
List:       firewalls-gc
Subject:    Re: IP Filters?
From:       Brian Mitchell <brian () firehouse ! net>
Date:       1997-07-04 12:36:38

On Fri, 4 Jul 1997, Paul Ferguson wrote:

> At 03:00 PM 07/03/97 -0400, Brian Mitchell wrote:
> 
> > 
> >Denial of services attacks are essentially impossible to defeat. They will
> >always be there in one form or another.
> >
> 
> 
> The most effective method of minimizing the threat of DoS
> is to use fairly extensive traffic access-filters to protect
> services which do not need to be opened up for public
> connectivity. Also, host computer vendors have significantly
> strengthened their platforms and operating systems against
> these types of attacks by reducing the time-wait state for
> half-open TCP connections, as well as increased the number
> of connection buffers in the stack. I would suggest that
> anyone concerned about this issue contact their OS vendor
> to ask about patches which correct these deficiencies.
> These, in conjunction with TCP Intercept and ingress
> traffic filtering, provides a reasonable amount of
> protection.

Any public service can be used as an attack though. You allow www out?
Great, flood target user with src port 80 traffic, ack bit set. DPF
technology can help significantly here, but one has to wonder if the time
involved to stop a given attack is not greater than the potential risk. If
someone wants to perform a denial of services attack against you badly
enough, there is a good chance they will do it - and succeed - at least,
this is true for the average company.

> 
> Of course, ICMP traffic can be blocked altogether using
> traffic filters, and is usually a pretty smart idea to
> do so at the border router.

Unfortunately, tools such as traceroute and ping are useful, so allowing
port_unreach (which, unfortunately, opens you up to some denial of services
holes on older boxes), echo_reply, and time_exceeded might be a good
idea.

Brian Mitchell                           brian@firehouse.net
"BSD code sucks. Of course, everything else sucks far more."
- Theo de Raadt
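As an added illustration of the two points in Brian's reply (this is not code from the original post or from either poster), a toy filter evaluator in Python: it contrasts a stateless rule that admits any ACK-set segment from source port 80 with a stateful check that only admits segments answering a connection the site itself opened, and encodes the ICMP allow-list (echo_reply, port_unreach, time_exceeded) the reply proposes. Packet fields, the connection table and the sample packets are constructed assumptions for the demonstration.

```python
from dataclasses import dataclass
from typing import Optional, Set, Tuple

# ICMP messages the reply suggests admitting so ping and traceroute keep
# working: echo-reply (type 0), port-unreachable (type 3, code 3) and
# time-exceeded (type 11). A code of None matches any code for that type.
ALLOWED_ICMP: Set[Tuple[int, Optional[int]]] = {(0, None), (3, 3), (11, None)}

# Constructed connection table: (local_ip, local_port, remote_ip, remote_port)
# for TCP connections the site opened outbound (e.g. a browser fetching www).
OUTBOUND: Set[Tuple[str, int, str, int]] = {("10.0.0.5", 40000, "203.0.113.9", 80)}

@dataclass(frozen=True)
class Packet:
    proto: str                 # "tcp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    ack: bool = False          # TCP ACK flag
    icmp_type: int = -1
    icmp_code: int = 0

def icmp_allowed(pkt: Packet) -> bool:
    """ICMP passes only if its type (or type+code) is on the allow-list."""
    return (pkt.icmp_type, None) in ALLOWED_ICMP or \
           (pkt.icmp_type, pkt.icmp_code) in ALLOWED_ICMP

def stateless_allow(pkt: Packet) -> bool:
    """Border-router style rule with no connection memory: anything that
    looks like a web-server reply (source port 80, ACK set) is admitted."""
    if pkt.proto == "icmp":
        return icmp_allowed(pkt)
    return pkt.proto == "tcp" and pkt.sport == 80 and pkt.ack

def stateful_allow(pkt: Packet, outbound: Set[Tuple[str, int, str, int]]) -> bool:
    """Same ICMP policy, but TCP passes only if the segment answers a
    connection recorded in the outbound table."""
    if pkt.proto == "icmp":
        return icmp_allowed(pkt)
    return pkt.proto == "tcp" and (pkt.dst, pkt.dport, pkt.src, pkt.sport) in outbound

# Constructed sample traffic.
REAL_REPLY = Packet("tcp", "203.0.113.9", "10.0.0.5", sport=80, dport=40000, ack=True)
UNSOLICITED_ACK = Packet("tcp", "198.51.100.7", "10.0.0.5", sport=80, dport=1234, ack=True)
ECHO_REPLY = Packet("icmp", "203.0.113.9", "10.0.0.5", icmp_type=0)
PORT_UNREACH = Packet("icmp", "203.0.113.9", "10.0.0.5", icmp_type=3, icmp_code=3)
HOST_UNREACH = Packet("icmp", "203.0.113.9", "10.0.0.5", icmp_type=3, icmp_code=1)
REDIRECT = Packet("icmp", "203.0.113.9", "10.0.0.5", icmp_type=5)
```

The unsolicited ACK-set segment from source port 80 clears the stateless rule but not the stateful one, which is the gap the reply describes; the ICMP checks show why allow-listing by type and code matters.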
