peter @ baileynm . com, replying to (I think) paul @ mci . net wrote:
>> Either pre-fill the packet with enough (bogus?) recorded routes to
>> fill the IP options field
>
>That would be hard to get around, yes. Any magic tag you put in there
>to say "this is REAL recorded info" can be spoofed by the attacker too.
>Hmmm... I don't know enough to think of a counter to that.
You have to use due care. At some topological positions in the
Internet, you'd strip out any RR options you found, and replace them,
at others, you'd leave them alone and just record yourself in it.
For example, at ingress from a customer to an ISP, you'd strip
and replace. At ingress from an untrusted or unco-operative downstream
ISP, you might do the same. In the middle of the cloud, or at any sort of
egress from it, you'd respect any existing option.
It's by no means perfect; I figure it's about as useful as the
return path header in a usenet article -- quite possibly has some useful
info in it, but it's a *starting* *point* for investigation, not a
definitive answer.
>> Besides, the backbone routers of most service providers probably
>> can't do this and keep up with current traffic loads, since any
>> packet rewriting is generally out of the fast path...
>
>It would probably be possible to get that fixed if this turns into a big
>enough problem.
You'd do the hard work at the edges, and only update the RR options
in the middle. This is hard enough, and is indeed out of the slow path for
most everything. However, you'd only be doing it to SYN packets, which
account for something like 10% or less of the traffic. Assuming that
essentially all traffic is legitimate, you have 5 setup/teardown packets and
at least 1 data packet for a TCP connection, and RR options would, by and
large, appear only in 1 of those (or possibly 2, depending). All UDP
traffic, and at least 5/6 of the TCP traffic could still be fast-pathed.
And, to be sure, it's a fairly safe bet that the fast path would
learn about RR options, quickly, if this became standard practice.
Regardless, the main thing is to persuade the bulk of front-line
connectivity providers to filter out bogus source addresses. I called up
my ISP already, and also told our network security guys to filter at our
router as well. Everyone else on this list has done the same, right? ;)
Andrew
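The per-position policy sketched in the message above (strip and replace RR options at customer or untrusted-downstream ingress, respect existing ones in the core, touch only TCP SYNs, and drop packets with source addresses the customer was never allocated), as an added simulation that is not part of the thread. It is not router code: the Position names, the process() and fast_path_fraction() helpers, and the packet model are assumptions, and the addresses are constructed from RFC 5737 documentation space. It also checks the poster's 5/6 estimate against a constructed six-segment TCP connection.

```python
"""Edge-vs-core handling of IPv4 Record Route (RR) options on TCP SYN packets,
plus bogus-source filtering at customer ingress.  Constructed example; the
policy names, helpers and addresses are assumptions, not anything from the thread."""
import ipaddress
from dataclasses import dataclass, replace
from enum import Enum
from typing import List, Optional


class Position(Enum):
    CUSTOMER_INGRESS = "customer ingress"
    UNTRUSTED_DOWNSTREAM = "ingress from untrusted downstream ISP"
    CORE = "middle of the cloud or egress"


@dataclass
class Packet:
    src: str
    dst: str
    proto: str                       # "tcp" or "udp"
    syn: bool = False                # TCP SYN flag set (connection setup)
    rr: Optional[List[str]] = None   # recorded-route addresses; None = no RR option


# IPv4 option space is 40 bytes and an RR option carries a 3-byte header,
# so at most 9 four-byte addresses fit (RFC 791).
RR_MAX_HOPS = 9


def process(pkt, position, my_addr, customer_prefixes=()):
    """Apply the per-position policy to one packet.

    Returns (action, packet): 'drop', 'fast' (untouched, stays on the fast
    path) or 'slow' (inspected/rewritten by the slow path).
    """
    # 1. Bogus-source filtering at the customer edge: a source outside the
    #    customer's allocated prefixes cannot legitimately arrive on that port.
    if position is Position.CUSTOMER_INGRESS:
        src = ipaddress.ip_address(pkt.src)
        if not any(src in ipaddress.ip_network(p) for p in customer_prefixes):
            return "drop", pkt

    # 2. Only TCP SYN packets get RR treatment; all UDP and the remaining
    #    TCP segments stay on the fast path.
    if pkt.proto != "tcp" or not pkt.syn:
        return "fast", pkt

    # 3. At the edges, discard whatever RR data arrived (the sender can forge
    #    it, including pre-filling the option) and start a fresh record.
    if position in (Position.CUSTOMER_INGRESS, Position.UNTRUSTED_DOWNSTREAM):
        return "slow", replace(pkt, rr=[my_addr])

    # 4. In the core or at egress, respect an existing option: append our own
    #    address if there is room, otherwise leave it alone.  No option is
    #    added where none exists.
    if pkt.rr is not None and len(pkt.rr) < RR_MAX_HOPS:
        return "slow", replace(pkt, rr=pkt.rr + [my_addr])
    return "slow", pkt


def fast_path_fraction(packets, position, my_addr, customer_prefixes=()):
    """Share of packets that never leave the fast path under this policy."""
    actions = [process(p, position, my_addr, customer_prefixes)[0] for p in packets]
    return actions.count("fast") / len(actions)


# Constructed topology: customer on 203.0.113.0/24 behind ISP edge router 192.0.2.1.
CUSTOMER = ("203.0.113.0/24",)
EDGE = "192.0.2.1"

# A minimal TCP connection as seen at the customer edge: one SYN, four more
# setup/teardown segments, one data segment (constructed).
TCP_FLOW = [Packet("203.0.113.7", "198.51.100.1", "tcp", syn=True)] + \
           [Packet("203.0.113.7", "198.51.100.1", "tcp") for _ in range(5)]

if __name__ == "__main__":
    # SYN whose RR option the sender pre-filled with nine bogus hops.
    prefilled = Packet("203.0.113.7", "198.51.100.1", "tcp", syn=True,
                       rr=["10.0.0.%d" % i for i in range(1, 10)])
    print(process(prefilled, Position.CUSTOMER_INGRESS, EDGE, CUSTOMER))
    print(process(Packet("198.18.0.5", "198.51.100.1", "tcp", syn=True),
                  Position.CUSTOMER_INGRESS, EDGE, CUSTOMER))
    print(fast_path_fraction(TCP_FLOW, Position.CUSTOMER_INGRESS, EDGE, CUSTOMER))
```

The edge rule in step 3 is what defeats the "pre-fill the options field" objection quoted above: whatever the customer's SYN carried, the first trusted router overwrites it with a single verified entry, so the recorded route only ever contains hops from the trusted perimeter inward.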