Trends, Descriptions, and How to Protect Your Network

Craig A. Huegen <chuegen@cisco.com>

Cisco Systems, Inc.

NANOG 13 -- Dearborn, MI -- June 9, 1998
Significant increase in network-based Denial-of-Service attacks over the last year

Attackers’ growing accessibility to networks

Growing number of organizations connected to networks

Vulnerability

Most networks have not implemented spoof prevention filters

Very little protection currently implemented against attacks
Tools of the Trade

Anonymity

Internet Relay Chat

Cracked super-user account on enterprise network

Super-user account on university residence hall network

“Throw-away” PPP dial-up accounts

Typical Victims

IRC Users, Operators, and Servers

Providers who eliminate troublesome users’ accounts
Prevent another user from using network connection

“Smurf” and “Fraggle” attacks, “pepsi” (UDP floods), ping floods

Disable a host or service

“Land”, “Teardrop”, “NewTear”, “Bonk”, “Boink”, SYN flooding, “Ping of death”

Traffic monitoring

Sniffing
Very dangerous attacks

Network-based, fills access pipes

Uses ICMP echo/reply (smurf) or UDP echo (fraggle) packets with broadcast networks to multiply traffic

Requires the ability to send spoofed packets

Abuses “bounce-sites” to attack victims

Traffic multiplied by a factor of 50 to 200

Low-bandwidth source can kill high-bandwidth connections

Similar traffic content to ping, UDP flooding but more dangerous due to traffic multiplication
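The bounce pattern described above, as an added example that is not part of the original presentation: a small Python detector run over constructed flow records (timestamp, source, destination, protocol, and the ICMP type or UDP source port). It flags a bounce site when many distinct hosts inside one /24 send echo replies to a single destination within a short window, which is what the victim's upstream sees during a smurf (ICMP) or fraggle (UDP echo) attack. The record layout, the /24 grouping and the thresholds are assumptions of this example.

```python
"""Added example: detect a smurf/fraggle bounce in flow records (constructed data)."""
import ipaddress
from collections import defaultdict

ICMP, UDP = 1, 17
ICMP_ECHO_REPLY = 0   # ICMP type 0
UDP_ECHO_PORT = 7     # UDP echo service; fraggle replies leave from this port


# Each record: (timestamp_s, src, dst, proto, svc) where svc is the ICMP type for
# ICMP and the *source* port for UDP. This layout is an assumption of the example.
def constructed_flows():
    """Build a synthetic flow log: background traffic plus two bounce events."""
    flows = [
        (99.0, "198.51.100.7", "203.0.113.9", UDP, 53),                # DNS reply, unrelated
        (99.5, "198.51.100.8", "203.0.113.9", ICMP, ICMP_ECHO_REPLY),  # one normal ping reply
        (100.2, "192.0.2.200", "203.0.113.77", ICMP, ICMP_ECHO_REPLY), # different destination
    ]
    # Smurf: 60 hosts on 192.0.2.0/24 answer one spoofed broadcast echo request,
    # so 60 echo replies hit the victim 203.0.113.9 within the same second.
    for host in range(1, 61):
        flows.append((100.0 + host / 100.0, f"192.0.2.{host}", "203.0.113.9", ICMP, ICMP_ECHO_REPLY))
    # Fraggle: 30 hosts on 198.51.100.0/24 answer a spoofed UDP echo sent to their broadcast address.
    for host in range(1, 31):
        flows.append((200.0 + host / 100.0, f"198.51.100.{host}", "203.0.113.9", UDP, UDP_ECHO_PORT))
    return flows


def is_echo_reply(proto, svc):
    """True for the reply traffic a bounce site emits toward the victim."""
    return (proto == ICMP and svc == ICMP_ECHO_REPLY) or (proto == UDP and svc == UDP_ECHO_PORT)


def find_bounce_events(flows, window=2.0, min_sources=20):
    """Group echo replies by (source /24, destination, protocol) and report every
    group in which at least `min_sources` distinct hosts replied within `window`
    seconds. Returns sorted (bounce_net, victim, proto, distinct_sources) tuples."""
    groups = defaultdict(list)
    for ts, src, dst, proto, svc in flows:
        if not is_echo_reply(proto, svc):
            continue
        net = ipaddress.ip_network(f"{src}/24", strict=False)   # assume /24 bounce networks
        groups[(net, dst, proto)].append((ts, src))

    events = []
    for (net, dst, proto), entries in groups.items():
        entries.sort()
        lo, peak = 0, 0
        for hi in range(len(entries)):          # sliding time window over the replies
            while entries[hi][0] - entries[lo][0] > window:
                lo += 1
            peak = max(peak, len({src for _, src in entries[lo:hi + 1]}))
        if peak >= min_sources:
            events.append((str(net), dst, proto, peak))
    return sorted(events)


if __name__ == "__main__":
    for net, victim, proto, n in find_bounce_events(constructed_flows()):
        kind = "smurf (ICMP)" if proto == ICMP else "fraggle (UDP echo)"
        print(f"{kind}: {n} hosts in {net} replying to {victim}")
```

The count of distinct replying hosts per request is the amplification factor the slide quotes, so the number reported for each event is also a direct measure of how much a bounce site is multiplying the attacker's traffic.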
How to prevent your network from being the source of the attack:

Apply filters to each customer network

Apply filters to your upstreams

This removes the possibility of your network being used as an attack source for many attacks which rely on anonymity (source spoof)
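One way to model the two filters these steps describe (example code added here, not from the presentation or from Cisco): an ingress check that lets a customer-facing interface carry only that customer's assigned source prefixes, and an upstream check that drops packets arriving from outside with a source inside the provider's own address space. The interface names, prefixes and access-list number are constructed for the example; the IOS extended access-list lines are rendered only to show the shape of the per-customer filter.

```python
"""Added example: model of customer-facing ingress filters and an upstream filter."""
import ipaddress

# Constructed topology (assumptions of the example, not from the presentation).
# Customer interface -> the prefixes assigned to that customer. Only those may
# appear as the source address of packets arriving on that interface.
CUSTOMER_PREFIXES = {
    "Serial0/1": [ipaddress.ip_network("192.0.2.0/24")],
    "Serial0/2": [ipaddress.ip_network("198.51.100.0/25"),
                  ipaddress.ip_network("198.51.100.128/26")],
}
# Everything this provider originates. Packets arriving from the upstream must
# never claim a source inside this space.
OUR_PREFIXES = [ipaddress.ip_network("192.0.2.0/24"),
                ipaddress.ip_network("198.51.100.0/24")]
UPSTREAM_IF = "Serial1/0"


def ingress_permits(interface, src):
    """Decide whether a packet with source `src` may enter on `interface`."""
    src = ipaddress.ip_address(src)
    if interface == UPSTREAM_IF:
        # Filter toward the upstream: our own prefixes cannot legitimately arrive from outside.
        return not any(src in net for net in OUR_PREFIXES)
    allowed = CUSTOMER_PREFIXES.get(interface)
    if allowed is None:
        return False          # unknown interface: deny by default
    return any(src in net for net in allowed)


def drop_spoofed(packets):
    """Return the (interface, src, dst) packets the filters would drop."""
    return [p for p in packets if not ingress_permits(p[0], p[1])]


def customer_acl(number, prefixes):
    """Render the equivalent IOS extended access list for one customer interface
    (one permit per assigned prefix, then deny everything else)."""
    lines = [f"access-list {number} permit ip {net.network_address} {net.hostmask} any"
             for net in prefixes]
    lines.append(f"access-list {number} deny ip any any log")
    return lines


if __name__ == "__main__":
    sample = [
        ("Serial0/1", "192.0.2.10", "203.0.113.9"),      # customer's own address: permitted
        ("Serial0/1", "203.0.113.5", "192.0.2.255"),     # spoofed source from a customer link
        ("Serial1/0", "192.0.2.10", "203.0.113.9"),      # our own space arriving from upstream
        ("Serial0/2", "198.51.100.200", "203.0.113.9"),  # outside the customer's two blocks
    ]
    for pkt in drop_spoofed(sample):
        print("drop", pkt)
    print("\n".join(customer_acl(101, CUSTOMER_PREFIXES["Serial0/1"])))
```

The second customer shows the case that matters in practice: a customer holding two blocks out of a /24 must be filtered on exactly those blocks, not on the enclosing /24, or the unassigned part of the range becomes usable as a spoofed source.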
How to prevent being a “bounce site” in a “Smurf” or “Fraggle” attack:

Turn off directed broadcasts to networks:

Cisco: Interface command “no ip directed-broadcast”

As of 12.0, this is default (CSCdj31162)

Proteon: IP protocol configuration “disable directed-broadcast”

Bay Networks: Set a false static ARP address for bcast address

3Com: SETDefault -IP CONTrol = NoFwdSubnetBcast

Use access control lists (if necessary) to prevent ICMP echo requests from entering your network

Configure host machines to not reply to broadcast ICMP echoes
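The router-side decision that the vendor commands above control, as an added Python model (not code from the presentation or from any vendor): classify a destination as unicast, directed broadcast or limited broadcast against the router's connected subnets, then forward a directed broadcast only where the equivalent of “ip directed-broadcast” is still enabled on the destination interface. Interface names and subnets are constructed for the example.

```python
"""Added example: a router's directed-broadcast forwarding decision."""
import ipaddress

LIMITED_BROADCAST = ipaddress.ip_address("255.255.255.255")

# Constructed router: connected interface -> subnet (assumptions of the example).
INTERFACES = {
    "Ethernet0": ipaddress.ip_network("192.0.2.0/24"),
    "Ethernet1": ipaddress.ip_network("198.51.100.0/26"),
}


def classify_destination(dst, interfaces=INTERFACES):
    """Return ("limited-broadcast", None), ("directed-broadcast", iface) or ("unicast", None)."""
    dst = ipaddress.ip_address(dst)
    if dst == LIMITED_BROADCAST:
        return ("limited-broadcast", None)
    for name, net in interfaces.items():
        # /31 and /32 links have no broadcast address; only real subnets can bounce.
        if net.prefixlen < 31 and dst == net.broadcast_address:
            return ("directed-broadcast", name)
    return ("unicast", None)


def should_forward(dst, directed_broadcast_enabled, interfaces=INTERFACES):
    """Apply the per-interface setting: with the equivalent of
    "no ip directed-broadcast" (False) a directed broadcast is dropped instead of
    being turned into a link-layer broadcast on that LAN."""
    kind, iface = classify_destination(dst, interfaces)
    if kind == "limited-broadcast":
        return False                      # never forwarded off the local link
    if kind == "directed-broadcast":
        return directed_broadcast_enabled.get(iface, False)
    return True


def exploded_packets(packets, directed_broadcast_enabled, interfaces=INTERFACES):
    """Of (src, dst) packets, return those that would reach every host on a LAN,
    i.e. the ones a bounce site with directed broadcasts still on would amplify."""
    return [p for p in packets
            if classify_destination(p[1], interfaces)[0] == "directed-broadcast"
            and should_forward(p[1], directed_broadcast_enabled, interfaces)]


if __name__ == "__main__":
    legacy = {"Ethernet0": True, "Ethernet1": True}     # directed broadcasts left on
    hardened = {"Ethernet0": False, "Ethernet1": False} # "no ip directed-broadcast" everywhere
    probes = [("203.0.113.9", "192.0.2.255"), ("203.0.113.9", "198.51.100.63"),
              ("203.0.113.9", "198.51.100.255"), ("203.0.113.9", "192.0.2.10")]
    print("legacy  :", exploded_packets(probes, legacy))
    print("hardened:", exploded_packets(probes, hardened))
```

Note that 198.51.100.255 is classified as plain unicast here because the router only has the /26 configured; the broadcast address that matters is the one of the subnet actually on the interface (198.51.100.63), which is what an audit of a bounce site has to check rather than assuming classful boundaries.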
Unicast RPF checking & CEF
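Unicast RPF as an added example (not from the presentation): a strict reverse-path check against a constructed forwarding table, which accepts a packet only when the longest-match route back to its source leaves by the interface the packet arrived on. The FIB entries and interface names are assumptions of the example; the allow_default switch mirrors the choice of whether a default route counts as a valid return path.

```python
"""Added example: strict unicast RPF against a constructed forwarding table."""
import ipaddress

# Constructed FIB (assumption of the example): prefix -> outgoing interface.
FIB = {
    ipaddress.ip_network("192.0.2.0/24"): "Serial0/1",
    ipaddress.ip_network("198.51.100.0/24"): "Serial0/2",
    ipaddress.ip_network("198.51.100.128/25"): "Serial0/3",   # more specific, different customer
    ipaddress.ip_network("0.0.0.0/0"): "Serial1/0",           # default route toward the upstream
}


def fib_lookup(fib, addr):
    """Longest-prefix match; returns (prefix, interface) or None."""
    addr = ipaddress.ip_address(addr)
    best = None
    for net, iface in fib.items():
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best


def urpf_strict_pass(fib, in_iface, src, allow_default=False):
    """Strict uRPF: accept the packet only if the route back to `src` leaves by
    the interface the packet arrived on. `allow_default` decides whether a match
    on the default route counts as a valid return path."""
    match = fib_lookup(fib, src)
    if match is None:
        return False
    net, out_iface = match
    if net.prefixlen == 0 and not allow_default:
        return False
    return out_iface == in_iface


def filter_packets(fib, packets, allow_default=False):
    """Split (in_iface, src, dst) packets into (passed, dropped) lists."""
    passed, dropped = [], []
    for pkt in packets:
        (passed if urpf_strict_pass(fib, pkt[0], pkt[1], allow_default) else dropped).append(pkt)
    return passed, dropped


if __name__ == "__main__":
    sample = [
        ("Serial0/1", "192.0.2.5", "203.0.113.9"),        # genuine customer source
        ("Serial0/1", "198.51.100.5", "203.0.113.9"),     # spoofed: route to source points elsewhere
        ("Serial0/3", "198.51.100.200", "203.0.113.9"),   # /25 longest match wins: passes on Serial0/3
        ("Serial0/2", "198.51.100.200", "203.0.113.9"),   # same source on the /24 interface: dropped
        ("Serial1/0", "203.0.113.9", "192.0.2.5"),        # only reachable via the default route
    ]
    for label, allow in (("default route not trusted", False), ("default route trusted", True)):
        passed, dropped = filter_packets(FIB, sample, allow)
        print(f"{label}: passed {len(passed)}, dropped {len(dropped)}")
```

The check is only as good as the symmetry of the routing: on an interface where traffic legitimately arrives over a path other than the one the FIB would use to reach the source (a multihomed customer, for instance), strict mode drops good packets, so it fits single-homed customer and edge interfaces, which is also where the spoofed traffic originates.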
Inter-provider Cooperation

Network Operations Centers should publish proper procedures for getting filters put in place and tracing started

IOPS working group

Detailed “Smurf” and “Fraggle” information

http://www.quadrunner.com/~chuegen/smurf/

Ingress filtering

RFC 2276

Other DoS attacks

See expanded presentation at http://www.quadrunner.com/~chuegen/smurf/980513_dos

Craig Huegen

<chuegen@cisco.com>

Questions?