Re: CERT Advisory 96.21

Carl Rigney ((no email))
Tue, 15 Oct 1996 17:10:48 -0700 (PDT)

This Applications Note is available on
ftp://ftp.livingston.com/pub/le/doc/filter.syn-attack and can be distributed
freely. It discusses how to configure a Livingston IRX or PortMaster to
help block outgoing SYN attacks from an ISP's users.

Someone out on the internet has mounted a denial-of-service attack on
Panix, a relatively large ISP in the New York, USA, area. The
perpetrator of this attack pretty well brought Panix to its knees for a
period of almost two weeks because there was no easy way to determine
from where the attack had come.

The purpose of this document is to assist Internet Service Providers
and other organizations with Internet connections to configure their
networks to prevent denial-of-service attacks, such as the one used
against Panix, from being mounted from the ISP or organization.
Preventing such attacks from occurring makes your organization a better
network neighbor and may spare it the embarrassment of being the unwilling
conduit for such nefarious behavior by an employee or customer.

Technical details of the attack:

The attack is to send TCP SYN packets (connection requests) to various
TCP ports on servers at a rate of approximately 20 per second. The TCP
implementation on the servers can hold only so many half-open connections
at one time, and a SYN from a source that never completes the handshake
ties up one of those slots until it times out, so legitimate users cannot
get a connection to the server(s). In order to hide his identity the
attacker uses a random IP source address for each connection request,
making it very difficult to trace back the source of the attack. (It is
possible to eventually trace the source of the attack, but it requires
tremendous effort and the cooperation of all the networks along the way
between the source and destination of the attack.)

An attack of 20 connection requests per second only requires about 900
bytes per second (each SYN is roughly 44 bytes of IP and TCP headers),
well under the 1200 bytes per second of raw capacity on a 9600 bps link,
making it possible that the attack is coming from a source with a link as
slow as 9600 bps, i.e. it could be coming from a dial-up connection.
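The two facts above (a modest SYN rate, and a different source address on
nearly every SYN) are what a victim can key on. The following is an added
example, not part of the Livingston note or CERT's advisory: it builds a
constructed packet trace in an assumed (time, source, port, flags) tuple form,
flags the seconds in which the SYN rate is high and almost every SYN has a
distinct source, and computes the wire cost the note quotes. Function names
and thresholds are assumptions for illustration.

```python
import random
from collections import defaultdict


def make_trace(seed=1):
    """Constructed packet trace for illustration: (time_s, src_ip, dst_port, flags).
    Ten seconds of light legitimate traffic from five fixed clients, plus a
    spoofed flood of 20 SYN/s to port 25 from random sources starting at t=5."""
    rng = random.Random(seed)
    pkts = []
    legit = ["10.1.1.%d" % i for i in range(1, 6)]
    for t in range(10):
        for k in range(3):
            pkts.append((t + k / 3.0, rng.choice(legit), 80, "S"))
    for t in range(5, 10):
        for k in range(20):
            src = "%d.%d.%d.%d" % tuple(rng.randrange(1, 224) for _ in range(4))
            pkts.append((t + k / 20.0, src, 25, "S"))
    return sorted(pkts)


def syns_per_second(pkts):
    """Bucket SYN packets by whole second, counting SYNs and distinct sources."""
    buckets = defaultdict(lambda: {"syns": 0, "sources": set()})
    for ts, src, _dport, flags in pkts:
        if flags == "S":
            b = buckets[int(ts)]
            b["syns"] += 1
            b["sources"].add(src)
    return buckets


def flood_seconds(pkts, min_rate=15, min_source_ratio=0.8):
    """Seconds where the SYN rate is high AND nearly every SYN carries a
    different source address. A busy but honest server sees repeat clients;
    a spoofed flood looks like the whole Internet knocking once each."""
    flagged = []
    for sec, b in sorted(syns_per_second(pkts).items()):
        ratio = len(b["sources"]) / b["syns"]
        if b["syns"] >= min_rate and ratio >= min_source_ratio:
            flagged.append(sec)
    return flagged


def flood_bytes_per_second(syn_rate, bytes_per_syn=44):
    """Wire cost of the flood: 20-byte IP header + 20-byte TCP header + the
    usual 4-byte MSS option. 20 SYN/s is about 880 bytes/s, which fits
    within the 1200 bytes/s of a 9600 bps modem link."""
    return syn_rate * bytes_per_syn


if __name__ == "__main__":
    trace = make_trace()
    print("flood seconds:", flood_seconds(trace))
    print("bytes/s at 20 SYN/s:", flood_bytes_per_second(20))
```

The source-diversity ratio is the useful part: a legitimate burst of
connections repeats client addresses, while a flood with a random source on
every SYN drives the ratio toward 1.0 regardless of the absolute rate.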

Since many of the dial-up Internet connections in the world pass
through Livingston PortMasters(tm), we thought that we would assist by
showing PortMaster owners how to use the features of the
PortMaster to prevent spoofing-type denial-of-service attacks from
originating behind a PortMaster.

The full technical details of the attack are given in CERT(sm) Advisory
CA-96.21.

A Solution:

The attack depends on the ability to "spoof" the source address thus
making the attack appear as if it were coming from all over the
Internet and not from where the hacker actually connects to the
Internet. This effectively hides the attacker by making him appear to
be everywhere at once. The "cure" is to implement anti-spoofing
filters where people connect into the network so that they cannot
inject packets with bogus source addresses. A hacker is less likely to
mount this sort of attack if he may be readily traced as the source of
the attack.

Many organizations install anti-spoofing filters at the edge of their
network where it connects to the rest of the Internet. These filters
prevent packets with obviously bogus source addresses, such as the
organization's own network number, from reaching the rest of the
organization's network. (You are filtering for bogus addresses, aren't
you?) Most organizations don't think of also adding a measure of
protection for the rest of the Internet by also filtering packets
outbound from the organization's network to ensure that all outbound
packets have valid source addresses.

Setting up filters where the users dial in:

The easiest place to provide protection is as close to the perpetrator
as possible. In the case of a hacker using a dial-up connection, this
means where he dials into the Internet at an ISP.

In order to make construction of filters easy, it is important to make
each PortMaster's assigned addresses fall on a bit boundary in the IP
address, so that the whole pool can be described by a single address/mask
pair. For instance, if an ISP is using the PortMaster PM-2e-30 (30 ports),
the assigned addresses should fall on a 27-bit subnet boundary, giving each
unit a block of 32 addresses of which 30 are usable, one per port. For
example, if seven PM-2e-30's are splitting the 192.168.1.0/24 network up to
use it as assigned pools, their assigned base addresses (the first usable
address of each block) would be 192.168.1.33, 192.168.1.65, 192.168.1.97,
192.168.1.129, 192.168.1.161, 192.168.1.193 and 192.168.1.225, with
192.168.1.0/27 left unused in this example. The rest of this example shows
the setup for the first PortMaster; the others are similar.

Now log into your PortMaster(s) and add the filter using the following
set of commands. Be sure to use the address block that contains each
PortMaster's assigned addresses (192.168.1.32/27 for the unit whose base
address is 192.168.1.33); a packet arriving from a dial-in user with any
other source address is dropped and logged.

add filter dial.in
set filter dial.in 1 permit 192.168.1.32/27 0.0.0.0/0
set filter dial.in 2 deny log
save all

Then add the following reply-item to all your RADIUS users with
assigned addresses. The PortMaster appends ".in" to the Framed-Filter-Id
value to find the input filter, so "dial" selects the dial.in filter
defined above for packets arriving from the user.

Framed-Filter-Id = "dial"

Here is a sample RADIUS user entry for a PPP user with an assigned address.

brian Password = "UNIX"
	User-Service-Type = Framed-User,
	Framed-Protocol = PPP,
	Framed-Address = 255.255.255.254,
	Framed-Filter-Id = "dial"
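The address planning and the per-unit filter above are mechanical, and
getting the block wrong silently blocks every customer on that unit. The
following is an added example, not part of the Livingston note or of the
PortMaster or RADIUS software: it carves the /27 pools for a number of
PM-2e-30s out of a parent network, emits each unit's dial.in filter and a
RADIUS users entry in the note's syntax, and shows how a source address seen
on the network maps back to the one PortMaster that is allowed to emit it.
It uses only the standard-library ipaddress module; function names are
assumptions for illustration.

```python
import ipaddress

POOL_PREFIX = 27  # a PM-2e-30 has 30 ports; a /27 holds 30 usable host addresses


def plan_pools(parent, count, prefix=POOL_PREFIX, skip_first=True):
    """Carve `count` /27 pools from `parent`. skip_first leaves the lowest
    block (192.168.1.0/27 in the note's example) unused, as the note does."""
    parent = ipaddress.ip_network(parent)
    subnets = list(parent.subnets(new_prefix=prefix))
    if skip_first:
        subnets = subnets[1:]
    if count > len(subnets):
        raise ValueError("only %d /%d pools available in %s"
                         % (len(subnets), prefix, parent))
    return subnets[:count]


def pool_base(pool):
    """The 'assigned base address' the note quotes: first usable host."""
    return pool.network_address + 1


def dial_in_filter(pool):
    """PortMaster command set for one unit, in the note's syntax: permit the
    unit's own block to anywhere, deny and log everything else."""
    return [
        "add filter dial.in",
        "set filter dial.in 1 permit %s 0.0.0.0/0" % pool.with_prefixlen,
        "set filter dial.in 2 deny log",
        "save all",
    ]


def radius_entry(user, password):
    """RADIUS users-file entry. Framed-Address 255.255.255.254 means 'assign
    from the PortMaster's pool'; Framed-Filter-Id "dial" selects dial.in."""
    return "\n".join([
        '%s Password = "%s"' % (user, password),
        "\tUser-Service-Type = Framed-User,",
        "\tFramed-Protocol = PPP,",
        "\tFramed-Address = 255.255.255.254,",
        '\tFramed-Filter-Id = "dial"',
    ])


def owning_portmaster(pools, src):
    """Which PortMaster (1-based) may legitimately emit packets with this
    source address? None means the address belongs to no dial-in pool, so a
    packet carrying it from a dial-in port is spoofed."""
    addr = ipaddress.ip_address(src)
    for i, pool in enumerate(pools, 1):
        if addr in pool:
            return i
    return None


if __name__ == "__main__":
    pools = plan_pools("192.168.1.0/24", 7)
    for i, pool in enumerate(pools, 1):
        print("PortMaster %d: base %s" % (i, pool_base(pool)))
        print("\n".join(dial_in_filter(pool)))
    print(radius_entry("brian", "UNIX"))
    print("192.168.1.100 belongs to PortMaster", owning_portmaster(pools, "192.168.1.100"))
```

Because every unit's pool is a single aligned block, the reverse mapping in
owning_portmaster is exact: a logged "deny" from unit 3's dial.in filter
names the unit, and the PortMaster's own port log names the customer.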

Setting up filters at the gateway to the NSP:

Another method is to set up anti-spoofing filters outbound from the
ISP where it connects to the Network Service Provider (NSP). It is
simpler to implement because the filter is added only at the gateway
router, but it has the drawbacks that it does not prevent spoofing within
the ISP itself, and it does not identify which dial-in port or customer
the spoofed packets came from.

Let's assume that an ISP has a T1 to its NSP and that it has been
assigned a pair of class C networks for its operation. It can protect
the Internet with a single filter outbound on its router. If the two
networks come from a superblock (meaning they are adjacent and the lower
one starts on an even third octet, so both are subsumed under a single
/23 mask; 192.168.2.0 and 192.168.3.0 qualify, 192.168.3.0 and 192.168.4.0
do not), then the outbound filter would look like this, assuming
192.168.2.0 and 192.168.3.0 and an IRX-211 with the T1 connection on S1:

add filter nospoof.out
set filter nospoof.out 1 permit 192.168.2.0/23 0.0.0.0/0
set filter nospoof.out 2 deny log
set s1 ofilter nospoof.out
save all
reset s1

If the ISP has multiple disjoint class C networks, with no supernet common to
the network numbers, the filter would look like this instead:

add filter nospoof.out
set filter nospoof.out 1 permit 192.168.2.0/24 0.0.0.0/0
set filter nospoof.out 2 permit 192.168.7.0/24 0.0.0.0/0
set filter nospoof.out 3 permit 192.168.100.0/24 0.0.0.0/0
set filter nospoof.out 4 deny log
set s1 ofilter nospoof.out
save all
reset s1
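Whether a set of networks collapses to one permit line or needs one line
each is exactly the aligned-superblock question, and getting it wrong either
leaks a neighbor's block or drops the ISP's own traffic. The following is an
added example, not part of the Livingston note or the IRX software: it
computes the minimal prefix list for an ISP's networks, emits the
nospoof.out command set in the note's syntax for either case, and evaluates
a constructed batch of outbound packets with the filter's first-match
permit/deny-log semantics. The interface name, the packet list and the log
line format are assumptions for illustration.

```python
import ipaddress


def permitted_prefixes(networks):
    """Smallest list of prefixes covering `networks`. collapse_addresses merges
    only adjacent AND aligned blocks (192.168.2.0/24 + 192.168.3.0/24 ->
    192.168.2.0/23) and leaves everything else as separate entries."""
    nets = [ipaddress.ip_network(n) for n in networks]
    return list(ipaddress.collapse_addresses(nets))


def nospoof_out(networks, iface="s1"):
    """Command set for the gateway's outbound filter: one permit per prefix
    (source in the prefix, any destination), then a final deny with logging,
    attached as the output filter of the NSP-facing serial interface."""
    prefixes = permitted_prefixes(networks)
    rules = ["add filter nospoof.out"]
    for i, p in enumerate(prefixes, 1):
        rules.append("set filter nospoof.out %d permit %s 0.0.0.0/0"
                     % (i, p.with_prefixlen))
    rules.append("set filter nospoof.out %d deny log" % (len(prefixes) + 1))
    rules += ["set %s ofilter nospoof.out" % iface, "save all", "reset %s" % iface]
    return rules


def apply_filter(networks, packets):
    """Emulate the filter on a list of (src, dst) outbound packets: first
    matching permit wins, anything else hits the deny-log rule. Returns
    (permitted packets, constructed log lines for the denied ones)."""
    prefixes = permitted_prefixes(networks)
    permitted, denied = [], []
    for src, dst in packets:
        a = ipaddress.ip_address(src)
        if any(a in p for p in prefixes):
            permitted.append((src, dst))
        else:
            denied.append("nospoof.out deny: src=%s dst=%s" % (src, dst))
    return permitted, denied


# Constructed outbound traffic: two legitimate packets and two spoofed SYNs.
SAMPLE_PACKETS = [
    ("192.168.2.10", "203.0.113.5"),
    ("192.168.3.200", "203.0.113.5"),
    ("172.16.9.1", "203.0.113.5"),   # spoofed: not an ISP address at all
    ("192.168.4.1", "203.0.113.5"),  # spoofed: adjacent block the ISP does not own
]


if __name__ == "__main__":
    isp_nets = ["192.168.2.0/24", "192.168.3.0/24"]
    print("\n".join(nospoof_out(isp_nets)))
    ok, log = apply_filter(isp_nets, SAMPLE_PACKETS)
    print("permitted:", ok)
    print("\n".join(log))
```

The 192.168.4.1 case is the one to watch: it is numerically next to the
ISP's space but outside 192.168.2.0/23, so the /23 permit correctly rejects
it, whereas a hand-written /22 "to be safe" would have let it through.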

Further documentation on Livingston packet filtering is available in
the "Filters" chapter of the Configuration Guide for PortMaster
Products and in our Firewall Application Note,
ftp://ftp.livingston.com/pub/le/doc/firewall/firewall-1.1.ps