North American Network Operators Group


Re: SYN floods

  • From: Michael Dillon
  • Date: Tue Sep 17 17:23:07 1996

On Tue, 17 Sep 1996, Kent W. England wrote:

> >the attacks involving either a SYN proxy or a machine feeding RST's. These
> >technical details belong on the firewalls list because the people on that
> >list work with building DEFENSIVE mechanisms.
> 
> Except that what we need are routers implementing traffic filtering on
> ISP input ports rather than firewalls defending customer premises from attacks
> coming from the ISPs. 

We need both.

> I think we are dealing with two different markets and two different
> groups of people. I don't think that ISPs will protect themselves from
> this denial of service attack with firewalls. This is a router
> requirement. 

Whether you put the firewall capability in a router or a separate box does
not matter. The firewalls list is for people who want to talk about
different defensive strategies and how to implement them.

> The most important point is that if we all decide that defense and tracing
> are of limited utility and that filtering is the only way to stop these
> attacks, then we need a few people who read the nanog and iepg lists
> to stand up and say "I will filter and I expect you to do the same if you
> want to peer with me." Otherwise, it will be difficult for any single ISP
> to justify being the first to install peripheral filtering. We must have
> a consensus to move on this issue. Call it "peer pressure".  :-)

You can also frighten people like so...

Copyright 1996 by Michael Dillon, All Rights Reserved

By now everyone is well aware of the exploits of the legendary hacker
Kevin Mitnick who broke into computers at the San Diego Supercomputer
Center administered by Tsutomu Shimomura by using a couple of techniques
known as source spoofing and SYN flooding. But few people are aware that
these techniques have now been mastered by many other hackers estimated to
be 20,000 strong in the USA alone. And surprisingly, few Internet sites
have protected themselves from such attacks by installing simple source
address filters on their routers. A variation on this type of attack shut
down a New York ISP for hours at a time over a four day period early in
September. 

Anyone responsible for any services connected to the Internet should see
to it that basic source address filters are installed in their routers.
These filters will ensure that no packets can enter your network
pretending to be from a trusted machine inside your network. And they will
prevent packets from leaving your network unless they have proper local
source addresses on them. The incoming filters will protect you from
external spoofing attacks by hackers while the outgoing filters will
ensure that you cannot be used as a launching board for hacker attacks and
thus protect you from legal liability.

-----------------end of sample---------

Add some technical details on how to implement source address filtering
and you will get LOTS of sites to install these filters. The copyright
notice is up there because I intend to approach various magazine editors
regarding an article on the subject. But if somebody wants to take a
similar approach on a web page or a mailing list or at LISA or at NANOG or
wherever, I think this is an effective angle to take. You know what they
say; most people don't get the message until they read something for the
SEVENTH time.


Michael Dillon                   -               ISP & Internet Consulting
Memra Software Inc.              -                  Fax: +1-604-546-3049
http://www.memra.com             -               E-mail: [email protected]
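The two-rule source address filter the sample article describes, expressed as a packet-filter decision function. This is an added illustration, not code from Dillon's post or from any router vendor; the prefixes 192.0.2.0/24 and 198.51.100.0/25, the Packet record and the sample traffic are constructed values, and "inbound"/"outbound" refer to the ISP-facing link.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed example: the address blocks this site legitimately uses.
LOCAL_PREFIXES = [ip_network("192.0.2.0/24"), ip_network("198.51.100.0/25")]

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    direction: str  # "inbound": arriving from the ISP; "outbound": leaving toward the ISP

def is_local(addr: str) -> bool:
    """True if addr falls inside one of our own prefixes."""
    a = ip_address(addr)
    return any(a in net for net in LOCAL_PREFIXES)

def decide(pkt: Packet) -> str:
    """Apply the two-rule border filter to one packet; return 'permit' or 'deny'.

    Incoming rule: nothing arriving from outside may claim an inside source.
    Outgoing rule: nothing leaving may carry anything but an inside source.
    """
    if pkt.direction == "inbound" and is_local(pkt.src):
        return "deny"  # spoofed: an outside packet posing as a trusted inside host
    if pkt.direction == "outbound" and not is_local(pkt.src):
        return "deny"  # otherwise our network could serve as a launch point
    return "permit"

def run_filter(packets):
    """Return (permitted, denied) lists; the denied list doubles as an audit log."""
    permitted, denied = [], []
    for pkt in packets:
        (permitted if decide(pkt) == "permit" else denied).append(pkt)
    return permitted, denied

# Constructed sample traffic on the ISP-facing link.
SAMPLE = [
    Packet("203.0.113.7", "192.0.2.10", "inbound"),       # ordinary inbound: permit
    Packet("192.0.2.5", "192.0.2.10", "inbound"),         # inside source from outside: deny
    Packet("192.0.2.10", "203.0.113.7", "outbound"),      # ordinary outbound: permit
    Packet("203.0.113.9", "203.0.113.7", "outbound"),     # foreign source leaving: deny
    Packet("198.51.100.200", "203.0.113.7", "outbound"),  # just past our /25: deny
]

if __name__ == "__main__":
    for p in run_filter(SAMPLE)[1]:
        print(f"deny {p.direction} src={p.src} dst={p.dst}")
```

The denied list is what you would feed to a log, since a steady stream of inbound packets with inside source addresses is the visible sign of a spoofing attempt against you, and outbound denials point at a compromised or misconfigured host of your own.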
