From firewalls-gc Fri Jul 04 09:14:16 1997
From: Paul Ferguson
Date: Fri, 04 Jul 1997 09:14:16 +0000
To: firewalls-gc
Subject: Re: IP Filters?
X-MARC-Message: https://marc.info/?l=firewalls-gc&m=87619474410194

At 03:00 PM 07/03/97 -0400, Brian Mitchell wrote:

>
> Denial of service attacks are essentially impossible to defeat. They will
> always be there in one form or another.
>

While that is true to some extent, there are certainly things one can do which help protect to a degree.

There are several different versions of DoS attacks, but the ones which have been used predominantly are the TCP SYN and UDP flooding attacks. What these two attacks share is that they have been known to be launched by attackers using bogus source addresses, addresses which are not found in the global routing system.

TCP SYN attacks which use this methodology can be thwarted using a TCP 'intercept', a TCP proxy which will not complete the TCP three-way handshake unless the originator of the TCP connection is reachable in the routing table. However, there is a more insidious form of this attack which uses random, bogus source addresses which *can* be found in the global routing system, so that a return path is available to complete the initial TCP three-way handshake. This has the unfortunate side-effect of not only affecting the initial target, but also an unwary third party to whom the bogus addresses used actually belong.

The same holds true for UDP flooding; however, there is no effective mechanism to proxy UDP since it is connectionless.

The most effective method of minimizing the threat of DoS is to use fairly extensive traffic access-filters to protect services which do not need to be opened up for public connectivity. Also, host computer vendors have significantly strengthened their platforms and operating systems against these types of attacks by reducing the time-wait state for half-open TCP connections, as well as increasing the number of connection buffers in the stack.

I would suggest that anyone concerned about this issue contact their OS vendor to ask about patches which correct these deficiencies. These, in conjunction with TCP Intercept and ingress traffic filtering, provide a reasonable amount of protection.

Of course, ICMP traffic can be blocked altogether using traffic filters, and it is usually a pretty smart idea to do so at the border router.

Note: ingress traffic filtering is a concept of filtering traffic leaving your administrative domain so that only traffic which is announced via routing (e.g. BGP) is allowed to exit your routing domain. This does nothing to protect you from an attack, but it does disallow downstream users from launching attacks using nonexistent source addresses. I have an I-D (Internet Draft) which is now expired on the topic, which I plan to update and resubmit prior to Munich/IETF.

ftp://ds.internic.net/internet-drafts/draft-ferguson-ingress-filtering-02.txt

- paul

--
Paul Ferguson
Consulting Engineering
Herndon, Virginia USA
tel: +1.703.397.5938
e-mail: pferguso@cisco.com
cisco Systems
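The two source-address checks described in the message above (the TCP-intercept reachability test at the target, and the border filter that only lets traffic out whose source is in the domain's announced prefixes), as an added illustration that is not part of the original post and not Cisco's or anyone's actual implementation. The routing table is a flat prefix list standing in for "the global routing system", and every prefix and packet below is constructed for the demonstration; the Packet, RouteTable, intercept_decision and border_source_filter names are this example's own. It also shows the two caveats the post raises: a spoofed source that is routable (a third party's address) still gets proxied, and a border filter cannot catch spoofing of an address inside the domain's own prefix.

```python
"""Source-address checks against a routing table: TCP-intercept style
reachability test at a target, and an announced-prefix filter at a site's
border. All prefixes and packets are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str          # "tcp" or "udp"
    syn: bool = False   # True for the first packet of a TCP handshake


class RouteTable:
    """A flat prefix list standing in for a routing table (constructed)."""

    def __init__(self, prefixes):
        self.prefixes = [ipaddress.ip_network(p) for p in prefixes]

    def has_route(self, addr):
        """True if some prefix in the table covers addr (a return path exists)."""
        a = ipaddress.ip_address(addr)
        return any(a in p for p in self.prefixes)


# Stand-in for "the global routing system": three documentation prefixes.
GLOBAL_ROUTES = RouteTable(["192.0.2.0/24", "198.51.100.0/24", "203.0.113.0/24"])


def intercept_decision(pkt, routes=GLOBAL_ROUTES):
    """TCP-intercept style check in front of a protected host.

    Returns one of:
      "proxy"        -- a SYN whose source is routable; the proxy completes the
                        three-way handshake on the server's behalf
      "drop-noroute" -- a SYN from an address with no return path (bogus
                        source): the handshake could never complete, so drop it
      "no-proxy"     -- UDP is connectionless; there is nothing to intercept
      "pass"         -- non-SYN TCP, left to the established-connection path
    Note the caveat: a spoofed source that IS routable still returns "proxy".
    """
    if pkt.proto == "udp":
        return "no-proxy"
    if pkt.proto == "tcp" and pkt.syn:
        return "proxy" if routes.has_route(pkt.src) else "drop-noroute"
    return "pass"


def border_source_filter(pkt, announced):
    """Filter applied to traffic LEAVING an administrative domain.

    Permit only packets whose source address lies inside a prefix the domain
    announces via routing; any other source is spoofed and is denied. This
    cannot catch a source spoofed from inside the announced prefix itself.
    """
    return "permit" if announced.has_route(pkt.src) else "deny"


def run_demo():
    """Apply both checks to constructed packets and return the verdicts."""
    site = RouteTable(["192.0.2.0/24"])   # the prefix this site announces

    inbound = [
        Packet("198.51.100.7", "192.0.2.10", "tcp", syn=True),   # genuine client
        Packet("10.9.8.7", "192.0.2.10", "tcp", syn=True),       # unroutable (bogus) source
        Packet("203.0.113.9", "192.0.2.10", "tcp", syn=True),    # spoofed, but a routable third party
        Packet("10.9.8.7", "192.0.2.10", "udp"),                 # UDP flood with bogus source
    ]
    outbound = [
        Packet("192.0.2.5", "198.51.100.1", "tcp", syn=True),    # legitimate local host
        Packet("203.0.113.9", "198.51.100.1", "tcp", syn=True),  # downstream user spoofing a foreign address
        Packet("192.0.2.77", "198.51.100.1", "tcp", syn=True),   # spoof inside own prefix: not caught
    ]
    return {
        "intercept": [intercept_decision(p) for p in inbound],
        "border": [border_source_filter(p, site) for p in outbound],
    }


if __name__ == "__main__":
    for check, verdicts in run_demo().items():
        print(check, verdicts)
```

Running it prints the four intercept verdicts (proxy, drop-noroute, proxy, no-proxy) and the three border verdicts (permit, deny, permit); the third entry in each list is the caveat the post warns about, and the real protection against it comes from every domain filtering its own outbound sources, not from any check at the target.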