Subject: Re: DOS attacks
To: Brook Milligan <brook@biology.nmsu.edu>
From: Miles Nordin <carton@Ivy.NET>
List: netbsd-advocacy
Date: 02/11/2000 21:23:28
I see this DoS publicity-scam as more relevantly highlighting a general
issue. Recently, my site was discovered as an open relay by an actual
spammer (rather than just the ORBS), and I had to shut down mail for over
four hours while installing Sendmail 8.9.3 from pkgsrc. Now I hear we
have 8.9.3 in the tree, which is great.

Security (or, rather, usability) on the Internet is increasingly a
communal affair. I think we should diversify our interpretation of
``security'' a bit for the purpose of advising otherwise selfish (how
secure is MY site from those Dastardly Hackers) NetBSD users on how to
become good polite neighbors in the Internet community.

For example, rfc2644 (referenced in Declan's _Wired_ article) describes
several things sysadmins should be doing to avoid facilitating DoS
attacks on others, for example by acting as ``smurf amplifiers.''
http://sunsite.auc.dk/RFC/rfc/rfc2644.html

Do NetBSD routers forward directed broadcasts? Is this behaviour optional
and defaulted to ``off'' as required by rfc 2644? Note that the recent
attacks may not have been of this sort.

Likewise, rfc2267 (referenced from the above rfc) explains the relatively
simple idea of using IP Filter to prevent users on a network under your
control from meaningfully forging their source address--all ISPs ought to
do this, and it would be good of us to encourage ISPs using NetBSD for
routers, firewalls, or modem pool servers to do it.

We have mkfilters(1), but as is often the case it comes with exactly 22
words of documentation and no comments in the code. There is a little
more documentation in /usr/share/examples/ipf/firewall, but the connection
between this file and mkfilters is not exactly obvious.

Anyone have thoughts on running ipf out-of-the-box? My thoughts are that
the configuration of an actual router is manual enough as to make any
``automatic'' ipf rules useless. But this is debatable, as rc.conf makes
a pretty fair effort of being multi-interface-router--friendly. Does
anyone using NetBSD for actual routing care to comment on
ipf-out-of-the-box for the purpose of rfc2267 ``ingress filtering?''

On Thu, 10 Feb 2000, David Maxwell wrote:
> The attacks sound like brute force flooding, probably with forged source
> addresses. If you have a T1, and I send you 100 T1s worth of data, there's
> nothing your OS can do.

Right. What you really need is an ISP culture and an Internet backbone
that implements fair queueing at all stages. Fair queueing research is
basically ``done,'' but for all practical purposes it hasn't been
implemented outside the lab at all. Has Cisco even shipped anything more
modern than CBQ, or are they sticking to their usual tactic of waiting for
the Community to design, implement, test, prove, and market technology
before they steal it and sell it back to us?

Fair queueing, combined with source-address-forging filters (rfc2267) at
every ``ingress'' to the ``trusted backbone,'' would make the
effectiveness of an attack dependent on the ratio of subverted
attacking-computers to regular customers.

It's impossible to stop everyone from using insecure operating systems
like Linux, Windows NT, and OpenBSD. But since it's impractical to
subvert nearly as many computers as Yahoo has customers, a scheme of this
sort would make it impossible for the NSA to bring down the big name sites
in an effort to ram through legislation that undermines the IETF.

Smaller and less newsworthy sites like my own would of course remain
vulnerable, but c'est la vie. Preventing the fascist governments of large
war-like nations from undermining our standards organizations with illegal
politically-motivated terrorist attacks immediately following the IETF's
blunt refusal to accommodate wiretapping, is good enough for me.

NetBSD: We don't negotiate with terrorists.

--
Miles Nordin / v:+1 720 841-8308 fax:+1 530 579-8680
555 Bryant Street PMB 182 / Palo Alto, CA 94301-1700 / US
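As an added illustration of the rfc2267 ingress-filtering and rfc2644 smurf-amplifier points raised in the message above (example code added here, not part of the original post and not mkfilters' own logic): a small Python script that emits IP Filter rules for a constructed router with one upstream link and two customer links, then evaluates constructed sample packets against those rules with ipf's first-match ``quick'' semantics. The interface names (ne0, ne1, ne2), the documentation prefixes and the packet list are all assumptions made for the example.

```python
"""Generate RFC 2267-style ingress filter rules for IP Filter (ipf) and
check sample packets against them.  Everything below (interface names,
prefixes, packets) is a constructed example, not taken from the post."""
import ipaddress

# Constructed topology: ne0 faces the upstream provider; ne1 and ne2 face
# customers who were allocated the listed (documentation) prefixes.
UPSTREAM = "ne0"
CUSTOMER_PREFIXES = {
    "ne1": ["192.0.2.0/24"],
    "ne2": ["198.51.100.0/24", "203.0.113.0/24"],
}


def ingress_rules(upstream, customers):
    """Return ipf rule lines.  Customer interfaces may only source packets
    from their own prefixes (RFC 2267); the upstream interface must not
    deliver packets claiming a customer source, nor packets aimed at a
    customer subnet's broadcast address (the smurf-amplifier case, RFC 2644)."""
    rules = []
    for iface, prefixes in customers.items():
        for prefix in prefixes:
            rules.append(f"pass in quick on {iface} from {prefix} to any")
        # 'quick' means first match wins, so the catch-all goes last
        rules.append(f"block in log quick on {iface} all")
    for prefixes in customers.values():
        for prefix in prefixes:
            bcast = ipaddress.ip_network(prefix).broadcast_address
            rules.append(f"block in log quick on {upstream} from {prefix} to any")
            rules.append(f"block in log quick on {upstream} from any to {bcast}/32")
    return rules


def _addr_in(addr, spec):
    """True if addr is covered by an ipf address spec ('any' or a CIDR)."""
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec)


def _matches(rule, iface, src, dst):
    """Match one generated rule against a packet seen inbound on iface."""
    tok = rule.split()
    if tok[tok.index("on") + 1] != iface:
        return False
    if "all" in tok:
        return True
    return (_addr_in(src, tok[tok.index("from") + 1])
            and _addr_in(dst, tok[tok.index("to") + 1]))


def decide(rules, iface, src, dst):
    """Verdict for one inbound packet.  All generated rules are 'quick', so
    the first match decides; with no match ipf's default is to pass."""
    for rule in rules:
        if _matches(rule, iface, src, dst):
            return rule.split()[0]
    return "pass"


# Constructed sample traffic: (interface, source, destination, description)
SAMPLE_PACKETS = [
    ("ne1", "192.0.2.10", "203.0.113.7", "customer using its own address"),
    ("ne1", "10.0.0.1", "203.0.113.7", "customer forging a source address"),
    ("ne0", "192.0.2.10", "198.51.100.1", "outsider claiming a customer address"),
    ("ne0", "172.16.0.9", "192.0.2.255", "directed broadcast aimed at a customer LAN"),
    ("ne0", "172.16.0.9", "192.0.2.10", "ordinary inbound packet"),
]


def audit(rules, packets):
    """Map each sample packet to its verdict."""
    return [(desc, decide(rules, iface, src, dst)) for iface, src, dst, desc in packets]


if __name__ == "__main__":
    rules = ingress_rules(UPSTREAM, CUSTOMER_PREFIXES)
    print("\n".join(rules))
    for desc, verdict in audit(rules, SAMPLE_PACKETS):
        print(f"{verdict:5s}  {desc}")
```

The generated lines express only the anti-spoofing layer; a real ruleset still needs its own default policy and per-service rules after them. The kernel-level question the message raises (whether the router forwards directed broadcasts at all) is separate from filtering: on NetBSD that is the net.inet.ip.directed-broadcast sysctl, and the broadcast-address rules above are only a filter-level backstop for it.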