Vanilla Netrek Server Development Archive

[VANILLA-L:705] "forging" source addresses



Forgive me for a topic not directly related to the server development, but
I am getting desperate.

Recently Real Time has become a victim of a fairly nasty denial of
service attack (DoS). It's a program called SMURF and it attacks
your bandwidth (T1's).

More or less anyone with some serious bandwidth can send ICMP packets
at a network device in such quantities that your bandwidth gets
totally used. For me, what happens is my T1s run at 100% utilization
and nothing can come in OR go out of the T1s.

In the past I have put an access list into the cisco to prevent
these packets from flooding my network. The access list was based on
the source address of the packet(s).

This does not work anymore. The new SMURF can somehow change the
source address of every packet AND it can change the protocol on every
packet. So, my only resort has been to put a filter into the cisco
that prevents ALL traffic going to the device being attacked. This is
not a very good solution especially when they attack the mail server
or our file server.

In particular the netrek server is a target. I have a feeling it is
some twink that was banned and this is his pay back.

So, here are my questions to you guru programmers.

How does one change the source addresses of a packet? I want to know
so I understand the attack better and thus try to formulate a solution
to prevent this attack.

From my knowledge of TCP/IP clients that use Berkeley sockets, the local
part of the socket is set when connect() is called. But I have been
unable to figure out how to change the source address of the packet.

Can anyone think of a way to trace where the attacks are coming from?
Without the source address I am really at a loss.

Finally, is there any way to prevent this sort of attack? A
random source address, random protocol and hitting random ports all
make for a difficult firewall.

Thanks.



-- 
Bob Tanner <tanner@real-time.com>       | Phone : 612.943.8700
http://www.real-time.com                | Fax   : 612.943.8300
Key fingerprint =  6C E9 51 4F D5 3E 4C 66 62 A9 10 E5 35 85 39 D9 
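The message above describes the defender's core problem: a source-address access list worked while the flood came from fixed addresses, and stopped working once every packet carried a different forged source and protocol. The following is an added example (not part of the original post, not code from the Vanilla server or from Real Time) showing the detection logic that makes that distinction visible in traffic summaries. It assumes a hypothetical record format of "seconds src dst proto" per line; the sample records are constructed with documentation address ranges, and the thresholds are illustrative.

```python
"""Distinguish a spoofed-source flood from a single-source flood.

Added example for the SMURF discussion; the record format, thresholds and
sample data are assumptions, not a real router log format.
"""
from collections import defaultdict

# Constructed sample records: "<seconds> <src> <dst> <proto>".
# 198.51.100.5  receives a flood where every packet has a different source
#               and the protocol varies (the case the post describes).
# 198.51.100.20 receives a flood from one fixed source (the old case).
# 198.51.100.9  sees a handful of ordinary packets.
SAMPLE_RECORDS = """\
0 192.0.2.10 198.51.100.5 icmp
0 192.0.2.11 198.51.100.5 icmp
0 192.0.2.12 198.51.100.5 udp
1 192.0.2.13 198.51.100.5 icmp
1 192.0.2.14 198.51.100.5 tcp
1 192.0.2.15 198.51.100.5 icmp
2 192.0.2.16 198.51.100.5 icmp
2 192.0.2.17 198.51.100.5 udp
0 203.0.113.9 198.51.100.20 icmp
0 203.0.113.9 198.51.100.20 icmp
1 203.0.113.9 198.51.100.20 icmp
1 203.0.113.9 198.51.100.20 icmp
2 203.0.113.9 198.51.100.20 icmp
2 203.0.113.9 198.51.100.20 icmp
0 203.0.113.7 198.51.100.9 tcp
1 203.0.113.7 198.51.100.9 tcp
2 203.0.113.7 198.51.100.9 tcp
"""


def parse_records(text):
    """Parse lines into (t, src, dst, proto) tuples, skipping malformed lines."""
    out = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        try:
            t = int(parts[0])
        except ValueError:
            continue
        out.append((t, parts[1], parts[2], parts[3]))
    return out


def summarize_by_destination(records):
    """Per destination: packet count, distinct sources, distinct protocols."""
    stats = defaultdict(lambda: {"packets": 0, "sources": set(), "protos": set()})
    for _, src, dst, proto in records:
        s = stats[dst]
        s["packets"] += 1
        s["sources"].add(src)
        s["protos"].add(proto)
    return stats


def classify(stats, min_packets=5, spoof_ratio=0.8):
    """Label each destination.

    A destination under load whose distinct-source count is close to its
    packet count is receiving forged sources: a source-based access list
    would need one entry per packet and still miss the next one.  A flood
    from a small, stable set of sources is the case a source ACL handles.
    """
    verdicts = {}
    for dst, s in stats.items():
        if s["packets"] < min_packets:
            verdicts[dst] = "normal"
            continue
        ratio = len(s["sources"]) / s["packets"]
        verdicts[dst] = "flood-spoofed" if ratio >= spoof_ratio else "flood-single-source"
    return verdicts


def filter_advice(stats, verdicts):
    """Say, per flooded destination, whether a source ACL can help."""
    advice = {}
    for dst, verdict in verdicts.items():
        s = stats[dst]
        if verdict == "flood-single-source":
            advice[dst] = "source ACL effective: deny %s" % ", ".join(sorted(s["sources"]))
        elif verdict == "flood-spoofed":
            advice[dst] = ("source ACL ineffective (%d distinct sources, %d protocols); "
                           "rate-limit or filter by destination and involve the upstream"
                           % (len(s["sources"]), len(s["protos"])))
    return advice


if __name__ == "__main__":
    st = summarize_by_destination(parse_records(SAMPLE_RECORDS))
    v = classify(st)
    for dst, text in filter_advice(st, v).items():
        print(dst, "->", v[dst], "|", text)
```

The ratio test is the point: with real sources the same addresses repeat and the ACL stays short; with forged sources the address space never repeats, so the only handle left is the destination (rate limiting or temporary blocking, as the post ends up doing) and cooperation from the upstream provider, which can see the traffic before the source is lost.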
+
++ Vanilla-l Mailing List ++
To unsubscribe: send "unsubscribe vanilla-l" to majordomo@real-time.com
For more information: http://archives.real-time.com

