
RE: Ability to withstand well known attacks



OK, I had to go back and read about syncookies.
http://cr.yp.to/syncookies.html is a pretty good reference for them.

Now I can see where syncookies would help in the case of a SYN flood NOT
designed to fill the pipe.
I also believe that things like Juniper's firewall/rate limiting help.
Cisco's receive path ACLs also help.
Limiting what systems can communicate directly with your router via ACLs
also helps.

I personally think this last method is the best method, as it also protects
against other yet-to-be-discovered attacks.
If you can only SSH to my routers from a few "trusted" networks,
then a new SSH vulnerability is mitigated (not eliminated, but the threat is
lessened).

Are any of the router vendors implementing syncookies?
 

Donald.Smith@qwest.com GCIA
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xAF00EDCC
(coffee != sleep) & (!coffee == sleep)

> -----Original Message-----
> From: Dan Hollis [mailto:goemon@anime.net]
> Sent: Tuesday, July 22, 2003 12:33 PM
> To: Smith, Donald
> Cc: opsec@ops.ietf.org
> Subject: RE: Ability to withstand well known attacks
> 
> 
> On Tue, 22 Jul 2003, Smith, Donald wrote:
> > I disagree. Floods will always affect systems. Fill the pipe and the effect
> > is the same: the network element will be unreachable.
> 
> A fill-the-pipe DoS is quite different from a SYN flood DoS,
> which doesn't fill the pipe. That's the whole point of a SYN flood really -- a
> DoS without exceeding bandwidth.
> 
> I have a 45 Mbps DS3, and 768k of SYNs should not render my router
> unusable.
> 
> > As long as the network element/service doesn't crash or hang, I think that
> > is enough. No matter what you do there will always be a way to temporarily
> > remove a service by resource exhaustion.
> 
> Yes, but there is a solution for SYN floods to prevent that kind of
> exhaustion, so I would say anyone who fails a simple low-bandwidth
> SYN flood would fail the RFC.
> 
> -Dan
> -- 
> [-] Omae no subete no kichi wa ore no mono da. [-]
>
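The mechanism the thread is discussing, as an added example that is not part of this message or of the referenced cr.yp.to page: a minimal stateless SYN cookie generator and verifier. The 5-bit time counter / 3-bit MSS index / 24-bit MAC layout, the 64-second tick, the MSS table, the HMAC-SHA256 keyed hash and the constructed secret are all simplifying assumptions for illustration; the point is that the listener keeps no per-SYN state, so a flood of SYNs that never completes the handshake exhausts nothing.

```python
import hashlib
import hmac

# Constructed demo secret (assumption); a real server rotates a random key.
SECRET = b"constructed-demo-secret"
# Small MSS table: only an index into it is carried in the cookie.
MSS_TABLE = [536, 1220, 1440, 1460]
TICK = 64  # seconds per time counter tick (assumption)


def _mac(src_ip, src_port, dst_ip, dst_port, counter, secret):
    """24-bit keyed MAC over the connection 4-tuple and the time counter."""
    msg = f"{src_ip}:{src_port}>{dst_ip}:{dst_port}|{counter}".encode()
    digest = hmac.new(secret, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:3], "big")


def make_cookie(src_ip, src_port, dst_ip, dst_port, client_mss, now, secret=SECRET):
    """Return the 32-bit ISN to put in the SYN-ACK; nothing is stored server-side.
    Layout: 5 bits time counter | 3 bits MSS index | 24 bits MAC."""
    counter = (int(now) // TICK) & 0x1F
    mss_idx = 0  # fall back to the smallest MSS if the client offered less
    for i, mss in enumerate(MSS_TABLE):
        if mss <= client_mss:
            mss_idx = i
    mac = _mac(src_ip, src_port, dst_ip, dst_port, counter, secret)
    return (counter << 27) | (mss_idx << 24) | mac


def check_cookie(isn, src_ip, src_port, dst_ip, dst_port, now, secret=SECRET):
    """Validate a cookie echoed back by the client.
    Returns the negotiated MSS, or None if the cookie is forged or stale."""
    counter = isn >> 27
    mss_idx = (isn >> 24) & 0x7
    cur = (int(now) // TICK) & 0x1F
    if counter not in (cur, (cur - 1) & 0x1F):
        return None  # outside the two-tick acceptance window
    expected = _mac(src_ip, src_port, dst_ip, dst_port, counter, secret)
    got = (isn & 0xFFFFFF).to_bytes(3, "big")
    if not hmac.compare_digest(got, expected.to_bytes(3, "big")):
        return None  # MAC mismatch: wrong 4-tuple, wrong key or tampered
    return MSS_TABLE[mss_idx]


def handle_ack(ack_number, src_ip, src_port, dst_ip, dst_port, now, secret=SECRET):
    """The final ACK acknowledges ISN+1; recover the ISN and validate it.
    Only a valid cookie causes the server to allocate connection state."""
    isn = (ack_number - 1) & 0xFFFFFFFF
    return check_cookie(isn, src_ip, src_port, dst_ip, dst_port, now, secret)
```

A cookie older than two ticks, or one whose 4-tuple or MAC does not match, is dropped without any state ever having been held for it.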