Date:      Wed, 19 Sep 2001 14:46:29 -0600
From:      Brett Glass <brett@lariat.org>
To:        Rob Simmons <rsimmons@wlcg.com>
Cc:        <security@FreeBSD.ORG>
Subject:   Re: Defense against "Code Rainbow"
Message-ID:  <4.3.2.7.2.20010919143740.059c5be0@localhost>
In-Reply-To: <20010919135456.M62587-100000@mail.wlcg.com>
References:  <4.3.2.7.2.20010919112438.0598b8b0@localhost>

At 12:01 PM 9/19/2001, Rob Simmons wrote:

>This poses the same problem as allowing snort, or snort-like NIDS systems
>access to your firewall rules.  It opens a new window for DOS attacks.
>If some nefarious person figured out that you are doing such a thing, they
>could spoof attacks from many addresses and cripple the server.

It'd be tough. They'd have to get past the 3-way handshake and submit
an HTTP GET request. It's easy to spoof UDP, or a single SYN, but not
a fully established socket.

>A much better approach is something like hogwash, which will only block
>the attack itself, allowing all normal traffic to pass.
>
>http://hogwash.sourceforge.net/

Trouble is, by the time you get to the telltale packet, you've invested
the overhead of opening a socket and firing up a process to receive
the HTTP request. The idea behind firewalling is to eliminate that
overhead.

Sheldon Hearn, in private e-mail, mentioned that an attack from behind
a transparent proxy or NAT router could cause us to drop all requests
from the entire site. If we firewall the IP address for all destination
port numbers, then this is indeed a concern. But if we block Port 80,
the most innocent users will lose is access to a Web server. This is
usually a reasonable tradeoff.

--Brett
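As an added illustration of the tradeoff discussed in this message (not code from Brett or from the thread): a Web-server log entry exists only after a completed 3-way handshake and a received GET, and the generated ipfw rule denies only TCP port 80 from the offending address, so users behind the same NAT router or transparent proxy lose Web access rather than all connectivity. The worm request string, the threshold and the log lines are constructed assumptions.

```shell
#!/bin/sh
# Constructed assumptions: the request substring that identifies the worm,
# and how many hits an address must produce before it is blocked.
SIGNATURE='default.ida'
THRESHOLD=2

# Constructed Apache common-log-format lines; not real traffic.
# Each line implies a completed TCP handshake plus a real HTTP request,
# which a spoofed SYN or UDP datagram cannot produce.
SAMPLE_LOG='10.0.0.5 - - [19/Sep/2001:12:00:01 -0600] "GET /default.ida?XXXX HTTP/1.0" 404 -
10.0.0.5 - - [19/Sep/2001:12:00:02 -0600] "GET /default.ida?XXXX HTTP/1.0" 404 -
10.0.0.9 - - [19/Sep/2001:12:00:03 -0600] "GET /index.html HTTP/1.0" 200 1234
192.0.2.7 - - [19/Sep/2001:12:00:04 -0600] "GET /default.ida?NNNN HTTP/1.0" 404 -'

# gen_rules: read log lines on stdin, print one ipfw rule per address that
# reached THRESHOLD hits on the signature. The rule is scoped to destination
# port 80 only, so other services from a shared NAT address keep working.
# Rules are printed, not executed; pipe to sh only after review.
gen_rules() {
    awk -v sig="$SIGNATURE" -v thr="$THRESHOLD" '
        # In common log format $1 is the client address and $7 the request
        # path; index() is a plain substring test, so regex metacharacters
        # in the signature need no escaping.
        index($7, sig) { hits[$1]++ }
        END {
            for (ip in hits)
                if (hits[ip] >= thr)
                    printf "ipfw add deny tcp from %s to any 80\n", ip
        }' | sort
}

# Stand-alone run over the constructed sample: only 10.0.0.5 reaches the
# threshold; 192.0.2.7 has a single hit and is left alone.
printf '%s\n' "$SAMPLE_LOG" | gen_rules
```

Denying the address for all destination ports instead (dropping the trailing `80`) is what causes the whole-site lockout Sheldon Hearn warned about.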