North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: Counter DoS

  • From: Rachael Treu
  • Date: Mon Mar 15 10:55:34 2004

Leaving directed-bcast open would accomplish this on these devices, as well 
as many others.  A bigger problem here is that these irresponsible network
polyps would offer an icmp-independent amplifier.  They essentially open 
smurf amplification to any other protocol.  Whereas a network might clobber 
icmp at its border(s), a tcp or udp attack on a "friendly" port would
elicit the same effect as the ping-of-death of old, and be permitted
traversal of the traditional front lines of defense.

Contrbuting to firewalking and general network recon, the bane of icmp is
in its inherent behavior.  It is designed to remit success and failure
messages disclosing path and node details.  This is its sole function, and
is therefore non-negotiable and suspect and frequently dropped or monitored
by edge devices.  tcp and udp, on the other hand, are now being twisted to 
behave the same way when encountered by these stupid vigilante firewalls: 
send a (malicious) stream of data, invoke an equal and opposite stream of 
(malicious) data.  The creepy innovators of this nonsense appliance just
used the application layer to defile the fundamental nature of 
ubiquitous protocols.  Think about how we generally react when it appears
that M$ has done that.

Just give the whole bloody Internet a big red button, and train users' 
crosshairs on the first thing that moves.  I'll cheerlead outside the 
court proceedings when this obnoxious vendor sees its first lawsuit or
dissolution hearing.  

No carrier would allow this on its network, anyway.

--ra



On Thu, Mar 11, 2004 at 04:10:04PM -0500, Deepak Jain said something to the effect of:
> 
> 
> If you wanted to do that, wouldn't the firewall just need 
> directed-broadcast left open or emulate similar behavior, or even 
> turning ip unreachables back on?
> 
> Flooding pipes accidentally is easy enough. Now people are selling 
> products to do it deliberately.
> 
> Yeesh.
> 
> I saw a license plate this week (Virginia -IWTFM) I thought that was clever.
> 
> Deepak
> 
> Gregory Taylor wrote:
> 
> >
> >
> >Yes, lets allow the kiddies who already get away with as little work as 
> >they can in order to produce the most destruction they can, the ability 
> >to use these 'Security Systems' as a new tool for DoS attacks against 
> >their enemies.
> >
> >Scenerio:
> >
> >Lets say my name is: l33th4x0r
> >
> >I want to attack  joeblow.cable.com because joeblow666 was upset that I 
> >called his mother various inappropriate names.
> >
> >I find IP for joeblow.cable.com to be 192.168.69.69
> >
> >I find one of these 'security' systems, or multiple security systems, 
> >and i decide to forge a TCP attack from 192.168.69.69 to these 'security 
> >systems'.
> >
> >These 'security systems' then, thinking joeblow is attacking their 
> >network, will launch a retaliatory attack against the offender, 
> >192.168.69.69 thus destroying his connectivity.
> >
> >Kiddie 1   Joeblow 0    The Internet as a whole 0
> >
> >
> >Greg
> >
> >Rachael Treu wrote:
> >
> >>Mmm.  A firewall that lands you immediately in hot water with your
> >>ISP and possibly in a courtroom, yourself.  Hot.
> >>
> >>Legality aside...
> >>
> >>I don't imagine it would be too hard to filter these retaliatory
> >>packets, either.  I expect that this would be more wad-blowing
> >>than cataclysm after the initial throes, made all the more ridiculous
> >>by the nefarious realizing the new attack mechanism created by these 
> >>absurd boxen.  A new point of failure and an amplifier rolled all
> >>into one!  Joy!
> >>
> >>More buffoonery contributed to the miasma.  Nice waste of time,
> >>Symbiot.  Thanks for the pollution, and shame on the dubious ZDnet
> >>for perpetuating this garbage.
> >>
> >>ymmv,
> >>--ra
> >>
> >> 
> >>
> >
> >
> >
> >

-- 
rachael treu       [email protected]
..quis costodiet ipsos custodes?..