North American Network Operators Group


Re: New form of packet attack named Stream

  • From: Pat Myrto
  • Date: Fri Jan 21 16:14:01 2000

Alex P. Rudnev has declared that:
> > > e-mail me asking for the code.
> > 
> > Actually, you provided enough details, so any unix guy who knows
> > his sockets can write the program in fifteen minutes.
> > 
> > This type of attack was known for a long time (and there are even
> > nastier variations using TCP header bits and fragments), and, unfortunately,
> > there's no good defense against it.
> There is one base rule - you (OS) MUST limit resources (CPU, MEMORY, buffers,
> sockets, etc) caught by any SINGLE origin (IP address, program, service).
> Such an approach breaks just any except a few DoS attacks - for example, if you try
> to exhaust memory attacking a single service, then (1) the service can't catch all
> memory because it's a SINGLE origin, and (2) one SRC address can't catch many
> resources because it's a SINGLE origin, and (3) you can't generate too many
> different addresses in case of reverse-filtering.

Any ideas/suggestions for hacks to the kernel, etc. (i.e., FreeBSD, Linux, etc.)
to impose such limits (configurable by admin, preferably)?  Especially
in the CPU usage and memory areas (perhaps sockets/handles, too).

One can limit handles, memory, etc. for a given user process, but I haven't
seen any such ability that would affect the TCP stack directly (the load
of many of these attacks does not launch or run user-mode code - it just
eats up all the CPU and/or memory).

This idea sounds like one of the potentially more viable approaches.  While
this would not solve issues of saturating upstream links that can't handle the
volume, it WOULD help a lot to enable targeted machines/servers to weather
an attack.

Routers - that's something the vendors should think about looking into.

Pat M/HW

> > > The core routers are indeed vulnerable; is there any router
> > > which has an access list for restricting packet flow to the routing processor?
> > (My knowledge of latest-and-greatest features from OFRV is somewhat outdated).
> > 
> > I toyed with the idea of reverse-path verification coupled with
> > some kind of super-squelch message; but so far all such schemes have
> > holes in them.  DoS attacks are a real scourge.
> > 
> > --vadim
> > 
> > 
> Aleksei Roudnev,
> (+1 415) 585-3489 /San Francisco CA/

#include <std.disclaimer.h>    Pat Myrto (pat at rwing dot ORG)     Seattle WA
How government differs from every other agency in society: The others
persuade; government compels.  Government is the only entity where the use
of force - including deadly force - to achieve an end is OK.  This is why
govt pushes so hard for a monopoly on the means of coercive force.
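The per-origin resource rule Aleksei describes, and the "weather the attack" effect Pat hopes for, as an added user-space simulation that is not part of the thread (all addresses, pool sizes and traffic are constructed; a real kernel would key this on sockets, mbufs or CPU slices rather than abstract slots):

```python
from collections import Counter

# Constructed sample traffic: one source floods 500 requests, then ten
# other hosts each send five. Addresses are from the RFC 5737 test ranges.
ATTACKER = "198.51.100.7"
LEGIT = [f"192.0.2.{i}" for i in range(1, 11)]

def constructed_traffic():
    """Return the constructed request sequence (source address per request)."""
    return [ATTACKER] * 500 + [h for h in LEGIT for _ in range(5)]

class ResourcePool:
    """A pool of 'total' slots (sockets, buffers, ...) shared by all origins.
    If per_origin is set, no single origin may hold more than that many,
    which is the SINGLE-origin limit from the quoted post."""
    def __init__(self, total, per_origin=None):
        self.total, self.per_origin = total, per_origin
        self.held = Counter()   # slots currently held, keyed by origin

    def acquire(self, origin):
        if sum(self.held.values()) >= self.total:
            return False        # pool exhausted globally
        if self.per_origin is not None and self.held[origin] >= self.per_origin:
            return False        # this origin already has its full share
        self.held[origin] += 1
        return True

def simulate(requests, total=100, per_origin=None):
    """Run the requests against a pool; return accepted/rejected counts
    per origin. Note that the per-origin cap only helps when the origin
    is genuine: spoofed source addresses need reverse-path (ingress)
    filtering upstream, point (3) in the quoted post."""
    pool = ResourcePool(total, per_origin)
    accepted, rejected = Counter(), Counter()
    for src in requests:
        (accepted if pool.acquire(src) else rejected)[src] += 1
    return {"accepted": accepted, "rejected": rejected}

if __name__ == "__main__":
    traffic = constructed_traffic()
    for cap in (None, 10):
        r = simulate(traffic, total=100, per_origin=cap)
        print(f"per-origin cap={cap}: attacker holds {r['accepted'][ATTACKER]} "
              f"slots, legitimate requests accepted: "
              f"{sum(r['accepted'][h] for h in LEGIT)} of {5 * len(LEGIT)}")
```

Without the cap the flooding source takes all 100 slots and every legitimate request is refused; with a cap of 10 the flooder is held to its share and all 50 legitimate requests succeed.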