Date: Sat, 7 Sep 1996 11:44:18 -0400 (EDT)
From: Brian Tao <taob@io.org>
To: FREEBSD-SECURITY-L <freebsd-security@freebsd.org>, BUGTRAQ@NETSPACE.ORG
Subject: Panix Attack: synflooding and source routing?
Message-ID: <Pine.NEB.3.92.960907114113.240B-100000@zap.io.org>
Wouldn't turning off source-routing on your border router
alleviate most of this problem? It won't help if you have someone
synflooding a port from within your network, but at least it would
prevent outside attacks. Or is this a "one-way" attack (i.e., a
return route to host is not needed)?
--
Brian Tao (BT300, taob@io.org, taob@ican.net)
Senior Systems and Network Administrator, Internet Canada Corp.
"Though this be madness, yet there is method in't"
---------- Forwarded message ----------
>Return-Path: <Peter_Kelk@kelk.com>
>To: mcarr <mcarr@ican.net>
>From: Peter Kelk/Kelk <Peter_Kelk@kelk.com>
>Date: 7 Sep 96 9:19:38
>Subject: Important Warning
>X-Lotus-Type: Corresp
>
>Mike, I received this from my brother in law in New York City. Thought it
>might be useful for Ican.
>
>
> W E L C O M E T O P A N I X
>
>
>Panix under attack! (alexis) Sat Sep 7 01:43:27 1996
>
> Friday evening, starting at around 5:45, all of Panix's main mail
> hosts were attacked from a site somewhere on the internet. I have been
> trying to deal with this problem ever since, and the attack is still
> happening at this time.
>
> The attacker is forging random source addresses on his packets, so
> there is no way to find his/her location. There is also no way to screen
> out those packets with a simple router filter.
>
> This is probably the most deadly type of denial-of-service attack
> possible. There is no easy or quick way of dealing with it. If it continues
> into Saturday we will start working on kernel modifications to try to
> absorb the damage (since there's absolutely no way to avoid it). This
> however will not be an easy job and it could take days to get done (and
> get done right).
>
> For those who are IP hackers, the problem is that we're being flooded
> with SYNs from random IP addresses on our smtp ports. We are getting
> on average 150 packets per second (50 per host).
>
> We are not the only site being attacked in this way. I know of one
> other site that is being attacked in an identical manner right now,
> and I know of three others that have been attacked in the last two weeks.
> I hope that this means that the attacker is merely playing malicious
> games, and will soon tire of molesting our site. If that is the case,
> mail will come back up as soon as the attack ends. But if the attacker
> is really interested in damaging Panix specifically, the attack may
> *never* stop and service won't be restored until we can write kernel
> modifications.
>
> We fully understand how terrible this is. The really scary part is that
> *no* site on the net is immune. No site can unilaterally do *Anything*
> to protect or defend itself against this sort of attack. Only through
> cooperation between the major (and minor!) providers can this sort of
> problem be eliminated, and the large providers so far aren't showing
> any interest in the problem (we are a Sprint customer, and tonight when
> we asked for help tracing the packets back at least to their entry point
> in Sprint's net, Sprint basically told us to drop dead).
>
> In case anyone's wondering, I spoke to CERT (In particular, Jim Ellis)
> for over 90 minutes tonight. Yes, Panix and CERT have buried the hatchet.
> CERT agrees with us about the gravity of the situation. They also see
> no immediate solution to the problem.
>
> I'll try and post information about this to panix.announce, and deal with
> discussion in panix.upgrade (for want of a better place), but that
> won't happen immediately since I'm working on several things at once
> right now trying to deal with this problem.
>
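The queue exhaustion the Panix note describes, as an added example that is not part of the original mail or of Panix's kernel work: a Python model of a server's half-open connection table under the 50 SYN/s per host the note reports. The backlog sizes and the 75 s SYN-RCVD timer are assumptions for illustration; the model shows why a table sized for normal load collapses under forged SYNs that never complete, and why absorbing the flood is a kernel-side change (more slots, a shorter timer) rather than a router filter on source addresses that are different for every packet.

```python
# Added example (not from the original mail or Panix's kernel work): a model of
# the half-open connection table that a spoofed-SYN flood fills. A SYN holds a
# slot until the handshake completes or a SYN-RCVD timer expires; forged sources
# never answer, so at r SYN/s and timeout T the table needs about r*T slots.
# Capacity/timeout values are assumptions for illustration, not Panix's settings.
import heapq
from collections import OrderedDict

def slots_needed(syn_rate, timeout):
    """Half-open slots a flood of syn_rate SYN/s pins down for timeout seconds."""
    return syn_rate * timeout

class SynQueue:
    """Fixed-capacity half-open table with a per-entry SYN-RCVD timeout."""
    def __init__(self, capacity, timeout):
        self.capacity, self.timeout = capacity, timeout
        self.pending = OrderedDict()  # key -> SYN arrival time, oldest first

    def offer_syn(self, now, key):
        """Admit a SYN if a slot is free; False means the kernel must drop it."""
        while self.pending and now - next(iter(self.pending.values())) >= self.timeout:
            self.pending.popitem(last=False)  # reap expired half-open entries
        if len(self.pending) >= self.capacity:
            return False
        self.pending[key] = now
        return True

    def complete(self, key):
        self.pending.pop(key, None)  # final ACK arrived: release the slot

def simulate(capacity, timeout, flood_rate, duration=60.0, legit_rate=2.0, rtt=0.2):
    """Fraction of legitimate clients that got a slot during a spoofed-SYN flood."""
    q, events = SynQueue(capacity, timeout), []
    for i in range(int(flood_rate * duration)):  # constructed flood, one forged source per SYN
        heapq.heappush(events, (i / flood_rate, 0, "spoof", ("spoof", i)))
    for i in range(int(legit_rate * duration)):  # constructed real clients
        heapq.heappush(events, (i / legit_rate + 0.001, 1, "legit", ("legit", i)))
    accepted = total = 0
    while events:
        now, _, kind, key = heapq.heappop(events)
        if kind == "ack":
            q.complete(key)
        elif kind == "spoof":
            q.offer_syn(now, key)  # never acked: slot stays pinned until the timer fires
        else:
            total += 1
            if q.offer_syn(now, key):
                accepted += 1
                heapq.heappush(events, (now + rtt, 2, "ack", key))
    return accepted / total
```

With the note's 50 SYN/s per host and a 75 s timer, `slots_needed(50, 75)` gives 3750 pinned entries, so `simulate(5, 75.0, 50.0)` admits almost no real clients while `simulate(1024, 10.0, 50.0)` admits all of them.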
