New Denial of Service Attack on Panix

Dima Volodin dvv at sprint.net
Wed Oct 2 21:51:34 UTC 1996


Well, my understanding of your idea was that you proposed to detect SYN
packets with unroutable src addresses before they hit the SYN_RCVD
queue. The only way to deem them unroutable is to observe
ICMP_UNREACHs hitting the box in large numbers. Now my first paragraph
just means that an SRC address might be a perfectly routable one without
its being real - an unused address on an ethernet segment is enough for
the attack. Or thousands of them for an untraceable attack.


Dima

Tim Bass writes:
> 
> > 
> > It will, except that a slight modification of the attack (using IP
> > addresses that _don't_ produce ICMP_UNREACH) will get us back to square
> > one.
> > 
> > Anyway, filtering packets with SRC addresses known to generate
> > ICMP_UNREACH at the earliest possible stage might be a good idea.
> 
> I understand paragraph two, but about paragraph 1....
> 
> When I ran the TCP SYN attack using routable source addresses,
> before I patched my attack kernel to allow Spoofers, I
> literally beat-to-death a server on the same subnet and
> the attack had no effect.
> 
> However, when I hacked the kernel to allow spoofed addresses,
> the attack was severe and immediate.  So, from my tests,
> the attack is only successful when the bogus source address
> is UNREACHABLE (which is a defense in the non-random
> attack).
> 
> For clarity, the attack only works when the IP source address
> is UNREACHABLE, this has been my observation here in the lab using
> a source address from my net (however I haven't confirmed this
> with a good source address in another domain but I will...)
> 
> 
> 
> Tim
> 
> 
> > 
> > > Tim
> > 
> > Dima
> > 
> 
> 

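A small simulation of the three cases argued over in this exchange, added here as an example and not code from the thread or from either poster: a spoofed source that is a live host (it answers the server's SYN-ACK with a RST, so the half-open entry is torn down, which is what Tim saw on his subnet), a source that has no route (the SYN-ACK draws an ICMP unreachable, which Dima's early-drop detector can count), and a routable but unused address (nothing ever comes back, so the entry sits in the SYN_RCVD queue until the timer gives up). The backlog size, hold timer, detector threshold, addresses, traffic, and the assumption that an ICMP unreachable does not by itself tear down a SYN_RCVD entry are all constructed for illustration.

```python
"""Toy model of a listener's half-open (SYN_RCVD) queue under a SYN flood.

Added example, not code from the NANOG thread. Everything here (addresses,
backlog, timers, the detector threshold) is constructed for illustration.
"""
from collections import Counter

BACKLOG = 8          # half-open slots behind the listening socket (constructed)
HOLD_TICKS = 75      # ticks an unanswered SYN_RCVD entry is kept (constructed)
ICMP_THRESHOLD = 3   # ICMP unreachables from one source before its SYNs are dropped

# Constructed topology: what comes back when the server's SYN-ACK goes to src.
#   "live"         a real host that sent no SYN; it answers with RST
#   "unreachable"  no route to src; a router answers with ICMP unreachable
#   "silent"       routable but unused address; the SYN-ACK is never answered
NETWORK = {
    "10.1.1.5": "live",
    "192.0.2.9": "unreachable",
    "10.1.1.200": "silent",
}


def simulate(syns, network, ticks, backlog=BACKLOG, hold=HOLD_TICKS,
             threshold=ICMP_THRESHOLD):
    """Run the listener for `ticks` ticks over `syns`, a list of (tick, src).

    Returns a dict with:
      peak          deepest the half-open queue got
      rst_freed     entries released at once because src answered with RST
      filtered      SYNs dropped before queueing by the ICMP-unreachable detector
      dropped_full  SYNs refused because the queue was full (what real clients see)
      expired       entries that timed out without any reply
    """
    queue = []                # list of (src, expiry_tick); one entry per SYN
    icmp_seen = Counter()     # detector state: ICMP unreachables per source
    stats = Counter()
    arrivals = {}
    for t, src in syns:
        arrivals.setdefault(t, []).append(src)

    for t in range(ticks):
        # Retransmit timer gave up: release entries that never got a reply.
        expired = [e for e in queue if e[1] <= t]
        queue = [e for e in queue if e[1] > t]
        stats["expired"] += len(expired)

        for src in arrivals.get(t, []):
            if icmp_seen[src] >= threshold:
                stats["filtered"] += 1      # early drop of a known-unreachable source
                continue
            if len(queue) >= backlog:
                stats["dropped_full"] += 1  # the denial of service itself
                continue
            kind = network.get(src, "silent")
            if kind == "live":
                # The owner of src never sent a SYN, so it RSTs our SYN-ACK and
                # the entry is torn down before it can hold a slot.
                stats["rst_freed"] += 1
                continue
            queue.append((src, t + hold))
            if kind == "unreachable":
                # Assumption: the stack records the ICMP unreachable as a soft
                # error and keeps the SYN_RCVD entry; only the detector acts on it.
                icmp_seen[src] += 1
        stats["peak"] = max(stats["peak"], len(queue))
    return dict(stats)


def flood(src, count, start=0):
    """One SYN per tick from a single spoofed source (constructed traffic)."""
    return [(start + i, src) for i in range(count)]


def scenario_live():
    """Tim's lab case: the spoofed src is a live host on the same subnet."""
    return simulate(flood("10.1.1.5", 50), NETWORK, 100)


def scenario_unreachable():
    """Spoofed src draws ICMP unreachables; the detector kicks in."""
    return simulate(flood("192.0.2.9", 50), NETWORK, 100)


def scenario_silent():
    """Dima's case: routable but unused address, no reply at all."""
    return simulate(flood("10.1.1.200", 50), NETWORK, 100)


def scenario_many_unreachable():
    """Dima's 'thousands of them': every source stays under the threshold."""
    net = {f"192.0.2.{i}": "unreachable" for i in range(1, 51)}
    syns = [(i - 1, f"192.0.2.{i}") for i in range(1, 51)]
    return simulate(syns, net, 100)


if __name__ == "__main__":
    for name, fn in [("live", scenario_live), ("unreachable", scenario_unreachable),
                     ("silent", scenario_silent),
                     ("many unreachable", scenario_many_unreachable)]:
        print(f"{name:17s} {fn()}")
```

With one live spoofed source the queue never fills, which matches Tim's observation; with one unreachable source the detector cuts the flood off after a few ICMP unreachables; with a silent, routable source the backlog fills and every later SYN is refused, and spreading the flood over many unreachable sources (each under the threshold) defeats the detector just as thoroughly, which is the point of the reply above.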