New Denial of Service Attack on Panix

Mailman List Mirror (Read Only)
1

The SYN flood coming towards my host X looks like this, at approximately
2,000 PPS:

182.58.239.2.1526 -> 172.30.15.5.80 TCP SYN
19.23.212.4.10294 -> 172.30.15.5.80 TCP SYN
93.29.233.68.4355 -> 172.30.15.5.80 TCP SYN
[... on and on ...]

Tell me how to filter this.

I don't think you can, there's no pattern. You could rotate your server
address using a very short DNS TTL, though the attacker can follow the
changes using DNS so this isn't all that useful even if it would be fun.

The filtering has to be done at the leaf that's sending you this. If a
provider knows they have only delegated address space PREFIX/LEN to some
downstream provider, then they can put a source address filter on all
traffic coming up the link such that if the source isn't in the delegated
block, the packet is dropped.

There are three reasons why this isn't practical either:

  (1) the number of such leaf points is very, very high;

  (2) the intelligence required to do the filtering is somewhat rare;

  (3) complete and correct coverage is the only way to stop this.

Therefore we are focusing on a more reactive strategy, which is to find a
way to trace these back to the source, and then effect countermeasures.
The leaf provider who's allowing these in probably does not know they are
being used in this way, and they are probably not within the sound of my
voice.

If Cisco routers had TCPDUMP capability this would be a lot simpler. If
all the routers in the universe had TCPDUMP, and all the router operators
had eachother's phone numbers, we could track this to the source in less
than five minutes. Alas, the misfit teenagers of the underworld have
caught us without any of the tools we need be able to track this down.

Damned clever. Now I guess we'll all switch to X.25 after all. We were
so close, too. Rats.

2

==>If Cisco routers had TCPDUMP capability this would be a lot simpler. If
==>all the routers in the universe had TCPDUMP, and all the router operators
==>had eachother's phone numbers, we could track this to the source in less
==>than five minutes. Alas, the misfit teenagers of the underworld have
==>caught us without any of the tools we need be able to track this down.

cisco routers do have tcpdump capability.

lab-2503#debug ip packet detail ?
  <1-199> Access list
  <cr>

You can show all IP packets flowing through the router (with source
address/port/interface, dest address/port/interface, flags, sequence
number, and window size; or limit it based on an access-list (which you'd
want to do in case of a very busy router). Based on the source interface,
you'd trace it to the next link, and go back from there.

The debug output looks like this:

IP: s=172.30.119.242 (Ethernet0), d=204.245.15.11 (BRI0), g=172.30.112.129, len 60, forward
    TCP src=1059, dst=80, seq=74416335, ack=0, win=8192 SYN

Translation:

A packet sourced from 172.30.19.242 which came in on ethernet0, had a
destination of 204.245.15.11. The route-table lookup says our next hop is
not directly connected (hence the g=172.30.12.129), and sent it out to
172.30.12.129 via interface BRI0. It was a TCP packet with source port of
1059, destination port of 80, sequence number of 74416335, wasn't ACKing
any packet, had a window size of 8192 bytes, and had the SYN flag on.

This helps tremendously in tracking down bogus packets (as long as the
hacker keeps the attack up long enough for you to determine the edge of
the network/the next provider in the attack).

/cah