
List:       firewalls-gc
Subject:    Re: IP Filters?
From:       Paul Ferguson <pferguso () cisco ! com>
Date:       1997-07-04 9:14:16

At 03:00 PM 07/03/97 -0400, Brian Mitchell wrote:

> 
>Denial of services attacks are essentially impossible to defeat. They will
>always be there in one form or another.
>


While that is true to some extent, there are certainly things one can
do which help protect to a degree.

There are several different versions of DoS attacks, but the
ones which have been used predominantly are the TCP SYN and
UDP flooding attacks.

What these two attacks share is that they have been known to
be launched by attackers using bogus source addresses, addresses
which are not found in the global routing system. TCP SYN attacks
which use this methodology can be thwarted using a TCP 'intercept',
a TCP proxy which will not complete the TCP three-way handshake
unless the originator of the TCP connection is reachable in the
routing table.

However, there is a more insidious form of this attack which uses
random, bogus source addresses which *can* be found in the global
routing system, so that a return path is available to complete the
initial TCP three-way handshake. This has the unfortunate
side-effect of not only affecting the initial target, but also
an unwary third-party to whom the bogus addresses used actually
belong.

The same holds true for UDP flooding; however, there is no
effective mechanism to proxy UDP since it is connectionless.

The most effective method of minimizing the threat of DoS
is to use fairly extensive traffic access-filters to protect
services which do not need to be opened up for public
connectivity. Also, host computer vendors have significantly
strengthened their platforms and operating systems against
these types of attacks by reducing the time-wait state for
half-open TCP connections, as well as increasing the number
of connection buffers in the stack. I would suggest that
anyone concerned about this issue contact their OS vendor
to ask about patches which correct these deficiencies.
These, in conjunction with TCP Intercept and ingress
traffic filtering, provide a reasonable amount of
protection.

Of course, ICMP traffic can be blocked altogether using
traffic filters, and it is usually a pretty smart idea to
do so at the border router.

Note: ingress traffic filtering is a concept of filtering
traffic leaving your administrative domain so that only
traffic which is announced via routing (e.g. BGP) is allowed
to exit your routing domain. This does nothing to protect
you from an attack, but it does disallow downstream users
from launching attacks using nonexistent source addresses.
I have an I-D (Internet Draft) which is now expired on
the topic, which I plan to update and resubmit prior to
Munich/IETF.

ftp://ds.internic.net/internet-drafts/draft-ferguson-ingress-filtering-02.txt

- paul


--
Paul Ferguson                                           ||        ||
Consulting Engineering                                  ||        ||
Herndon, Virginia   USA                                ||||      ||||
tel: +1.703.397.5938                               ..:||||||:..:||||||:..
e-mail: pferguso@cisco.com                         c i s c o S y s t e m s
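
The filtering rule described in the note above, as an added example that is not part of the original message or of the Internet Draft: a border filter that forwards outbound traffic only when its source address falls inside a prefix the domain announces. The announced prefixes and the sample packets are constructed values; it shows that the filter catches both an unrouted bogus source and a routable source belonging to an unwary third party.

```python
# Added example, not Paul Ferguson's code or the draft's text: an egress-side
# "ingress filter" as described in the post. The announced prefixes and the
# packets below are constructed sample values.
import ipaddress
from dataclasses import dataclass

# Prefixes this administrative domain actually announces via BGP (constructed).
ANNOUNCED_PREFIXES = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("198.51.100.0/25"),
]


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str  # "tcp", "udp" or "icmp"


def source_is_announced(src: str, prefixes=ANNOUNCED_PREFIXES) -> bool:
    """True if src lies inside a prefix this domain announces via routing."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in prefixes)


def filter_egress(packets, prefixes=ANNOUNCED_PREFIXES):
    """Apply the border filter to traffic leaving the domain.

    Returns (forwarded, dropped). A dropped packet carries a source the domain
    does not announce, so it can only be spoofed, whether the bogus address is
    unrouted (the first DoS variant in the post) or belongs to a routable
    third party (the "more insidious" variant).
    """
    forwarded, dropped = [], []
    for pkt in packets:
        (forwarded if source_is_announced(pkt.src, prefixes) else dropped).append(pkt)
    return forwarded, dropped


# Constructed sample of outbound traffic seen at the border router.
SAMPLE_PACKETS = [
    Packet("203.0.113.7", "192.0.2.10", "tcp"),     # legitimate local host
    Packet("198.51.100.200", "192.0.2.10", "udp"),  # outside the /25 we announce
    Packet("10.11.12.13", "192.0.2.10", "tcp"),     # spoofed, not globally routed
    Packet("192.0.2.99", "192.0.2.10", "tcp"),      # spoofed, routable third party
]

if __name__ == "__main__":
    fwd, drop = filter_egress(SAMPLE_PACKETS)
    for p in drop:
        print(f"dropped spoofed {p.proto} packet src={p.src} dst={p.dst}")
```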
