Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id ; Fri, 22 Dec 2000 00:26:11 -0500 Received: (majordomo@vger.kernel.org) by vger.kernel.org id ; Fri, 22 Dec 2000 00:26:01 -0500 Received: from alcove.wittsend.com ([130.205.0.20]:36874 "EHLO alcove.wittsend.com") by vger.kernel.org with ESMTP id ; Fri, 22 Dec 2000 00:25:47 -0500 Date: Thu, 21 Dec 2000 23:55:02 -0500 From: "Michael H. Warfield" To: Mike OConnor Cc: Kernel Mailing List Subject: Re: No more DoS Message-ID: <20001221235502.C18964@alcove.wittsend.com> Mail-Followup-To: Mike OConnor , Kernel Mailing List In-Reply-To: <977453684.3a42c2744fbb7@ppro.pineview.net> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.3.2i In-Reply-To: <977453684.3a42c2744fbb7@ppro.pineview.net>; from kernel@pineview.net on Fri, Dec 22, 2000 at 01:24:44PM +1100 Sender: linux-kernel-owner@vger.kernel.org X-Mailing-List: linux-kernel@vger.kernel.org On Fri, Dec 22, 2000 at 01:24:44PM +1100, Mike OConnor wrote: > Hi > I would like to point who ever is in charge of the TCP stack for the linux > kernel at a site which claims to have a method of eliminate denial of service > (DoS) attacks > http://grc.com/r&d/nomoredos.htm > With my limited unstanding of TCP and DoS attacks this would seem to be the > answer, instead of a work around. Obviously written by someone with no real world experience with DoS attacks. He seems to think that the majority of DoS attacks are SYN floods and disregards all the rest by saying this will eliminate DoS attacks. In fact, SYN floods have been largely ineffective for some time now and comprise a very small percentage of attacks now. From all appearances, his approach would have no effect on attacks like NAPTHA which try to take advantage of more advanced states in the TCP state machine. He actually should take a look at the "Cookie Crumbs" attacks against ISAKMP/IKE (IPSec) which suffer from the same first packet saved state problem. Those guys haven't solved that problem and that's even a security protocol! Maybe he could be some help there (or learn something). We probably see more incidents of TIES bombing (sending packets with "\r+++ATH0\r" in payloads) to hang up modems than we see SYN flooding lately (IMHO). I recently helped and ISP that was virtually shut down by someone TIES bombing them with ping packets containing the TIES hangup sequence. Once we got THEIR modems fixed, the TIES bombs were hanging up their customers modem's (the ICMP Echo Reply) and we had to design a TIES Bomb packet that would reset the vulnerable customer modems to a safe S register value... Grrr... Quite frankly... My favorite DoS attack is NISNuke (which I researched and documented). His approach would have exactly zero effect in mitigating an NISNuke attack and I can take out and entire network with it (all you need is NIS and finger on the same large network). So he can NOT claim to eliminate DoS attacks since I have a small arsenal of them which would be untouched by his approach. While some DDoS (Distributed Denial of Service) attacks do incorporate SYN flooding, their most profound effect is in the bulk attack areas such as Smurf flooding (ICMP echo to broadcast addresses while spoofing the return address as the targeted party) and UDP data overloads. Those have other solutions (such as router filters which prevent spoofing) which we can't even get implimented, much less a tcp stack state machine redesign! He's got a solution (and an ineffective one at that) that's really in search of a problem. It's highly unlikely that it would even make a miniscule dent in the DoS problem. That's even assuming that it would work (which others such as Dave Miller have stated that it wouldn't). He gets a "nice try" but in the long run it boils down to the expression in the IETF... You vote with working code. Let's see the code in operation and see how it works and stands up. If it works and it more robust in the face of ongoing attacks, all hail! Kudos for all around. If not, then don't tell us how it should be. Demonstrate with working code. I didn't seen ANYTHING on that site but a description of how he thought it should work. Vote with working code... > Cheers > Mike OConnor Mike -- Michael H. Warfield | (770) 985-6132 | mhw@WittsEnd.com (The Mad Wizard) | (678) 463-0932 | http://www.wittsend.com/mhw/ NIC whois: MHW9 | An optimist believes we live in the best of all PGP Key: 0xDF1DD471 | possible worlds. A pessimist is sure of it! - To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org Please read the FAQ at http://www.tux.org/lkml/