[c-nsp] syn flood - port 80

Tantsura, Jeff jeff.tantsura at capgemini.com
Mon Aug 2 05:54:25 EDT 2004


Firewall has nothing to do with shunting.
Shunting means that there is an Inspection Device which is able to drop "bad traffic" and route back "good traffic"
To define a "bad traffic" anomaly analysis is usually done.

Jeff

-----Original Message-----
From: Brian Turnbow [mailto:b.turnbow at twt.it]
Sent: Monday, August 02, 2004 11:32 AM
To: Tantsura, Jeff; 'Roger'; cisco-nsp at puck.nether.net
Subject: RE: [c-nsp] syn flood - port 80

a firewall that will block syn floods isn't that expensive and as far as setup goes with only one router it's not at all difficult. you can even set up policy routing and apply it to the interface when an attack occurs.
That way you can permit legit traffic and keep customers happy, at least until you run out of bandwidth.

Brian

-----Original Message-----
From: Tantsura, Jeff [mailto:jeff.tantsura at capgemini.com]
Sent: lunedì 2 agosto 2004 11.01
To: b.turnbow at twt.it; Roger; cisco-nsp at puck.nether.net
Subject: RE: [c-nsp] syn flood - port 80



With sinkhole you could protect your network by dropping close to the entrance to your network or by advertising community stamped /32 to your SP (if your SP supports that) but the service will be down.

Shunting, especially for a small company is :
1. difficult to implement
2. price of Arbor/Riverhead solution is high

Jeff

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Brian Turnbow
Sent: Monday, August 02, 2004 9:37 AM
To: 'Roger'; cisco-nsp at puck.nether.net
Subject: RE: [c-nsp] syn flood - port 80

why don't you try traffic shunting ?


http://www.ripe.net/ripe/meetings/ripe-46/presentations/ripe46-eof-fischbach
.pdf


Brian


-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net]On Behalf Of Roger
Sent: lunedì 2 agosto 2004 2.53
To: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] syn flood - port 80


Roger wrote:

> I'm wondering how one would slow down a syn flood attack on hosts @ > port 80?
>
> I'm running a 7206vxr at the border and would like to slow a syn flood > attack w/o clobbering my customers web servers...
>
> Traffic policing would be bad as to high of a percentage of syn > packets are junk, traffic shaping would help BUT all my customers web > servers would respond slower....
>

I should clarify things a bit...

The event I'm talking about is a distributed DoS attack.  The souces are from multiple ips(a few hundred) the strange thing is the destination ip..  The infected hosts are scanning my entire network range - in my case the entire /19.  Some hosts are live and active others ips are routed to Null as they aren't used...

Implementing CAR, IMHO, is out of the question.  In a syn flood CAR will drop packets once a bandwidth thresh hold is reached.  From their customer's http servers will appear to be down.  Since most traffic is junk the chances of legit http requests going through is low.

GTS would be better, BUT slow legit connections down to a crawl.  Also I have no real gauge to say how much bandwidth to allow for syn connections under normal conditions.

Making a "mega" acl w/ all the infected hosts seams kinda silly and long acls can just slow down all legit traffic, by bogging the cpu down and drawing lots of memory.

Out of desparation I'm thinking of doing this.. I'll be the first to say this is a BAD idea, suggestions welcome..

1 - Scan my internal network for legit http servers and make a list..

2- make a acl that will --
Explicitly allow syn packets to these legit web servers Deny all syn packets going to destine port 80

3- manage said traffic flow from there..

This is a quick and dirty solution I've come up with.  The acl listing legit http servers will be not to lenghy BUT customers putting up new web servers will be screwed...  They could call up and we'd allow syn packets to their ip but this is no suitable long term solution.

Any alternatives welcome.
_______________________________________________
cisco-nsp mailing list  cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

_______________________________________________
cisco-nsp mailing list  cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/


Our name has changed.  Please update your address book to the following format: "recipient at capgemini.com".

This message contains information that may be privileged or confidential and is the property of the Capgemini Group. It is intended only for the person to whom it is addressed. If you are not the intended recipient,  you are not authorized to read, print, retain, copy, disseminate,  distribute, or use this message or any part thereof. If you receive this  message in error, please notify the sender immediately and delete all  copies of this message.


Our name has changed.  Please update your address book to the following format: "recipient at capgemini.com".

This message contains information that may be privileged or confidential and is the property of the Capgemini Group. It is intended only for the person to whom it is addressed. If you are not the intended recipient,  you are not authorized to read, print, retain, copy, disseminate,  distribute, or use this message or any part thereof. If you receive this  message in error, please notify the sender immediately and delete all  copies of this message.




More information about the cisco-nsp mailing list