From owner-freebsd-security Wed Sep 19 13:49:40 2001
Delivered-To: freebsd-security@freebsd.org
Received: from lariat.org (lariat.org [12.23.109.2]) by hub.freebsd.org (Postfix) with ESMTP id 500B237B415 for ; Wed, 19 Sep 2001 13:49:31 -0700 (PDT)
Received: from mustang.lariat.org (IDENT:ppp0.lariat.org@lariat.org [12.23.109.2]) by lariat.org (8.9.3/8.9.3) with ESMTP id OAA14578; Wed, 19 Sep 2001 14:49:13 -0600 (MDT)
Message-Id: <4.3.2.7.2.20010919143740.059c5be0@localhost>
X-Sender: brett@localhost
X-Mailer: QUALCOMM Windows Eudora Version 4.3.2
Date: Wed, 19 Sep 2001 14:46:29 -0600
To: Rob Simmons
From: Brett Glass
Subject: Re: Defense against "Code Rainbow"
Cc:
In-Reply-To: <20010919135456.M62587-100000@mail.wlcg.com>
References: <4.3.2.7.2.20010919112438.0598b8b0@localhost>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

At 12:01 PM 9/19/2001, Rob Simmons wrote:

>This poses the same problem as allowing snort, or snort-like NIDS systems
>access to your firewall rules. It opens a new window for DoS attacks.
>If some nefarious person figured out that you are doing such a thing, they
>could spoof attacks from many addresses and cripple the server.

It'd be tough. They'd have to get past the 3-way handshake and submit an HTTP GET request. It's easy to spoof UDP, or a single SYN, but not a fully established socket.

>A much better approach is something like hogwash, which will only block
>the attack itself, allowing all normal traffic to pass.
>
>http://hogwash.sourceforge.net/

Trouble is, by the time you get to the telltale packet, you've invested the overhead of opening a socket and firing up a process to receive the HTTP request. The idea behind firewalling is to eliminate that overhead.
Sheldon Hearn, in private e-mail, mentioned that an attack from behind a transparent proxy or NAT router could cause us to drop all requests from the entire site. If we firewall the IP address for all destination port numbers, then this is indeed a concern. But if we block Port 80, the most innocent users will lose is access to a Web server. This is usually a reasonable tradeoff.

--Brett

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
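The scheme argued over in this message, written out as an added example (it is not code from the mail, from hogwash, or from any FreeBSD tool): a block decision is made only after a fully established TCP connection has delivered the telltale request, and the emitted rule denies the source on TCP port 80 alone rather than on every port, which is the tradeoff Brett settles on for sites behind a NAT router or transparent proxy. The `ipfw`-style rule syntax, the `/default.ida?` request pattern, the sample traffic and the one-hour expiry of a block entry are all assumptions made for this example; the mail itself names none of them.

```python
"""
Auto-blocker sketch for a worm that announces itself with one HTTP request.

A source is blocked only once an established connection has handed us the
telltale request (a spoofed SYN or UDP datagram never gets this far), the
deny rule covers only the web port, and the entry expires so that a whole
NAT/proxy site is not cut off for good.
"""
import re

# Assumed telltale request line (constructed placeholder; the mail never
# spells out the worm's request).  A match on the first line triggers a block.
TELLTALE = re.compile(rb"^GET /default\.ida\?")

WEB_PORT = 80
BLOCK_TTL = 3600  # seconds a block entry lives; an assumption, not from the mail


def is_telltale(request: bytes) -> bool:
    """True if the first line of a raw HTTP request matches the signature."""
    first_line = request.split(b"\r\n", 1)[0]
    return TELLTALE.match(first_line) is not None


def block_rule(src_ip: str, all_ports: bool = False) -> str:
    """Return an ipfw-style deny rule (syntax assumed for this example).

    all_ports=True is the variant the mail warns against: every service from
    the whole source address, perhaps a NAT gateway, goes dark.  The default
    limits the deny to the web port, so at worst that site loses port 80.
    """
    if all_ports:
        return f"ipfw add deny ip from {src_ip} to any"
    return f"ipfw add deny tcp from {src_ip} to any {WEB_PORT}"


class Blocklist:
    """Time-limited record of sources we have asked the firewall to deny."""

    def __init__(self, ttl: int = BLOCK_TTL):
        self.ttl = ttl
        self._expiry = {}  # src_ip -> time the block lapses

    def add(self, src_ip: str, now: float) -> None:
        self._expiry[src_ip] = now + self.ttl

    def is_blocked(self, src_ip: str, now: float) -> bool:
        lapse = self._expiry.get(src_ip)
        if lapse is None:
            return False
        if now >= lapse:
            del self._expiry[src_ip]  # entry expired; source may try again
            return False
        return True

    def active(self, now: float):
        return sorted(ip for ip, lapse in self._expiry.items() if now < lapse)


def handle_request(src_ip: str, request: bytes, blocklist: Blocklist, now: float) -> str:
    """Act on one request that arrived over an already established connection.

    Returns "served", "dropped" (source currently blocked; in practice the
    firewall rule keeps these packets from ever reaching us) or the deny rule
    to install when the request is the telltale one.
    """
    if blocklist.is_blocked(src_ip, now):
        return "dropped"
    if is_telltale(request):
        blocklist.add(src_ip, now)
        return block_rule(src_ip)
    return "served"


# Constructed sample traffic: (seconds since start, source address, raw request).
SAMPLE = [
    (0.0, "192.0.2.10", b"GET /index.html HTTP/1.0\r\nHost: www.example.org\r\n\r\n"),
    (1.0, "198.51.100.7", b"GET /default.ida?XXXXXXXX HTTP/1.0\r\n\r\n"),
    (2.0, "198.51.100.7", b"GET /index.html HTTP/1.0\r\n\r\n"),
    (3700.0, "198.51.100.7", b"GET /index.html HTTP/1.0\r\n\r\n"),
]


def run(sample=SAMPLE, ttl: int = BLOCK_TTL):
    """Feed the sample through one blocklist and return the action per request."""
    blocklist = Blocklist(ttl)
    return [handle_request(src, req, blocklist, t) for t, src, req in sample]


if __name__ == "__main__":
    for (t, src, _), action in zip(SAMPLE, run()):
        print(f"t={t:>6.0f}  {src:<14} {action}")
```

Running it shows the innocent client served, the worm source answered with a port-80-only deny rule, the same source's next request dropped while the entry is live, and the source served again once the entry has lapsed; `block_rule(ip, all_ports=True)` prints the broader rule the mail argues against so the two can be compared side by side.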