North American Network Operators Group

Re: syn attack and source routing
Alexis Rosen <[email protected]> wrote:

> > Or better yet, the ICMP TRACEROUTE message, which would go
> > hop by hop and on every hop generates a response message.
> > Augmented with PROXY TRACEROUTE which will cause the destination
> > box to send out the ICMP TRACEROUTE.
>
> I'm very surprised that no one has mentioned what seems to me to be the
> *really* serious drawback to this scheme. Remember how much grief you had
> the last time someone did a news sendsys forged to your name? (If it's
> never happened to you, be glad...) This sort of attack got so bad that
> the default setup these days is to ignore sendsys.

Yes, indeed a single traceroute packet with a forged address can generate many
responses. However, there is at least one technique to eliminate its usefulness
as an attack weapon -- namely source address filtering (which is going to be
implemented anyway, sooner or later; there are other types of attacks).

Another way is to have ICMP TRACEROUTE return one packet with all the
information _and_ the IP address of the next hop router (i.e. replace the
recursive behaviour with iterative). It is still more useful than the UDP
kludge, and it will still work in case of load-sharing.

Actually, the "multiplication" type of flooding attack is nothing new, but
they are more easily done at the application level. For example, connecting
to different SNMP speakers and causing them to send a long error reply to the
target address. Or subscribing the victim to many, many mailing lists
(including USENET gateways, urgh!). Or using MBONE feeds creatively.

--vadim
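A small model of the amplification argument in this message, added here as an example and not part of the original thread: a constructed four-hop path, the per-hop reply behaviour of the proposed ICMP TRACEROUTE, the iterative one-reply-per-probe alternative, and an edge source-address filter. The router addresses, prefixes and the exact reply formats are assumptions for illustration.

```python
from ipaddress import ip_address, ip_network

# Constructed four-hop path (example data, not from the thread). Each hop is
# (router address, prefix legitimately reachable behind its ingress interface).
HOPS = [
    ("10.0.0.1", "192.0.2.0/24"),  # edge router: only customer sources in 192.0.2.0/24 are valid
    ("10.0.1.1", "10.0.0.0/16"),
    ("10.0.2.1", "10.0.0.0/16"),
    ("10.0.3.1", "10.0.0.0/16"),
]

def ingress_filter_ok(src, prefix):
    """Source address filtering at the edge: accept only sources the interface could carry."""
    return ip_address(src) in ip_network(prefix)

def recursive_traceroute(src, filtering=False):
    """Per-hop ICMP TRACEROUTE as discussed: one probe, and every hop on the path replies
    to src. Returns the replies that reach src (the victim, if src was forged)."""
    replies = []
    for hop, (router, prefix) in enumerate(HOPS, start=1):
        if filtering and hop == 1 and not ingress_filter_ok(src, prefix):
            break  # dropped at the edge, so no hop ever sees the probe
        replies.append({"from": router, "to": src, "hop": hop})
    return replies

def iterative_traceroute(src, filtering=False):
    """Iterative variant: each probe is answered by exactly one hop, whose reply names the
    next-hop router; the querier must send a fresh probe per hop.
    Returns (probes_sent, replies) so the two designs' reply-per-probe ratios compare."""
    probes, replies, idx = 0, [], 0
    while idx < len(HOPS):
        probes += 1
        if filtering and not ingress_filter_ok(src, HOPS[0][1]):
            break  # every probe enters through the edge, so a forged source is dropped there
        router = HOPS[idx][0]
        following = HOPS[idx + 1][0] if idx + 1 < len(HOPS) else None
        replies.append({"from": router, "to": src, "next_hop": following})
        idx += 1
    return probes, replies

def amplification(probes, replies):
    """Replies delivered to src per probe sent; above 1.0 a forged source is a multiplier."""
    return len(replies) / probes if probes else 0.0
```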