[MUD-Dev] DDoS

J C Lawrence claw at kanga.nu
Sun Apr 16 17:25:52 CEST 2000


On Wed, 12 Apr 2000 19:09:09 +0200 
olag  <Ola> wrote:

> Some IRC maintainers are talking about dropping the service
> because of denial of service attacks (DoS), the equivalent of
> link-spamming.  

There are MANY forms of DoS attacks, from SYN floods to packet
storms to smurf attacks and so forth.  Further the definition of
what constitutes a DoS attack is entirely dependent on the intended
_effect_ of the attack, or in the realised _effect_ (which may not
have been deliberate).  

At one time I thought I was receiving standard port saturation DoS
attacks because I hadn't thought to limit the number of inbound
connections.  There was no iniquitous intent on the other end -- he
was just sending all the pending traffic he had spread across 50+
connections, and thus 50+ sendmail and 50+ sub-process forks, and
50+ (and you get the idea -- a fork bombed machine).  What he did
was quite acceptable, just not very workable when the receiving end
was a lowly i486-33 with 8Meg RAM, so I put throttles in on MY end
to end the _perceived_ DoS attack, and everybody was happy.  Later I got
real attempted DoS attacks via SYN floods on the SMTP port (same
intended effect as above) but I had other controls in place and so
didn't get burnt.

A DoS attack can be something, possibly innocuous, which has the
effect of creating a Denial of Service for you, or it can be
something done with the intent of creating a Denial of Service for
you (effective or not).  The generality you make about DoS attacks
is so broad as to be meaningless.  It's like saying that IRC
maintainers are talking about dropping the service because of net
'lag.  Way too vague.

Further, competent SysAdmins can secure their systems against most DoS
attacks.  Some are difficult to secure against.  Some, to be
properly defended against, require specific filtering rules to be put
on the router immediately upstream of you (eg some versions of
broadcast storms, certain packet floods etc) as defending against
them is not a question of defending an individual system, but of
defending your network.

Your best defense is a combo of router rules to filter known attacks
and all funky looking packets or packets directed to services you
don't have open, kernel config settings (Linux comes well supplied
in this area), static defenses (eg TCP Wrappers in PARANOID mode),
and active defenses (eg Psionic's PortSentry/HostSentry which adapt
your security stance in realtime to perceived security threats).

  Realise that DoS attacks are only ONE variety of security threat
  among many.  The below discusses only one side of setting up a
  secure system.

You don't get this setup in a couple minutes.  Getting the router
stuff right takes someone who knows IOS (for Ciscos) well (I don't)
and who has a thorough understanding of what's needed and has thought
about it for some time (there are tricky corner cases).  Your ISP
should have someone who can do this.  If not, change ISPs.  NOW.
Sooner than now if possible.  You should be able to get the fellow
on the phone/email and tell him, "I'd like some rules on the router
to filter all odd looking packets, obvious DoS attacks, or packets
to services I don't have running (be prepared to give him a list of
your open ports) -- can you do that for me?" and get a "Yes!"
followed by a series of probing questions on exactly what you need
and want (have your homework done, but also be prepared to have him
educate you (he is in a service industry after all)).

Good ISPs, when they install your server, will often offer this
service as part of the deal, or will explicitly ask you how you want
it set up without asking whether you want it first.

On the system config side, this can get messy, but mostly as a
matter of details and making correct choices.  The kernel options
(for Linux) are well documented.  Solaris, HP-UX and IRIX & Co have
their own docs.  All require some careful reading and interpretation
to get right.  I don't know about Windows.  It's a care and education
problem.

Oddly, I've found the easiest (for me) part was the adaptive defense
area (I copped out and went and stuck with Psionic's stuff).  I know
others who have and continue to spend thousands of man hours on this
sector alone.  YMMV.

The IRC protocol is inherently insecure.  Channel raids, takeovers,
etc are an integral possibility within the protocol (ie the protocol
very nearly explicitly allows them).  It's little wonder that scores
of robots exist with no other purpose than to help secure channels
and prevent various things being done to them -- or that there are
scores of other scripts and occasionally robots whose purpose is to
take over channels etc despite the first robots.

That, with a paired mass infusion of both untrained IRC server
admins (who don't know how to secure their systems) and
ScriptKiddie wannabes in recent years has made for rather a mess.

> There is also something called a distributed DoS (DDoS), which
> means that the attack comes from more than one source, maybe
> thousands of sources. Thus blocking the attack is difficult.

This is one of the points where the adaptive defenses I mentioned
before are coming in.  Given recent events and news stories, this is
an area of some research.

--
J C Lawrence                                 Home: claw at kanga.nu
----------(*)                              Other: coder at kanga.nu
--=| A man is as sane as he is dangerous to his environment |=--
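The inbound throttle the post describes adding on the receiving end, as an added example that is not part of the original message: a per-source and total cap on inbound connections, plus a timeout that reaps half-open handshakes so they cannot hold slots indefinitely. The class, method names, limits, and the two constructed scenarios are assumptions for illustration; it models the admission policy rather than driving real sockets.

```python
# Added example (not from the original post): a model of an inbound
# connection throttle. Class, method names and limits are assumptions.
class ConnectionThrottle:
    def __init__(self, max_per_source=5, max_total=64, handshake_timeout=30.0):
        self.max_per_source = max_per_source
        self.max_total = max_total
        self.handshake_timeout = handshake_timeout
        self.conns = {}  # conn_id -> [source, state, time SYN was seen]

    def _count(self, src=None):
        # Pending (half-open) and established connections both occupy a slot.
        return sum(1 for s, _, _ in self.conns.values() if src is None or s == src)

    def _reap(self, now):
        # Free slots held by handshakes that never completed within the timeout.
        stale = [cid for cid, (_, st, t0) in self.conns.items()
                 if st == "pending" and now - t0 > self.handshake_timeout]
        for cid in stale:
            del self.conns[cid]
        return len(stale)

    def syn(self, cid, src, now):
        # Admission decision for a new connection attempt from `src`.
        self._reap(now)
        if self._count(src) >= self.max_per_source or self._count() >= self.max_total:
            return "refused"
        self.conns[cid] = [src, "pending", now]
        return "pending"

    def established(self, cid):
        self.conns[cid][1] = "open"

    def close(self, cid):
        self.conns.pop(cid, None)


def busy_peer_scenario(throttle):
    """Constructed: one well-meaning host opens 50 connections at once."""
    results = [throttle.syn(f"p{i}", "10.0.0.7", 0.0) for i in range(50)]
    return results.count("pending"), results.count("refused")


def half_open_flood_scenario(throttle):
    """Constructed: 100 handshakes from distinct sources that never complete."""
    for i in range(100):
        throttle.syn(f"h{i}", f"192.0.2.{i}", 0.0)
    before = throttle.syn("late", "203.0.113.9", 1.0)    # table full: refused
    after = throttle.syn("late2", "203.0.113.9", 31.0)   # stale entries reaped
    return before, after
```

The first scenario reproduces the post's benign 50-connection burst (only the per-source cap applies); the second shows why a half-open timeout is needed in addition to the caps.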


_______________________________________________
MUD-Dev mailing list
MUD-Dev at kanga.nu
http://www.kanga.nu/lists/listinfo/mud-dev
