FW: Internet SYN Flooding, spoofing attacks


From: Jim Whitehead (ejw@ics.uci.edu)
Date: Fri Feb 11 2000 - 16:29:19 PST


This recent post to the ietf@ietf.org mailing list has good links about the
recent DoS attacks.

- Jim

-----Original Message-----
From: Michael H. Warfield [mailto:mhw@wittsend.com]
Sent: Friday, February 11, 2000 1:18 PM
To: Bernie Volz
Cc: IETF@ietf.org
Subject: Re: Internet SYN Flooding, spoofing attacks

On Fri, Feb 11, 2000 at 02:40:15PM -0500, Bernie Volz wrote:
> Regarding the recent TCP SYN Flooding attacks, why aren't ALL ISPs
> required to put filtering on their networks that PREVENTS packets with
> invalid source addresses ever entering their infrastructure? If every
> site connected to the Internet did this, spoofing would be much more
> difficult because you couldn't do it. Sure, you could spoof an address
> from YOUR network, but that's all. And guess what, it would be much
> easier to track and thus to shut down the intrusions should they occur.

        Clue alert...

        The recent attacks were not TCP SYN Floods.

        Please check recent Bugtraq and Cert information regarding
Distributed DoS attacks.

        Further references:

http://xforce.iss.net/alerts/advise40.php3
http://www.cert.org/advisories/CA-2000-01.html
http://www.fbi.gov/nipc/trinoo.htm

        Detailed analyses of TFN (Tribe Flood Network), Trin00, and
Stacheldraht (Barbed Wire) are here:

http://staff.washington.edu/dittrich/misc/tfn.analysis
http://staff.washington.edu/dittrich/misc/trinoo.analysis
http://staff.washington.edu/dittrich/misc/stacheldraht.analysis

        Contrary to popular belief and the common press, TFN2K (Tribe
Flood Network 2000) also has Windows versions of the slave daemons
as well as Solaris and Linux versions.

        A lot of these attacks appeared to be SMURF style attacks and
TFN (Tribe Flood Network) and TFN2K have distributed smurf capabilities.

        This wasn't even close to being a TCP SYN flood.

        As far as spoofing goes, in their SMURF mode, the only spoofing
is the src_addr part of the ICMP echo that the slave systems send to
their LOCAL broadcast address. That src_addr is the address of the
system being attacked by ICMP_ECHOREPLY packets that simply consume all
its bandwidth. Check out the analysis.

        Anti-spoofing entry filters would have been of zero effect.

> Thus every edge router should have filter lists that prevent it
> forwarding traffic out to the Internet (ISPs network) any packet that
> does not have a source address that is valid from that site.

        Would not have helped except maybe in some of the UDP attack
modes of the slaves.

> I would hope that lots of ISPs already do this. But, perhaps not.

> - Bernie Volz
> Process Software

        Mike

--
 Michael H. Warfield    |  (770) 985-6132   |  mhw@WittsEnd.com
  (The Mad Wizard)      |  (770) 331-2437   |  http://www.wittsend.com/mhw/
  NIC whois:  MHW9      |  An optimist believes we live in the best of all
 PGP Key: 0xDF1DD471    |  possible worlds.  A pessimist is sure of it!
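The message above makes a mechanical point that is easy to miss: in the SMURF stage the only spoofed packet is an ICMP echo sent to the amplifier site's own broadcast address, so it never crosses that site's edge router, and the echo replies that actually hit the victim carry the amplifier hosts' legitimate source addresses. The following Python model is added here as an illustration of that point and of where a defender can still detect the pattern; it is not part of the original thread or of any of the tools it references. Every address, host count and threshold in it is constructed (documentation ranges), and the packet records are plain dictionaries rather than parsed headers.

```python
import ipaddress
from collections import defaultdict

# All addresses below are constructed for this example (RFC 5737 documentation ranges).
SITE_PREFIX = ipaddress.ip_network("192.0.2.0/24")    # the LAN abused as an amplifier
SITE_BROADCAST = str(SITE_PREFIX.broadcast_address)   # 192.0.2.255
VICTIM = "203.0.113.7"                                # address the slave spoofs as src
SITE_HOSTS = [f"192.0.2.{i}" for i in range(10, 60)]  # 50 hosts that answer broadcast pings


def make_icmp(src, dst, kind, seq=0):
    """Minimal packet record: only the fields the filters and detectors look at."""
    return {"src": src, "dst": dst, "proto": "icmp", "type": kind, "seq": seq}


def reflect_broadcast_echo(request, hosts):
    """Model the amplifier LAN: every host that receives an echo request addressed to
    the subnet broadcast answers with an echo reply to the (spoofed) source address."""
    if request["type"] != "echo-request" or request["dst"] != SITE_BROADCAST:
        return []
    return [make_icmp(h, request["src"], "echo-reply", request["seq"]) for h in hosts]


def egress_passes_ingress_filter(pkt):
    """Edge-router anti-spoofing rule of the kind argued for in the thread:
    forward a packet leaving the site only if its source address belongs to the site."""
    return ipaddress.ip_address(pkt["src"]) in SITE_PREFIX


def run_edge_router(lan_packets):
    """Split LAN traffic into what the edge router forwards and what it drops.
    Packets addressed to the local broadcast never reach the outside interface at all."""
    forwarded, dropped = [], []
    for pkt in lan_packets:
        if pkt["dst"] == SITE_BROADCAST:
            continue  # stays on the LAN; the anti-spoofing filter never sees it
        (forwarded if egress_passes_ingress_filter(pkt) else dropped).append(pkt)
    return forwarded, dropped


def detect_offlink_broadcast_echo(lan_packets):
    """Amplifier-side indicator: an echo request to our broadcast address whose source
    is not on our subnet. Legitimate broadcast pings come from on-link hosts."""
    return [p for p in lan_packets
            if p["type"] == "echo-request" and p["dst"] == SITE_BROADCAST
            and ipaddress.ip_address(p["src"]) not in SITE_PREFIX]


def detect_reflected_echo_flood(observed, min_distinct_sources=20):
    """Victim-side indicator: echo replies converging on one destination from many
    distinct sources, with no matching echo request from that destination on record."""
    requested = {(p["src"], p["dst"]) for p in observed if p["type"] == "echo-request"}
    unsolicited = defaultdict(set)
    for p in observed:
        if p["type"] == "echo-reply" and (p["dst"], p["src"]) not in requested:
            unsolicited[p["dst"]].add(p["src"])
    return {dst: len(srcs) for dst, srcs in unsolicited.items()
            if len(srcs) >= min_distinct_sources}


def simulate_smurf_stage():
    """One slave on the amplifier LAN emits a single spoofed broadcast echo; returns
    what each side of the exchange would see and whether its detector fires."""
    spoofed = make_icmp(VICTIM, SITE_BROADCAST, "echo-request", seq=1)
    lan_traffic = [spoofed] + reflect_broadcast_echo(spoofed, SITE_HOSTS)
    forwarded, dropped = run_edge_router(lan_traffic)
    return {
        "replies_generated": len(lan_traffic) - 1,
        "forwarded_to_victim": len(forwarded),
        "dropped_by_ingress_filter": len(dropped),
        "amplifier_side_alerts": len(detect_offlink_broadcast_echo(lan_traffic)),
        "victim_side_alerts": detect_reflected_echo_flood(forwarded),
    }


if __name__ == "__main__":
    for key, value in simulate_smurf_stage().items():
        print(f"{key}: {value}")
```

Running the model shows the thread's claim concretely: all 50 replies pass the edge filter because their sources are genuine site addresses, nothing is dropped, and the one spoofed packet was never a candidate for filtering because it stayed on the LAN. The place the site itself can act is on the amplifier side, where an echo request to the broadcast address from an off-link source is an unambiguous indicator, and where disabling directed broadcasts on the router and broadcast echo replies on hosts removes the amplification altogether; the victim-side detector only confirms the flood once it has already consumed bandwidth.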



This archive was generated by hypermail 2b29 : Fri Feb 11 2000 - 16:36:12 PST