Great Circle Associates Firewalls
(September 1996)

Subject: Re: SYS Floods - solution-2
From: Benedikt Stockebrand <benedikt @ devnull . ruhr . de>
Date: 17 Sep 1996 00:20:21 +0200
To: firewalls @ GreatCircle . COM
In-reply-to: Todd Truitt's message of Sun, 15 Sep 1996 19:27:44 -0600
References: <199609160127 . TAA14864 @ thepound . evolving . com>

Todd Truitt <Todd . Truitt @ evolving . com> writes:

> Well, using the following assumptions:
> 
> 1.  The majority of these hacks come from dial-up ISPs.
> 2.  The others come from the university arena.
> 3.  Subscribers and students will sign contracts upon
> 	service installation/start-up that any abuse can
> 	and will be penalized.
> 4.  The dial-up access is similar to the setup here, i.e. dial
> 	into a terminal server, which dynamically assigns an IP
> 	address from a pool: PPP-10	180.191.152.10
> 
> [Idea about validating address translation snecked]

In the case of modem servers and similar setups there's probably a
simpler approach that doesn't require address translation or any other
additional stuff increasing latency, provided that the modem server is
connected to the router via ethernet or another bus system:

Add a (hidden) box to the ethernet running its interface with
promiscuous mode enabled. Use a hacked-up tcpdump (or tcpdump |
some-script if this doesn't cause too much overhead) to scan for
attacks, either counting SYN packets for each destination or simply
checking for impossible src/dest pairs.  The latter approach defends
against general IP spoofing.

To protect the victim the box should probably disable routing to the
victim by host routing it through a down interface or reject route or
whatever.  To track down the attacker it could possibly have the modem
server temporarily disable each line to see when the attack stops
(having the modem server do this has the advantage that it can check
this directly without disabling any service).  As a last resort, lines
could be dropped one after another, but I suppose this would upset
some customers and should only be done manually, really.

Aside from not increasing latency this approach has the advantage that
it's not burdening some specialized router or modem server hardware
with this additional job but uses a standard box instead.  Any cheap
Un*x PC should do the job.  And if it runs on a notebook it could
probably make a decent portable detector to trace attacks within the
archetypal university LAN.


Comments?


    Ben

-- 
Ben(edikt)? Stockebrand    Runaway ping.de Admin---Never Ever Trust Old Friends
My name and email address are not to be added to any list used for advertising
purposes.  Any sender of unsolicited advertisement e-mail to this address im-
plicitly agrees to pay a DM 500 fee to the recipient for proofreading services.
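The detector sketched in the message above (a promiscuous box feeding tcpdump output into a script that counts SYN packets per destination and flags src/dest pairs that should never appear on the modem-server segment), as an added example that is not part of the original post or of any tool the poster used. It assumes the classic tcpdump text line format, a constructed dial-up pool of 192.0.2.0/24, a constructed sample capture, and an arbitrary SYN threshold; "impossible" is taken to mean a packet where neither address belongs to the pool, since such a packet has no customer on this segment as either sender or receiver.

```python
import ipaddress
import re
import sys
from collections import Counter

# Matches the classic tcpdump TCP summary line, e.g.
#   "00:20:21.000001 192.0.2.10.1025 > 198.51.100.5.80: S 10:10(0) win 512"
# This is an assumption about the text format; adjust for other tcpdump versions.
TCPDUMP_RE = re.compile(
    r"^\S+\s+(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):\s+(?P<flags>[SFPRU.]+)(?P<rest>.*)$"
)

# Constructed sample capture: one normal handshake, a burst of SYNs from
# addresses outside the pool, one legitimate SYN, and one non-TCP line.
SAMPLE = """\
00:20:21.000001 192.0.2.10.1025 > 198.51.100.5.80: S 10:10(0) win 512
00:20:21.000002 198.51.100.5.80 > 192.0.2.10.1025: S 20:20(0) ack 11 win 8760
00:20:21.000003 192.0.2.10.1025 > 198.51.100.5.80: . ack 21 win 512
00:20:21.100001 203.0.113.7.2000 > 198.51.100.9.25: S 1:1(0) win 512
00:20:21.100002 203.0.113.8.2001 > 198.51.100.9.25: S 1:1(0) win 512
00:20:21.100003 203.0.113.9.2002 > 198.51.100.9.25: S 1:1(0) win 512
00:20:21.100004 203.0.113.10.2003 > 198.51.100.9.25: S 1:1(0) win 512
00:20:21.100005 192.0.2.11.2004 > 198.51.100.9.25: S 1:1(0) win 512
arp who-has 192.0.2.1 tell 192.0.2.10
"""


def parse_line(line):
    """Return (src, dst, is_pure_syn) for a TCP summary line, else None.

    A SYN-ACK also carries the S flag; it is told apart by the " ack " that
    tcpdump prints in the remainder of the line.
    """
    m = TCPDUMP_RE.match(line)
    if m is None:
        return None
    is_syn = m.group("flags") == "S" and " ack " not in m.group("rest")
    return m.group("src"), m.group("dst"), is_syn


def analyze(lines, pool_cidr, syn_threshold):
    """Count SYNs per destination and collect src/dst pairs foreign to the pool."""
    pool = ipaddress.ip_network(pool_cidr)
    syn_per_dst = Counter()
    impossible_pairs = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # ARP, ICMP, UDP or anything else we don't inspect
        src, dst, is_syn = parsed
        in_pool = ipaddress.ip_address(src) in pool or ipaddress.ip_address(dst) in pool
        if not in_pool:
            # Neither endpoint is a dial-up customer: spoofed or misrouted.
            impossible_pairs.append((src, dst))
        if is_syn:
            syn_per_dst[dst] += 1
    flooded = sorted(d for d, n in syn_per_dst.items() if n >= syn_threshold)
    return {
        "syn_per_dst": dict(syn_per_dst),
        "impossible_pairs": impossible_pairs,
        "flooded": flooded,
    }


if __name__ == "__main__":
    # Usage (assumed): tcpdump -n -l tcp | python3 syn_watch.py
    # With no piped input, the constructed sample is analysed instead.
    src_lines = sys.stdin if not sys.stdin.isatty() else SAMPLE.splitlines()
    report = analyze(src_lines, "192.0.2.0/24", syn_threshold=3)
    for dst in report["flooded"]:
        print(f"SYN flood suspected towards {dst}: {report['syn_per_dst'][dst]} SYNs")
    for src, dst in report["impossible_pairs"]:
        print(f"impossible pair on segment: {src} -> {dst}")
```

Counting is cumulative here; a production version would count within a sliding time window and act on the rate, and could use the link-layer source address of each frame to tell the modem-server side from the router side and so tighten the "impossible pair" rule to "source not in pool on a frame sent by the modem server".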

