Re: Internet SYN Flooding, spoofing attacks

To: "Charles E. Perkins" <charliep at iprg.nokia.com>
Subject: Re: Internet SYN Flooding, spoofing attacks
From: Daniel Senie <dts at senie.com>
Date: Mon, 14 Feb 2000 21:57:26 -0500
Cc: Robert Elz <kre at munnari.OZ.AU>, "Donald E. Eastlake 3rd" <dee3 at TORQUE.POTHOLE.COM>, IETF at ietf.org
Organization: Amaranth Networks Inc.
References: <15516.950526307@munnari.OZ.AU> <38A89295.F17D1153@iprg.nokia.com>

"Charles E. Perkins" wrote:
> 
> Robert Elz wrote:
> 
> >                                             There's no good purpose
> > in sending packets with incorrect source addresses I can think of, and
> > stopping the practice is the basic intent of the filters.
> 
> Mobile IP would like to send out packets with the mobile node's
> home address, while it is attached to a network in a foreign
> domain.  The home address is likely to look "incorrect" from
> the standpoint of such a filter.

Mobile IP took advantage of a convenient occurrence of the Internet as
it was, believing all routing would occur based on destination address
only. That is no longer a valid assumption. In response to this changing
world, the Mobile IP folks went back to the drawing board and created
RFC 2344. I suggest folks go implement it. Tunnels are the topologially
correct answer when you're trying to do something like Mobile IP.

Mobile IP also took advantage of directed broadcast in the original
designs, though it is less clear whether anyone actually implemented
using it. See the discussion on this topic in RFC 2644 for more details
on that.

> 
> Plus I don't think the gain is worth the pain.  I'd rather see
> a technology that actually solves the problem instead of swatting
> at gnats with a sledge hammer.

Routing based on source and destination address in combination is
already a possible approach for traffic shaping and firewalling
purposes.

> 
> What if routers could preferentially keep track of things like SYN
> packets and so on for a few seconds, and we had some traceback management
> software and security associations with our neighbors enough to do
> some automatic detection?

So, you'd prefer to have the routers on the Internet be stateful
devices? Somehow, I thought we really didn't want to go there. There are
known issues with some equipment which does fast switching based on
setting up "flows." A design that several folks have come up with relies
on a general purpose processor to program "flow" information into a
silicon-assisted fabric. Such implementations suffer greatly at the
hands of a DoS attack, where flows are coming in at extremely high rate.
State isn't necessarily the answer.

> 
> It might cost 2% more for the memory buffers, geez I don't know.

The memory cost isn't the issue. You're going to pay more for a lot of
ASICs to be doing that operation at wire speed. The work to do what you
suggest adds considerably more complexity than doing filtering at wire
speeds in ASICs (a capability which is available on products shipping
today).

-- 
-----------------------------------------------------------------
Daniel Senie                                        dts at senie.com
Amaranth Networks Inc.            http://www.amaranthnetworks.com

References:
- Re: Internet SYN Flooding, spoofing attacks
  - From: Robert Elz
- Re: Internet SYN Flooding, spoofing attacks
  - From: Charles E. Perkins

Prev by Date: Who is interested in wireless cards for the Adelaide IETF meeting?
Next by Date: Re: Internet SYN Flooding, spoofing attacks
Previous by thread: Re: Internet SYN Flooding, spoofing attacks
Next by thread: Re: Internet SYN Flooding, spoofing attacks
Index(es):
- Date
- Thread

Note Well: Messages sent to this mailing list are the opinions of the senders and do not imply endorsement by the IETF.

Re: Internet SYN Flooding, spoofing attacks

Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.