Great Circle Associates Firewalls
(April 1996)

Subject: Re: flood attack
From: Barney Wolff <barney @ databus . com>
Date: Tue, 9 Apr 1996 07:51 EDT
To: firewalls @ greatcircle . com

> Date: Mon, 08 Apr 1996 18:05:21 -0700
> From: David Schiffrin <dschiffrin @ ucsd . edu>
> 
> More specifically, the web, inbound SMTP, and POP servers were each flooded
> by SYN packets from the 'net on the services' respective ports, thus denying
> legitimate users access to these services. I filtered some, and changed
> DNS/IP addresses for others, but I'm not sure (without dynamic packet filter
> rules) how to address this long-term. These solutions only worked because
> the attacker began the attack (maybe checked it for effectiveness) and
> seemed to leave it running unattended. Obviously the web and SMTP servers
> need to be accessible to the outside, but how do I make this better?
> 
> BTW hosts from a variety of assigned and unassigned networks appeared to be
> the source addresses, and all hosts were/are unreachable from any
> net-access. Could/should the 'wall be doing a ping-check back at connecting
> hosts?.....

This might have been a prelude to a Mitnick-style source-address spoofing
attack.  What hosts trust the hosts that were flooded?  Does the router
make sure that incoming packets don't have source addresses apparently on
internal nets?

As for the ping-back check, it's probably too late for that when you
become aware that there's an incoming TCP connect, unless you get inside
the kernel.  tcpwrapper can do a reverse & forward DNS check, and an
ident check (not worth much, but at least if it succeeds you know the
host is reachable), and could easily be hacked to do the ping.  But
inetd (or sendmail or httpd or tcpwrapper) probably does not even see
the connect unless the other side ACKs the SYN-ACK from your side.

Barney Wolff  <barney @ databus . com>
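The mechanics Barney describes above (a spoofed SYN fills a kernel half-open slot, the SYN-ACK goes to an unreachable address, and inetd/tcpwrapper never see a connection they could ping-check) can be modelled in a few dozen lines. The following is an added example written for this archive page, not code from either poster; the backlog size, SYN timeout, and the internal/external address ranges are constructed assumptions, and the router rule is the anti-spoofing check Barney asks about, written as a function.

```python
"""Model of a SYN flood against a listening port's backlog, plus the
router-side anti-spoofing check from the reply. Constructed example."""
import ipaddress
from collections import OrderedDict

# Assumed internal prefix for the router check (constructed, TEST-NET-2).
INTERNAL_NETS = [ipaddress.ip_network("198.51.100.0/24")]


def spoofed_internal_source(src, iface, internal_nets=INTERNAL_NETS):
    """Router ingress rule: a packet arriving on the external interface must
    not carry a source address that belongs to one of the internal nets."""
    if iface != "external":
        return False
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in internal_nets)


class Listener:
    """Kernel-side view of a listening port. The userland server (inetd,
    tcpwrapper, sendmail, httpd) only ever sees entries that reach the
    accept queue, i.e. after the client's final ACK of the SYN-ACK."""

    def __init__(self, backlog, syn_timeout):
        self.backlog = backlog
        self.syn_timeout = syn_timeout
        self.half_open = OrderedDict()  # (src, sport) -> age in ticks
        self.accept_queue = []
        self.dropped_syns = 0

    def on_syn(self, src, sport):
        key = (src, sport)
        if key in self.half_open:
            return True  # retransmitted SYN, no new state
        if len(self.half_open) >= self.backlog:
            self.dropped_syns += 1  # backlog full: kernel drops the SYN
            return False
        self.half_open[key] = 0  # SYN_RECEIVED, SYN-ACK sent to src
        return True

    def on_ack(self, src, sport):
        if self.half_open.pop((src, sport), None) is None:
            return False  # no SYN_RECEIVED entry for this peer
        self.accept_queue.append((src, sport))
        return True

    def tick(self):
        """One unit of time; expire half-open entries past the SYN timeout."""
        for key in list(self.half_open):
            self.half_open[key] += 1
            if self.half_open[key] >= self.syn_timeout:
                del self.half_open[key]

    def accept(self):
        """What the userland server sees. Spoofed SYNs never get here."""
        return self.accept_queue.pop(0) if self.accept_queue else None


def simulate(backlog=8, syn_timeout=10, spoofed=20, legit=3, wait=0):
    """Spoofed SYNs come from constructed unreachable addresses that never
    ACK; legitimate clients complete the handshake. 'wait' is the number of
    ticks between the end of the flood and the first legitimate client."""
    lst = Listener(backlog, syn_timeout)
    for i in range(spoofed):
        lst.on_syn(f"203.0.113.{i + 1}", 40000 + i)  # constructed sources
    for _ in range(wait):
        lst.tick()
    for i in range(legit):
        src, sport = f"192.0.2.{i + 1}", 50000 + i  # constructed clients
        if lst.on_syn(src, sport):
            lst.on_ack(src, sport)
    seen_by_app = 0
    while lst.accept() is not None:
        seen_by_app += 1
    return {"half_open": len(lst.half_open),
            "dropped_syns": lst.dropped_syns,
            "legit_accepted": seen_by_app}


if __name__ == "__main__":
    print("flood, clients arrive at once:", simulate())
    print("flood, clients arrive after SYN timeout:", simulate(wait=10))
    print("router check on external iface:",
          spoofed_internal_source("198.51.100.7", "external"))
```

With the defaults, twenty spoofed SYNs fill the eight-slot backlog and every legitimate SYN is dropped before the application is involved, which is why a ping-back at accept time cannot help. Once the SYN timeout expires the slots free up and the clients connect, so a short SYN_RECEIVED timeout or a larger backlog is what changes the outcome. Note that the flood sources in the model are not inside the internal prefix, so the router anti-spoofing rule does not stop them; it addresses the separate trust-exploitation risk Barney raises, not the flood itself.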
