Adding a line to the FORWARD chain in ipchains/iptables is an easy way to stop this problem for boxes that act as routers. This may help solve the problem on non-ISP networks such as college campuses.

rob

On Tuesday, November 6, 2001, at 08:14 AM, Heidi wrote:

>
> Thank you Crispin,
>
> If this is the case, then perhaps all ISPs should be required to filter
> outbound datagrams that have source addresses corresponding to external
> networks. Thanks for the info....Heidi
>
> -----Original Message-----
> From: Crispin Cowan [mailto:crispin@private]
> Sent: Wednesday, November 07, 2001 2:49 AM
> To: Heidi
> Cc: CRIME
> Subject: Re: DoS
>
>
> Heidi wrote:
>
>> This sounds like what I was discussing about stopping the attack
>> before it reaches the intended target. Heidi
>>
>>
>> Projects Agency (DARPA), security technology firm Cs3 is looking at the
>> concept of reverse firewalling, or keeping the flood of data from a DoS
>> attack dammed up at the source. The Reverse Firewall works by filtering
>> the outgoing packets from a network. The difference between a legitimate
>> application that uses high bandwidth and a packet flooding attack is
>> that, in the former case, the machine at the other end of the
>> conversation is participating in a two-way conversation. In the case of
>> a DoS attack, the exchange is one-sided. (Source: Vnunet, 6 November)
>>
> ISPs are already capable of stopping DoS attacks in a similar fashion:
> it is called "egress filtering." It works thusly:
>
>   * DoS zombies invariably spoof the source IP address. If they did
>     not, they would be very easy to trace and shut down.
>   * An ISP's border router can detect spoofed source IP addresses,
>     because the router will see packets appearing on the "inside"
>     interface with IP addresses that belong to the "outside." Most
>     modern routers (pretty much all modern routers) are capable of
>     being configured to drop such packets.
>   * The main barrier to this defense is:
>       * ISPs who cannot be bothered to police their own networks
>       * hosts on non-ISP networks, i.e. college campuses
>
> I see very little advantage to the Cs3 scheme described above. The
> primary advantage (which they do not discuss) would be if configuration
> management was somehow easier in the Cs3 scheme. This is plausible, as
> the Cs3 machine need not be configured to know what the "inside" and
> "outside" address ranges should be. However, this is a pretty marginal
> advantage, because:
>
>   * border routers need to know the "inside" and "outside" address
>     ranges anyways
>   * an ISP that cannot be bothered to police their own networks when
>     it is easy is not very likely to buy a new product to police their
>     own network
>
> Crispin
>
> --
> Crispin Cowan, Ph.D.
> Chief Scientist, WireX Communications, Inc. http://wirex.com
> Security Hardened Linux Distribution: http://immunix.org
> Available for purchase: http://wirex.com/Products/Immunix/purchase.html
>
>
>
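The egress filter Crispin describes and the FORWARD-chain rule rob mentions, as an added example that is not part of the original thread. It models the border-router decision (a packet arriving on the "inside" interface with a source address that belongs to the "outside" is dropped) and renders the equivalent iptables rules. The interface names eth1/eth0, the inside prefix 192.0.2.0/24 and the sample packets are all constructed for illustration.

```python
"""Egress (anti-spoofing) filter model for a border router.

Added example, not code from the original thread. Constructed
assumptions: inside interface eth1, outside interface eth0, and a
single inside prefix 192.0.2.0/24 (a documentation range).
"""
import ipaddress
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Tuple

INSIDE_IF = "eth1"    # assumed: interface facing the ISP's own customers
OUTSIDE_IF = "eth0"   # assumed: interface facing the rest of the Internet
INSIDE_PREFIXES = [ipaddress.ip_network("192.0.2.0/24")]  # assumed


@dataclass(frozen=True)
class Packet:
    in_iface: str   # interface the packet arrived on
    src: str        # source IP address as written in the header
    dst: str


def is_inside_address(addr: str) -> bool:
    """True if addr belongs to one of the network's own prefixes."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INSIDE_PREFIXES)


def egress_verdict(pkt: Packet) -> str:
    """The egress-filter decision Crispin describes.

    A packet seen on the inside interface whose source address is not
    one of ours cannot have been legitimately originated here, so it is
    dropped. Traffic on the outside interface is not judged by this rule.
    Caveat: a zombie spoofing an address that is inside our own prefix
    passes this check; egress filtering limits spoofing to the local
    range, it does not eliminate it.
    """
    if pkt.in_iface == INSIDE_IF and not is_inside_address(pkt.src):
        return "DROP"
    return "ACCEPT"


def iptables_rules() -> List[str]:
    """Render the rule rob refers to as iptables FORWARD-chain commands.

    One ACCEPT per legitimate inside prefix, then a LOG (so dropped
    spoofs are visible to the operator) and a catch-all DROP for
    anything else forwarded from the inside interface.
    """
    rules = [
        f"iptables -A FORWARD -i {INSIDE_IF} -s {net} -j ACCEPT"
        for net in INSIDE_PREFIXES
    ]
    rules.append(
        f'iptables -A FORWARD -i {INSIDE_IF} -j LOG --log-prefix "egress-spoof: "'
    )
    rules.append(f"iptables -A FORWARD -i {INSIDE_IF} -j DROP")
    return rules


# Constructed sample traffic as the router would see it.
SAMPLE_PACKETS = [
    Packet("eth1", "192.0.2.10", "198.51.100.5"),    # legitimate customer traffic
    Packet("eth1", "192.0.2.77", "203.0.113.9"),     # legitimate customer traffic
    Packet("eth1", "203.0.113.7", "198.51.100.5"),   # spoofed source on inside interface
    Packet("eth0", "203.0.113.7", "192.0.2.10"),     # inbound from outside, not judged here
]


def filter_traffic(packets: List[Packet]) -> List[Tuple[Packet, str]]:
    """Apply the egress verdict to each packet."""
    return [(p, egress_verdict(p)) for p in packets]


def verdict_counts(packets: List[Packet]) -> Dict[str, int]:
    """Summarise how many packets were accepted and dropped."""
    return dict(Counter(v for _, v in filter_traffic(packets)))


if __name__ == "__main__":
    for pkt, verdict in filter_traffic(SAMPLE_PACKETS):
        print(f"{verdict:6} {pkt.in_iface} src={pkt.src} dst={pkt.dst}")
    print(verdict_counts(SAMPLE_PACKETS))
    print("\n".join(iptables_rules()))
```

The ACCEPT-list-then-DROP layout is what makes the rule usable on a router with several inside prefixes; with a single prefix the same effect is one rule with a negated source match. The LOG rule is there for the operator rather than the filter: a steady stream of "egress-spoof" entries is the signal that a host on the inside is participating in a flood.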
This archive was generated by hypermail 2b30 : Sun May 26 2002 - 11:30:25 PDT