Great Circle Associates Firewalls
(September 1996)

Subject: RE: SYS Floods - solution-2
From: Todd Truitt <Todd . Truitt @ evolving . com>
Date: Mon, 16 Sep 1996 13:34:59 -0600
To: dschiffrin @ ucsd . edu
Cc: firewalls @ GreatCircle . COM, Todd . Truitt @ evolving . com

> 
> There are a few problems with this. Here are a few I've just come up with
> off the top of my head.
> 
> 1. I'm not aware of any term servers which could do this. (admittedly this
> is a weak one)

I don't know any either.  But this shouldn't be *that* hard to create.

> 2. unless your 'smart term server' is VERY smart(spendy) it will break
> protocols like FTP (which passes IP and port _inside_ the packets)

You should be able to parse off the port.

> 3. some (many) ISP's and schools assign static IP's per user. (this probably
> doesn't matter)
> 
Shouldn't matter.

> 4. your objective could be achieved much much more easily by having the term
> server filter and drop packets not from the IP address assigned. (and using
> today's term servers)
> 
> 
> Another problem is with your assumptions. Were I to launch such an attack,
> I'd use compromised, fast connected machines with 'cron' not my own
> traceable dialup. Most educational institutions have machines connected to
> the net, which students in programming classes have plenty of access to, for
> this sort of attack.

Definite problem.

> 
> You seem to assume these are teenage miscreants rather than folks with a
> serious economic incentive. I'm not sure that's reasonable. Surely today,
> with the recent publishing of code, lots of wannabes will try it out, but
> until we figure out a good way around it 

The SYN denial of service attack is targeted to incapacitate the trusted
host of a server.  By taking the trusted server off line through floods, the
attacker can spoof the address of the trusted server and gain access to any
host it serves.  The attack on the NY ISP seems to be just an effort to
trash that ISP, not to find trade secrets or change the Dept. of Justice Home
Page.


> (perhaps a different way for TCP
> buffers to be allocated ?) we're all vulnerable. If I secure the few
> thousand dialup ports I can, I'm only a small bit more protected than I was.
> The other few million out there are still wide open. I cannot imagine that
> this could be universally enforced.
>

Point taken.


> Just my $.02
>

Gracias.


--T

_____________________________________________________________________________
               R. Todd Truitt      Todd . Truitt @ evolving . com
                         Evolving Systems, Inc.
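As an added illustration of the exchange above (not code from either correspondent), the model below plays out the proposal from point 4, a terminal server that drops packets not carrying the address assigned to its dialup port, against a listener with a fixed half-open backlog. Running it with the filter off also stands for the counterpoint raised in the thread, since a flood from a compromised host never crosses the dialup filter at all. All addresses, the two-step handshake and the attempt ids are constructed for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src_ip: str   # source address as claimed in the IP header
    flags: str    # "SYN" or "ACK"; a constructed two-step handshake model
    ident: int    # constructed attempt id standing in for port/sequence numbers

class TerminalServer:
    """The thread's proposal: one address per dialup port, anything else is dropped."""
    def __init__(self, assigned_ip):
        self.assigned_ip = assigned_ip
        self.dropped = 0

    def forward(self, pkt):
        if pkt.src_ip != self.assigned_ip:
            self.dropped += 1
            return None
        return pkt

class Listener:
    """TCP listener with a fixed half-open backlog and no timeout (slots are never freed)."""
    def __init__(self, backlog):
        self.backlog = backlog
        self.half_open = {}   # ident -> src_ip, state allocated on every SYN
        self.refused = 0
        self.established = 0

    def receive(self, pkt):
        if pkt is None:
            return
        if pkt.flags == "SYN":
            if len(self.half_open) >= self.backlog:
                self.refused += 1
            else:
                self.half_open[pkt.ident] = pkt.src_ip
        elif pkt.flags == "ACK" and self.half_open.pop(pkt.ident, None):
            self.established += 1

def simulate(filtered, backlog=8, flood=20):
    """Spoofed SYN flood from one dialup, then one legitimate client; returns (established, refused, dropped)."""
    server = Listener(backlog)
    ts = TerminalServer(assigned_ip="10.0.0.5")   # constructed dialup address
    for i in range(flood):
        # Spoofed source: the SYN-ACK goes nowhere, so the slot is never freed.
        syn = Packet(src_ip=f"192.0.2.{i + 1}", flags="SYN", ident=i)
        server.receive(ts.forward(syn) if filtered else syn)
    server.receive(Packet("203.0.113.7", "SYN", 1000))   # legitimate client
    server.receive(Packet("203.0.113.7", "ACK", 1000))
    return server.established, server.refused, ts.dropped
```

With the filter on, every spoofed SYN dies at the terminal server and the legitimate client connects; with it off, eight spoofed SYNs fill the backlog and the legitimate client is refused.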
