
Re: Ability to withstand well known attacks



 "dh" == Dan Hollis <goemon@anime.net> writes:

dh> On 22 Jul 2003 ericb@digitaljunkyard.net wrote:
>> Syncookies have their own problems (the "immaculate connection"*), and
>> rely on good cryptographically strong random numbers, which are not
>> always available on embedded devices.

dh> If you don't have good crypto strong random numbers, you probably shouldn't
dh> be speaking tcp in the first place... immaculate connection would be the
dh> least of your worries.

dh> There are *always* sources of entropy to seed prng's. Turning the device
dh> on and off is one.

Or packet arrival times.  Especially in a network device :)

dh> Perhaps a strong prng could be part of the opsec requirement?

Yes.  Forest for the trees...  That is definitely a requirement,
considering the existence of TCP hijacking/ISN prediction as well
known attacks, and the requirements for mgmt traffic encryption.

Of course, you then have to specify where that PRNG must be used.

>> Another acceptable solution is line rate ACLs for traffic TO the
>> device (as opposed to THROUGH the device).  Your 768k SYN flood just
>> would not make it to the TCP server.

dh> Performance impact though...

Line rate filter by definition has no performance impact, at least
according to our document.  The device should be able to protect
itself against unwanted packets, regardless of ingress rate, without
affecting transit traffic latency or local services.  Witness Juniper.

We do not know what the Internet will cook up next, we just know it
will be evil.  Fixing SYN floods fixes a single problem.  General
filtering mechanisms give router engineers the tools to fix many
problems.  Teach a man to fish....

ericb
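Added example, not part of this thread: a minimal Bernstein-style SYN-cookie encode/verify in Python, showing where the "good cryptographically strong random numbers" the quoted text mentions actually enter (the keyed secret) and how the time counter bounds a cookie's lifetime. Field widths, the MSS table and the counter period are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os
import struct

# Constructed SYN-cookie scheme.  The 32-bit ISN in the SYN-ACK carries a
# coarse time counter and an MSS index, bound to the 4-tuple by a keyed hash.
# No per-SYN state is kept: a returning ACK proves the peer saw the SYN-ACK.
# The secret is the only place randomness enters; a guessable secret lets
# anyone mint cookies the server will accept, which is the thread's point.
MSS_TABLE = (536, 1300, 1440, 1460)   # assumed encodable MSS values (2 bits)
COUNTER_PERIOD = 64                   # assumed seconds per counter tick
MAX_AGE_TICKS = 2                     # reject cookies older than this


def new_secret():
    # OS CSPRNG; on a device without one, this is the weak link.
    return os.urandom(32)


def _tag(secret, saddr, daddr, sport, dport, count):
    # 24-bit keyed tag over the 4-tuple and the full counter value
    msg = saddr + daddr + struct.pack("!HHI", sport, dport, count)
    return int.from_bytes(hmac.new(secret, msg, hashlib.sha256).digest()[:3], "big")


def make_cookie(secret, saddr, daddr, sport, dport, mss, now):
    """ISN for the SYN-ACK: tag(24 bits) | counter low 6 bits | mss index(2 bits)."""
    count = int(now) // COUNTER_PERIOD
    idx = max((i for i, m in enumerate(MSS_TABLE) if m <= mss), default=0)
    return (_tag(secret, saddr, daddr, sport, dport, count) << 8) | ((count & 0x3F) << 2) | idx


def check_cookie(secret, saddr, daddr, sport, dport, cookie, now):
    """Return the encoded MSS if the ACKed cookie is genuine and fresh, else None."""
    idx = cookie & 0x3
    count_low = (cookie >> 2) & 0x3F
    now_count = int(now) // COUNTER_PERIOD
    # Recover the full counter from its low bits by trying only recent ticks,
    # so an old cookie is rejected even if its tag would still verify.
    for age in range(MAX_AGE_TICKS + 1):
        count = now_count - age
        if (count & 0x3F) != count_low:
            continue
        expected = _tag(secret, saddr, daddr, sport, dport, count).to_bytes(3, "big")
        if hmac.compare_digest((cookie >> 8).to_bytes(3, "big"), expected):
            return MSS_TABLE[idx]
    return None
```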