North American Network Operators Group
Re: New form of packet attack named Stream
Alex P. Rudnev has declared that:
> > > > > e-mail me asking for the code.
> > > >
> > > > Actually, you provided enough details, so any unix guy who knows
> > > > his sockets can write the program in fifteen minutes.
> > > >
> > > > This type of attack was known for a long time (and there are even
> > > > nastier variations using TCP header bits and fragments), and, unfortunately,
> > > > there's no good defense against it.
> There is one base rule - you (OS) MUST limit resources (CPU, MEMORY, buffers,
> sockets, etc) caught by any SINGLE origin (IP address, program, service).
>
> Such an approach breaks just about any DoS attack except a few - for example, if you try
> to exhaust memory attacking a single service, then (1) the service can't catch all
> memory because it's a SINGLE origin, and (2) one SRC address can't catch many
> resources because it's a SINGLE origin, and (3) you can't generate too many
> different addresses in case of reverse-filtering.

Any ideas/suggestions for hacks to the kernel, etc. (i.e., freebsd, linux, etc.) to impose such limits (configurable by admin, preferably)? Especially in the CPU usage and memory areas (perhaps sockets/handles, too).

One can limit handles, memory, etc. for a given user process, but I haven't seen any such ability that would affect the TCP stack directly (the load of many of these attacks does not launch or run user-mode code - it just eats up all the CPU and/or memory).

This idea sounds like one of the potentially more viable approaches. While this would not solve issues of saturating upstream links that can't handle the volume, it WOULD help a lot to enable targeted machines/servers to weather an attack.

Routers - that's something the vendors should think about looking into.

Pat M/HW

> > > > > The core routers are indeed vulnerable; is there any router which
> > > > > has an access list for restricting packet flow to the routing processor?
> > > > (My knowledge of latest-and-greatest features from OFRV is somewhat outdated).
> > > >
> > > > I toyed with the idea of reverse-path verification coupled with
> > > > some kind of super-squelch message; but so far all such schemes have
> > > > holes in them. DoS attacks are a real scourge.
> > > >
> > > > --vadim
> > > >
> > > >
> Aleksei Roudnev,
> (+1 415) 585-3489 /San Francisco CA/
>

--
#include <std.disclaimer.h>
Pat Myrto (pat at rwing dot ORG) Seattle WA
How government differs from every other agency in society: The others persuade; government compels. Government is the only entity where the use of force - including deadly force - to achieve an end is OK. This is why govt pushes so hard for a monopoly on the means of coercive force.
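The per-origin resource rule quoted above (no single source may hold more than a bounded share of a pooled resource such as socket or buffer slots) is easy to reason about with a small model. The following is an added example, not code from the thread or from any kernel: it replays a constructed event log in which one source opens slots and never releases them while a normal client opens and closes, and compares a pool with no per-origin cap against one with a cap. The addresses, pool size and cap are constructed values chosen for illustration.

```python
"""Per-origin resource accounting as a DoS defence (added example, not from the NANOG thread).

Models the rule from the post: no single origin (here a source IP) may hold more
than a fixed share of a pooled resource (here socket/buffer slots). Opens from an
origin that is already at its cap are refused, so the rest of the pool stays
available to other clients. All addresses and sizes below are constructed.
"""
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

Event = Tuple[str, str]  # (action, source_ip); action is "open" or "close"


@dataclass
class PerOriginPool:
    """A shared pool of slots with a per-origin cap (hypothetical kernel limit)."""
    total_slots: int        # size of the whole pool
    per_origin_cap: int     # most slots any single origin may hold at once
    in_use: int = 0
    held: Counter = field(default_factory=Counter)  # slots currently held, per origin

    def open(self, src: str) -> bool:
        # Refuse when the pool is exhausted OR when this origin already holds its cap.
        if self.in_use >= self.total_slots or self.held[src] >= self.per_origin_cap:
            return False
        self.in_use += 1
        self.held[src] += 1
        return True

    def close(self, src: str) -> None:
        # Release one slot held by src, if it holds any.
        if self.held[src] > 0:
            self.held[src] -= 1
            self.in_use -= 1


def replay(events: List[Event], pool: PerOriginPool) -> Dict[str, Counter]:
    """Replay an event log against a pool; count accepted and refused opens per source."""
    accepted: Counter = Counter()
    refused: Counter = Counter()
    for action, src in events:
        if action == "open":
            if pool.open(src):
                accepted[src] += 1
            else:
                refused[src] += 1
        elif action == "close":
            pool.close(src)
    return {"accepted": accepted, "refused": refused}


FLOODER = "203.0.113.7"    # constructed: one source that opens slots and never closes them
CLIENT = "198.51.100.20"   # constructed: a normal client that opens, then closes


def constructed_events(flood_len: int = 2000) -> List[Event]:
    """Interleave a never-closing flood with short transactions from a normal client."""
    events: List[Event] = []
    for i in range(flood_len):
        events.append(("open", FLOODER))
        if i % 10 == 0:  # every tenth flood packet the normal client does one open/close
            events.append(("open", CLIENT))
            events.append(("close", CLIENT))
    return events


def compare(total_slots: int = 1024, per_origin_cap: int = 64) -> Dict[str, Dict[str, int]]:
    """Run the same log against an uncapped pool and a per-origin-capped pool."""
    events = constructed_events()
    results = {}
    for label, cap in (("uncapped", total_slots), ("capped", per_origin_cap)):
        r = replay(events, PerOriginPool(total_slots, cap))
        results[label] = {
            "flooder_accepted": r["accepted"][FLOODER],
            "client_accepted": r["accepted"][CLIENT],
            "client_refused": r["refused"][CLIENT],
        }
    return results


if __name__ == "__main__":
    for label, stats in compare().items():
        print(label, stats)
```

With the uncapped pool the flooder takes all 1024 slots and the normal client is refused for the rest of the log; with a cap of 64 the flooder is held to 64 slots and every one of the client's opens succeeds. This is the shape of per-source connection limits in packet filters and of per-socket backlog limits in TCP stacks; as the post notes, it protects the host's own resources but does nothing for a saturated upstream link.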