LWN.net Logo

Not logged in

Log in now

Create an account

Subscribe to LWN

Recent Features

An "enum" for Python 3

An unexpected perf feature

LWN.net Weekly Edition for May 16, 2013

A look at the PyPy 2.0 release

PostgreSQL 9.3 beta: Federated databases and more

Printable page
Weekly edition Kernel Security Distributions Contact Us Search
Archives Calendar Subscribe Write for LWN LWN.net FAQ Sponsors

TCP vulnerability: cancel red alert

TCP vulnerability: cancel red alert

Posted Apr 22, 2004 11:05 UTC (Thu) by jbh (subscriber, #494)
Parent article: TCP vulnerability: cancel red alert

A protocol change seems overkill for a problem that should be rather simple to fix. Any of these would do:

- Make ISPs implement ingress filtering to kill off spoofed source addresses. This is good against all DoS attacks, and I really don't understand why there's not more pressure to do so. Pressure == refusal to peer with ISPs without filtering.

- More randomness in transient port selection. Would make this kind of guessing a few orders of magnitude harder, ie. not practical. I mean, this is hardly a new attack it just haven't been considered practical before.

- Specifically protecting BGP or other vulnerable protocols by either (1) ingress source filtering, (2) ingress TTL filtering (3) md5 signing of packets

Finally, to quote (from memory) davem: Anyone who suggests replying to an RST doesn't understand tcp.

(Log in to post comments)

TCP vulnerability: cancel red alert

Posted Apr 22, 2004 13:16 UTC (Thu) by pflugstad (subscriber, #224) [Link]

- Make ISPs implement ingress filtering to kill off spoofed source addresses. This is good against all DoS attacks, and I really don't understand why there's not more pressure to do so. Pressure == refusal to peer with ISPs without filtering.

This doesn't work except at the very edge of the network. And it creates problems with multi-homed networks where traffic could be going out one connection and back in another. It can't be used on the core of anyones network at all, which is where this type of attack would be most effective. NANOG has had extensive discussions on this subject in the last few months - see their mailing lists. NANOG has also been discussing this problem for the last few days.

Also, with the large number of Zombie systems out there, spoofing IP addresses is not needed for DDoS attacks.

TCP vulnerability: cancel red alert

Posted Apr 22, 2004 18:28 UTC (Thu) by jbh (subscriber, #494) [Link]

All true. Anti-spoof-filtering must be done at the edge. Very few ISPs currently do this, because there is no pressure for them to do so. There is no advantage in doing it. But if everybody did, everybody would be better off. Prisoner's dilemma. Needs "outside" pressure to get to best solution.

Regarding DoS though, while a DoS doesn't require spoofed source addresses, it does make it much much harder to stop.

ingress filtering to stop source address spoofing

Posted Apr 23, 2004 21:28 UTC (Fri) by giraffedata (subscriber, #1954) [Link]

This doesn't work except at the very edge of the network.

Doing it at the edge would probably be sufficient.

In fact, I thought it already was already done there. Can an AOL or Earthlink or Road Runner home Internet user send packets with arbitrary source IP addresses into the Internet? Have we had Internet hacks recently using spoofed IP source addresses?

It doesn't have to be the very edge, does it? Just beyond the point where the Internet becomes a tree. I assume most of the Internet nodes are in that outer region.

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds