter
    > outbound datagrams that have source addresses corresponding to external
    > networks.  Thanks for the info....Heidi
    >
    > -----Original Message-----
    > From: Crispin Cowan [mailto:crispin@private]
    > Sent: Wednesday, November 07, 2001 2:49 AM
    > To: Heidi
    > Cc: CRIME
    > Subject: Re: DoS
    >
    >
    > Heidi wrote:
    >
    >> This sounds like what I was discussing about stopping the attack 
    >> before it
    >> reaches the intended target.  Heidi
    >>
    >>
    >> Projects Agency (DARPA), security technology firm Cs3 is looking at the
    >> concept of reverse firewalling, or keeping the flood of data from a DoS
    >> attack dammed up at the source.  The Reverse Firewall works by 
    >> filtering
    >> the outgoing packets from a network. The difference between a 
    >> legitimate
    >> application that uses high bandwidth and a packet flooding attack is
    >> that, in the former case, the machine at the other end of the
    >> conversation is participating in a two-way conversation. In the case of
    >> a DoS attack, the exchange is one sided.  (Source: Vnunet, 6 November)
    >>
    > ISPs are already capable of stopping DoS attacks in a similar fashion:
    > it is called "egress filtering."  It works thusly:
    >
    >     * DoS zombies invariably spoof the source IP address.  If they did
    >       not, they would be very easy to trace and shut down.
    >     * An ISP's border router can detect spoofed source IP addresses,
    >       because the router will see packets appearing on the "inside"
    >       interface with IP addresses that belong to the "outside." Most
    >       modern routers (pretty much all modern routers) are capable of
    >       being configured to drop such packets.
    >     * The main barrier to this defense is:
    >           * ISPs who cannot be bothered to police their own networks
    >           * hosts on non-ISP networks, i.e. college campuses
    >
    > I see very little advantage to the Cs3 scheme described above. The
    > primary advantage (which they do not discuss) would be if configuration
    > management was somehow easier in the Cs3 scheme.  This is plausible, as
    > the Cs3 machine need not be configured to know what the "inside" and
    > "outside" address ranges should be. However, this is a pretty marginal
    > advantage, because:
    >
    >     * border routers need to know the "inside" and "outside" address
    >       ranges anyways
    >     * an ISP that cannot be bothered to police their own networks when
    >       it is easy is not very likely to buy a new product to police their
    >       own network
    >
    > Crispin
    >
    > --
    > Crispin Cowan, Ph.D.
    > Chief Scientist, WireX Communications, Inc. http://wirex.com
    > Security Hardened Linux Distribution:       http://immunix.org
    > Available for purchase: http://wirex.com/Products/Immunix/purchase.html
    >
    >
    >
    >
    

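The egress-filtering rule Crispin describes, and the FORWARD-chain line Rob suggests, reduce to one decision per packet: a packet arriving on the "inside" interface with a source address that does not belong to the inside ranges is spoofed and should be dropped (and symmetrically for inside addresses arriving from outside). The following is an added example, not code from the thread: it runs that decision over a few constructed packet records and prints the iptables FORWARD-chain rules that enforce it on a Linux router. The interface names (eth0/eth1) and address ranges (RFC 5737 documentation prefixes) are assumptions.

```python
"""Anti-spoofing (egress/ingress) check for a router, with the iptables
rules that enforce it.  Added example; interface names and address
ranges are constructed, not taken from the mailing-list thread."""
import ipaddress

INSIDE_IF = "eth1"    # assumed: interface facing the campus / customer LAN
OUTSIDE_IF = "eth0"   # assumed: interface facing the upstream ISP
INSIDE_NETS = [       # constructed: prefixes legitimately routed "inside"
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("198.51.100.0/25"),
]


def is_inside(addr: str) -> bool:
    """True if addr falls in one of the inside prefixes."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INSIDE_NETS)


def classify(in_if: str, src: str) -> str:
    """What a FORWARD rule should do with a packet, given the interface it
    arrived on and its source address."""
    if in_if == INSIDE_IF and not is_inside(src):
        return "drop-spoofed-egress"   # inside host claiming an outside source
    if in_if == OUTSIDE_IF and is_inside(src):
        return "drop-spoofed-ingress"  # outside host claiming one of our addresses
    return "accept"


# constructed sample: "<in-interface> <src> <dst>" per line
SAMPLE_LOG = """\
eth1 192.0.2.10 203.0.113.5
eth1 203.0.113.9 192.0.2.10
eth0 203.0.113.5 192.0.2.10
eth0 198.51.100.7 192.0.2.10
"""


def audit(log: str) -> dict:
    """Count how each record in the log would be treated."""
    counts = {"accept": 0, "drop-spoofed-egress": 0, "drop-spoofed-ingress": 0}
    for line in log.splitlines():
        if not line.strip():
            continue
        in_if, src, _dst = line.split()
        counts[classify(in_if, src)] += 1
    return counts


def iptables_rules() -> list:
    """iptables commands implementing classify() in the FORWARD chain.
    Inside-sourced traffic from the inside interface RETURNs to FORWARD;
    everything else from that interface is logged (rate-limited) and dropped."""
    rules = [
        "iptables -N EGRESS",
        f"iptables -A FORWARD -i {INSIDE_IF} -j EGRESS",
    ]
    for net in INSIDE_NETS:
        rules.append(f"iptables -A EGRESS -s {net} -j RETURN")
    rules += [
        'iptables -A EGRESS -m limit --limit 5/min -j LOG --log-prefix "SPOOFED-EGRESS: "',
        "iptables -A EGRESS -j DROP",
    ]
    # ingress side: our own prefixes must never arrive from the outside
    for net in INSIDE_NETS:
        rules.append(f"iptables -A FORWARD -i {OUTSIDE_IF} -s {net} -j DROP")
    return rules


if __name__ == "__main__":
    print(audit(SAMPLE_LOG))
    print("\n".join(iptables_rules()))
```

The user-defined EGRESS chain is used rather than a single `! -s` match because a site with several inside prefixes needs one RETURN per prefix before the final DROP; the LOG rule gives operators a way to find the spoofing host, which is the whole point Crispin makes about tracing.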


    This archive was generated by hypermail 2b30 : Sun May 26 2002 - 11:30:25 PDT