
Re: Ability to withstand well known attacks



 "dh" == Dan Hollis <goemon@anime.net> writes:

dh> On Tue, 22 Jul 2003, George Jones wrote:
>> > OPSEC BOF - Operation Security Requirements for
>> > IP Network Elements Session
>> > 17 July 2003, IETF #57, Vienna
>> > BS: (Bill Somerfeld, Sun) Vendors will have trouble
>> >     with 2.3.8.  No vendor could comply with
>> >     2.3.8, it is too hard as written.  GJ: admits that
>> >     2.3.8 needs work.  BS: it is also a moving target!
>> OK, this makes two vendors who strenuously objected to this
>> requirement.   I'd like feedback/discussion/suggested wording.

dh> Devices should at the very least survive "obvious" attacks like SYN 
dh> floods. Management ports should not become unusable simply because the 
dh> device was flooded with bogus SYNs. (In this case syncookies would be a 
dh> requirement)

Syncookies have their own problems (the "immaculate connection"*), and
rely on good cryptographically strong random numbers, which are not
always available on embedded devices.

Another acceptable solution is line rate ACLs for traffic TO the
device (as opposed to THROUGH the device).  Your 768k SYN flood just
would not make it to the TCP server.

dh> I can't begin to count the endless list of vendors who can't even meet that 
dh> simple requirement.

Hence our introduction of this requirement.  "You have to meet at
least a common sense security baseline before we'll even consider your
hardware."

ericb

* The Immaculate Connection: If you can guess the ISN that the server
  WOULD have produced if you sent it a SYN packet, you can just send
  in an ACK packet for that ISN.  This results in a full TCP
  connection without any SYN.  This is difficult in theory, but bad
  PRNGDs make it possible or even trivial.
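The exchange above, as an added example that is not part of the original message or any vendor's code: a stateless SYN-cookie listener in the classic layout (5-bit time counter, 3-bit MSS index, 24-bit keyed hash packed into the 32-bit ISN), the acceptance window that makes old cookies stale, and the "immaculate connection" from the footnote, where an attacker who can predict the server's secret mints the cookie itself and completes a connection with a lone ACK. The 64-second window, the 8-entry MSS table, the HMAC construction and the "secret seeded from boot time" weakness are illustrative assumptions; the addresses are constructed.

```python
"""SYN cookies and the "immaculate connection" failure mode.

Added example, not code from the post or from any vendor. Layout assumed:
ISN = (counter << 27) | (mss_index << 24) | tag, with a 24-bit keyed hash as
the tag and a counter that ticks every WINDOW seconds.
"""
import hashlib
import hmac
import random
import struct

# Assumed 8-entry MSS table; the 3-bit index in the cookie selects an entry.
MSS_TABLE = (536, 1220, 1300, 1400, 1440, 1460, 4312, 8960)
WINDOW = 64  # seconds per counter tick (assumption)


def _tag(secret, saddr, sport, daddr, dport, counter):
    """24-bit keyed hash binding the cookie to the 4-tuple and the counter."""
    msg = struct.pack("!4sH4sHI", saddr, sport, daddr, dport, counter)
    digest = hmac.new(secret, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:3], "big")


def make_cookie(secret, saddr, sport, daddr, dport, peer_mss, now):
    """ISN the listener puts in its SYN-ACK. No per-SYN state is stored."""
    counter = (now // WINDOW) & 0x1F
    idx = 0
    for i, mss in enumerate(MSS_TABLE):  # largest table entry <= peer's MSS
        if mss <= peer_mss:
            idx = i
    return (counter << 27) | (idx << 24) | _tag(secret, saddr, sport, daddr, dport, counter)


def check_cookie(secret, saddr, sport, daddr, dport, ack, now):
    """Validate the final ACK of a handshake; return the recovered MSS or None."""
    cookie = (ack - 1) & 0xFFFFFFFF
    counter, idx, tag = cookie >> 27, (cookie >> 24) & 0x7, cookie & 0xFFFFFF
    cur = (now // WINDOW) & 0x1F
    if counter not in (cur, (cur - 1) & 0x1F):
        return None  # stale: issued more than two windows ago
    expected = _tag(secret, saddr, sport, daddr, dport, counter)
    if not hmac.compare_digest(tag.to_bytes(3, "big"), expected.to_bytes(3, "big")):
        return None
    return MSS_TABLE[idx]


# Constructed addresses for the walkthrough.
SERVER = b"\x0a\x00\x00\x01"
CLIENT = b"\xc0\xa8\x01\x05"
VICTIM = b"\xc0\xa8\x01\x09"  # source the attacker spoofs


def handshake(secret, now, ack_delay):
    """Honest client: SYN -> SYN-ACK(cookie) -> ACK(cookie+1) after ack_delay seconds."""
    isn = make_cookie(secret, CLIENT, 40000, SERVER, 22, 1460, now)
    return check_cookie(secret, CLIENT, 40000, SERVER, 22, (isn + 1) & 0xFFFFFFFF, now + ack_delay)


def immaculate_connection(server_secret, attacker_guess, now):
    """Attacker never sends a SYN: it predicts the cookie the server WOULD have
    issued for a spoofed source and sends only the ACK. True if accepted."""
    predicted = make_cookie(attacker_guess, VICTIM, 5555, SERVER, 22, 1460, now)
    ack = (predicted + 1) & 0xFFFFFFFF
    return check_cookie(server_secret, VICTIM, 5555, SERVER, 22, ack, now) is not None


def weak_secret(boot_time):
    """Assumed weak embedded-device choice: secret from a PRNG seeded with boot time,
    which an attacker who knows (or brute-forces) the boot time can reproduce."""
    return random.Random(boot_time).randbytes(16)


if __name__ == "__main__":
    now = 1_000_000
    print("honest handshake, MSS:", handshake(b"\xaa" * 16, now, 10))
    print("ACK 200 s late, MSS:", handshake(b"\xaa" * 16, now, 200))
    print("weak secret, ACK-only connection accepted:",
          immaculate_connection(weak_secret(1700000000), weak_secret(1700000000), now))
    print("unpredictable secret, ACK-only connection accepted:",
          immaculate_connection(b"\xaa" * 16, weak_secret(1700000000), now))
```

Two points the walkthrough makes concrete: the listener must reject cookies outside a short window (otherwise a leaked or guessed cookie is valid forever), and the whole scheme is only as good as the secret behind the tag, which is exactly the embedded-device concern raised above. Note also that a 24-bit tag can be brute-forced online by an attacker willing to send millions of ACKs, so cookies complement, rather than replace, filtering traffic destined TO the device.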