Re: Groklaw's "Bias" and the SCO DDoS Attack

From: Jeff Liebermann (jeffl_at_comix.santa-cruz.ca.us)
Date: 12/14/03


Date: Sun, 14 Dec 2003 01:48:07 -0800

On Sat, 13 Dec 2003 14:35:00 GMT, bv@wjv.comREMOVE (Bill Vermillion)
wrote:

>And worst case if the ISP is not a top tier they often have smaller
>pipes and the attacks fill the pipes and cause all the other ISP
>customers to have problems.

There are three failure mechanisms.
1. Fill up the downstream pipe with junk packets.
2. Busy out the server delivering bogus web page requests.
3. Saturate the return path with bounces, timeouts, retries, and bogus
page requests, which usually results in additional resends and a
clogged downstream pipe.

>When doing trace-routes to find problems, I often see some machines
>mapped onto a private non-routeable network, e.g. 10.x.x.x or
>192.168.x.x. So a DDoS would come into the local network.

Nope. I've seen lots of machines on the internet return non-routeable
IP addresses. When I dig deeper, I usually find a dual-homed ethernet
interface, where an ethernet port has two IP addresses. ICMP
traceroute sometimes delivers the wrong IP address. @Home used to do
this all the time. I don't recall exactly which OSes and versions
returned the wrong IP.

It's also possible to scribble a daemon that intercepts ICMP type 8(?)
requests, and rewrites the returned IP address. To the originator, it
looks like the packets are going through some rather odd machines.
One system I know about returns traceroutes that look like they're
connected via the FBI, CIA, or something similar.

>A trace to one of the SCO machines shows it's on a 10.x.x.x net.
>I'm of the opinion that certain machines should be outside the 'net
>so that IF they are compromised the attacker is still outside.
>But many seem to put up one firewall and put all their machines
>behind that.

>The concept of public <-> dmz <-> protected seems to be overlooked
>by many. You can put your web servers in the dmz and still not
>affect your local net.

Well, a dual firewall, with a DMZ full of public servers in between,
with sacrificial honey pot servers, and with an intrusion detection
system, will be far more secure than a single firewall. I suppose
such systems exist, but I've never seen one. My customers are too
small to afford it. The lack of such a system is not a sign of
incompetence.

>You can make your public face a sacrificial lamb too. One old SCO
>client, when they moved to the dot.bomb environment, had Suns on
>the public IPs to handle the first web requests - which then went
>to WebObjects servers in the dmz - which then queried the Oracle
>database in the protected network. I don't know why so many don't
>seem to follow this philosophy any more. And if they don't and have
>problems it's their own damn fault.
>
>These are my observations, but do you see any holes in those arguments?

No holes, just some comments.
1. The non-routeable IPs are usually a side effect of having two
IPs on a single ethernet interface.
2. Dual firewalls are a big improvement in security. SCO might be
able to afford and manage such a system. My customers can't.
3. I'm a big fan of 'single application servers' which largely follow
what you describe.
4. I don't think the DDoS attack is making it through the firewall.
My guess(tm) is that the LAN side performance hit is coming from some
necessary services (DNS, mail, local web pages) that are resident on the
gateway. Moving them to a more protected machine will probably
eliminate the performance hit.

-- 
Jeff Liebermann  150 Felker St #D  Santa Cruz CA 95060
(831)421-6491 pgr  (831)336-2558 home
http://www.LearnByDestroying.com   AE6KS
jeffl@comix.santa-cruz.ca.us   jeffl@cruzio.com
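The point about private addresses showing up mid-path in a traceroute can be checked mechanically. The following is an added example, not code from either poster: it parses traceroute-style output, flags RFC 1918 hops (10/8, 172.16/12, 192.168/16), and for each one records whether a publicly routable hop comes later in the path. A private hop followed by a public one means the router answered from a second, non-routable interface address, which is the dual-homed case described above; only a path that ends in private space suggests the trace actually stayed inside a private network. The trace text is constructed, and the 198.51.100.0/24 and 203.0.113.0/24 documentation ranges stand in for public addresses (Python's `is_private` treats those ranges as private, so the RFC 1918 test is done explicitly).

```python
import ipaddress
import re

# Constructed sample output in traceroute's usual layout (not a real trace).
# Documentation-range addresses stand in for public ones; hop 3 is RFC 1918.
SAMPLE_TRACE = """\
traceroute to www.example (203.0.113.10), 30 hops max, 60 byte packets
 1  192.168.1.1 (192.168.1.1)  0.412 ms  0.380 ms  0.355 ms
 2  198.51.100.1 (198.51.100.1)  8.120 ms  8.004 ms  7.990 ms
 3  10.20.30.40 (10.20.30.40)  9.300 ms  9.251 ms  9.198 ms
 4  * * *
 5  203.0.113.10 (203.0.113.10)  11.207 ms  11.150 ms  11.100 ms
"""

# Only the RFC 1918 blocks count as "private" here; documentation ranges do not.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Hop number followed by the first dotted quad on the line.
# Timed-out hops ('* * *') and the header line do not match and are skipped.
HOP_RE = re.compile(r"^\s*(\d+)\s+(\d{1,3}(?:\.\d{1,3}){3})")


def is_rfc1918(addr):
    """True if addr (an IPv4Address) lies in one of the RFC 1918 blocks."""
    return any(addr in net for net in RFC1918)


def parse_hops(text):
    """Return [(hop_number, IPv4Address), ...] for every hop that reported an address."""
    hops = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if m:
            hops.append((int(m.group(1)), ipaddress.ip_address(m.group(2))))
    return hops


def classify_private_hops(hops):
    """For each RFC 1918 hop, note whether any later hop is publicly routable.

    followed_by_public=True: the packet went on to the public Internet, so the
    private address is just the answering router's other interface (dual-homed).
    followed_by_public=False: the path ends in private space; that is the only
    pattern consistent with the trace having entered a private network.
    """
    results = []
    for idx, (num, addr) in enumerate(hops):
        if not is_rfc1918(addr):
            continue
        later_public = any(not is_rfc1918(a) for _, a in hops[idx + 1:])
        results.append({
            "hop": num,
            "address": str(addr),
            "followed_by_public": later_public,
            "likely_cause": (
                "router replied from a second, non-routable interface address"
                if later_public
                else "path ends in private space; confirm the target was actually reached"
            ),
        })
    return results


def summarize(text):
    """Convenience wrapper: parse a trace and classify its private hops."""
    return classify_private_hops(parse_hops(text))


if __name__ == "__main__":
    for entry in summarize(SAMPLE_TRACE):
        print(f"hop {entry['hop']:>2} {entry['address']:<15} -> {entry['likely_cause']}")
```

Run against the sample, hops 1 and 3 are both reported as interface-address artifacts because hop 5 is public; feed it a trace whose last reporting hop is private and the wrapper flags that instead.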

