New Denial of Service Attack on Panix

Kent,

Dear NANOG/IEPG Folks;

As you should know by now from reading the papers, Panix, the first ISP in
NYC, has come under a new denial of service attack. The Wall Street Journal
quoted Bill Cheswick to the effect that the attack is "unstoppable". Almost,
but not quite, true.

... XXX ...

Can you explain why you just don't block the IP address of the sender
from your gateway routers? Is the sender using different IP source
addresses in the IP packet? Does the attacker change IP source
addresses? Does the attacker attack the same ports? Use random
source addresses?

This does not seem like a rocket science firewall project,
based on what I have read. Please explain what makes this attack
'rocket science' to stop.

Show me the topology, the router configurations of the gateways,
and the format of the denial-of-service attack packets and I'll
be surprised if I can't devise a scheme to stop it, even if
the attacker changes source addresses frequently (and I'm
happy to do it).

Thanks and Regards,

Tim

==>Show me the topology, the router configurations of the gateways,
==>and the format of the denial-of-service attack packets and I'll
==>be surprised if I can't devise a scheme to stop it, even if
==>the attacker changes source addresses frequently (and I'm
==>happy to do it).

Okay, here you go... come up with a plan.

I have a machine, X. It is directly off FastEthernet 1/1 of my 7513, Y.
My net connection is a T1, off Serial0/0 of Y, to my provider's router, Z.

X is 172.30.15.5/28, Y's Fast1/1 is 172.30.15.1/28, Y's Serial0/0 is
192.168.1.2/30, and Z's serial interface to me is 192.168.1.1/30.

Configuration is standard; the only access list on my router is an outbound
access-list filtering my source addresses to make sure only
packets with sources in 172.30.0.0/16 get out. It's applied in this
fashion:

! egress filter: only my own source addresses may leave toward the provider
access-list 115 permit ip 172.30.0.0 0.0.255.255 any
access-list 115 deny ip any any log
! applied outbound on the T1 toward Z
interface Serial0/0
 ip access-group 115 out

The SYN flood coming towards my host X looks like this, at approximately
2,000 PPS:

182.58.239.2.1526 -> 172.30.15.5.80 TCP SYN
19.23.212.4.10294 -> 172.30.15.5.80 TCP SYN
93.29.233.68.4355 -> 172.30.15.5.80 TCP SYN
[... on and on ...]

Tell me how to filter this.

/cah

The only thing that comes close to the concept of "filtering" is to build
a SYN proxy that replies with SYN-ACK and hangs onto SYN packets until the
ACK is received from the net before actually letting the packets through
to your server. This may require sequence number munging on every packet
but that's generally the kind of thing proxies do.

Of course, such a proxy does not yet exist except possibly as somebody's
home-built box based on some stripped down BSD-ish UNIX kernel with
various modifications. But assuming that you can build a box with enough
horsepower to handle 100baseTx/FDDI/whatever in and
100baseTx/FDDI/whatever out, then this is in the realm of possibility.

Michael Dillon - ISP & Internet Consulting
Memra Software Inc. - Fax: +1-604-546-3049
http://www.memra.com - E-mail: michael@memra.com
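The SYN proxy Michael sketches above (answer every SYN with the proxy's own SYN-ACK, hold state until the client's ACK arrives, then rewrite sequence numbers toward the server), run against a constructed replay of the random-source flood from /cah's post, as an added example that is not part of this thread. Everything in it is a model: the packet class, the 10.0.0.7 client address, the random ISN choices, and the state-table size and timeout are assumptions, not anything from Panix, Cisco, or the posters.

```python
import random
from dataclasses import dataclass

SEQ_MOD = 1 << 32


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str        # "SYN", "SYN-ACK", "ACK" or "PSH-ACK" (simplified)
    seq: int
    ack: int = 0


class SynProxy:
    """Stateful SYN proxy in front of one server:port (a model, not a real stack).

    Every SYN gets the proxy's own SYN-ACK; the client is handed to the server
    only after its ACK completes the handshake. Spoofed SYNs never complete, so
    they cost proxy state (bounded by max_pending and a timeout) but never reach
    the server. Afterwards the proxy rewrites sequence numbers by the offset
    between its ISN and the server's, the "munging" Michael refers to.
    """

    def __init__(self, server, port, max_pending=4096, timeout=3, rng=None):
        self.server, self.port = server, port
        self.max_pending, self.timeout = max_pending, timeout
        self.rng = rng or random.Random()
        self.now = 0
        self.pending = {}      # (src, sport) -> (proxy_isn, expiry time)
        self.established = {}  # (src, sport) -> (proxy_isn, server_isn)
        self.stats = dict(syn=0, synack=0, completed=0, forwarded=0, dropped=0, expired=0)

    def tick(self, seconds=1):
        """Advance the clock and discard half-open entries that never completed."""
        self.now += seconds
        stale = [k for k, (_, exp) in self.pending.items() if exp <= self.now]
        for k in stale:
            del self.pending[k]
        self.stats["expired"] += len(stale)

    def from_client(self, pkt):
        """Return (verdict, packet): a reply to the client, a rewritten packet for the server, or None."""
        key = (pkt.src, pkt.sport)
        if (pkt.dst, pkt.dport) != (self.server, self.port):
            self.stats["dropped"] += 1
            return "drop", None
        if pkt.flags == "SYN":
            self.stats["syn"] += 1
            if len(self.pending) >= self.max_pending:   # half-open table full: shed load
                self.stats["dropped"] += 1
                return "drop", None
            isn = self.rng.getrandbits(32)
            self.pending[key] = (isn, self.now + self.timeout)
            self.stats["synack"] += 1
            return "synack", Packet(self.server, self.port, pkt.src, pkt.sport,
                                    "SYN-ACK", isn, (pkt.seq + 1) % SEQ_MOD)
        if key in self.pending and "ACK" in pkt.flags:
            isn, _ = self.pending[key]
            if pkt.ack == (isn + 1) % SEQ_MOD:
                del self.pending[key]
                # A real proxy now opens its own connection to the server; the
                # server's ISN is modelled here as a random value (assumption).
                self.established[key] = (isn, self.rng.getrandbits(32))
                self.stats["completed"] += 1
                return "established", None
        if key in self.established:
            proxy_isn, server_isn = self.established[key]
            self.stats["forwarded"] += 1
            ack = (pkt.ack - proxy_isn + server_isn) % SEQ_MOD   # client ack -> server's space
            return "forward", Packet(pkt.src, pkt.sport, self.server, self.port, pkt.flags, pkt.seq, ack)
        self.stats["dropped"] += 1
        return "drop", None

    def from_server(self, pkt):
        """Rewrite the server's sequence numbers into the client's view of the connection."""
        key = (pkt.dst, pkt.dport)
        if key not in self.established:
            return None
        proxy_isn, server_isn = self.established[key]
        seq = (pkt.seq - server_isn + proxy_isn) % SEQ_MOD
        return Packet(pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.flags, seq, pkt.ack)


def simulate(flood_pps=2000, seconds=3, seed=1):
    """Replay a constructed random-source flood at the thread's 2,000 PPS, then one
    legitimate client; returns the proxy stats and the two rewritten packets."""
    rng = random.Random(seed)
    proxy = SynProxy("172.30.15.5", 80, rng=random.Random(seed + 1))
    # The three sources quoted in /cah's post, then randomly generated ones.
    for p in [Packet("182.58.239.2", 1526, "172.30.15.5", 80, "SYN", 1),
              Packet("19.23.212.4", 10294, "172.30.15.5", 80, "SYN", 2),
              Packet("93.29.233.68", 4355, "172.30.15.5", 80, "SYN", 3)]:
        proxy.from_client(p)
    for _ in range(seconds):
        for _ in range(flood_pps):
            src = ".".join(str(rng.randrange(1, 255)) for _ in range(4))
            proxy.from_client(Packet(src, rng.randrange(1024, 65536), "172.30.15.5", 80,
                                     "SYN", rng.getrandbits(32)))
        proxy.tick()
    client = ("10.0.0.7", 40000)   # constructed legitimate client
    v1, synack = proxy.from_client(Packet(*client, "172.30.15.5", 80, "SYN", 5000))
    ack = (synack.seq + 1) % SEQ_MOD
    v2, _ = proxy.from_client(Packet(*client, "172.30.15.5", 80, "ACK", 5001, ack))
    v3, to_server = proxy.from_client(Packet(*client, "172.30.15.5", 80, "PSH-ACK", 5001, ack))
    server_isn = proxy.established[client][1]
    from_server = proxy.from_server(Packet("172.30.15.5", 80, *client, "ACK",
                                           (server_isn + 1) % SEQ_MOD, 5002))
    return dict(stats=proxy.stats, verdicts=(v1, v2, v3), proxy_isn=synack.seq,
                server_isn=server_isn, to_server=to_server, from_server=from_server)
```

Running `simulate()` shows the two sides of Michael's point: not one of the six thousand spoofed SYNs produces a server connection, only the client that answers the SYN-ACK does, and the cost moves onto the proxy, whose half-open table fills within a couple of seconds at 2,000 PPS and is kept bounded only by the expiry timer and the table cap. That table churn, plus the per-packet sequence rewrite in both directions, is the "horsepower" the box needs.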