DOS attacks - New filter rules
- To: outages-list@eskimo.com
- Subject: DOS attacks - New filter rules
- From: Robert Dinse <nanook@eskimo.com>
- Date: Wed, 10 Mar 1999 05:10:21 -0800 (PST)
- Resent-Date: Wed, 10 Mar 1999 05:10:25 -0800
- Resent-From: outages-list@eskimo.com
- Resent-Message-ID: <"F7CaR2.0.Jb2.1zcvs"@mx1>
- Resent-Sender: outages-list-request@eskimo.com
Subject: DOS attacks - New Filters which affect Ping
Newsgroups: lobby,announcements
Because our site has been the target of a number of denial of service
attacks that have come in the form either of UDP or ICMP floods, I have
implemented new filter rules at the Sprint end of the T1 links to prevent
saturation of our links by net terrorists.
The vast majority of these attacks are directed at either our IRC servers
or Chat, the machine used to run bots, and so for some time we have had ICMP
and UDP filtered towards those machines upstream.
More recently, eskimo, tia1, and various dial-up PPP addresses have been
targeted.
About 99.99% of the time, these attacks occur when someone in IRC angers
someone else, or someone else wants to take over their channel, and so they
launch a denial of service attack against their ISP in an effort to blow them
off the net.
The IRC servers are attacked because one method of taking over channels
involves splitting a server from the rest of the net. And though with time
stamps it's not terribly effective, they still try it. There are also jerks that
just get off on blowing 400 clients off a busy server or disrupting network
connectivity in general.
Chat is targeted because bots are run there, and if someone wants to take
over a channel protected by a bot, a prerequisite is to get rid of the bot, so
they try to flood that machine off the net.
Eskimo is targeted because people run Unix IRC clients here, and because
it's an obvious target if you're just trying to saturate the links and blow
everyone on the ISP off the net.
Tia1 is targeted because people run irc clients on their own machines
connected via emulated SLIP or PPP.
Dial-up IP addresses are targeted because people run irc clients or bots
via real PPP or SLIP.
Filtering IP is a bit of a double-edged sword: it is impossible to filter
all possible attacks and still provide any services, because any service is a
possible target of an attack. So there is a trade-off between functionality
and security that must be made.
Since the majority of recent attacks are smurf attacks, which work by
sending ICMP echo request packets to the open broadcast address of a network
that has a lot of hosts, a lot of bandwidth and no meaningful security, with
the source address forged to be that of the target machine thus causing every
host on that network to send echo replies flooding the target, filtering ICMP
echo replies is the largest part of these filtering rules.
ICMP echo replies are now blocked to all of the irc, hub, chat, eskimo,
and tia1, as well as all of the dial-up address space. This has the
unfortunate side effect of breaking ping. I apologize for this but the
alternative is to have regular 15-20 minute (however long it takes us to get
Sprint to respond on the fly) outages when some twit in IRC gets his nose bent
out of joint or is just plain acting maliciously and launches a DOS attack.
UDP is also blocked to chat, irc, hub, and tia1, with holes cut through
for uping on hub and irc, and a hole for name service on tia1. IRCD is a TCP-based
service, as are bots, and so UDP is not necessary for irc or hub except for
uping, and not necessary for chat. These rules aren't new, but blocking UDP to
tia1 is. Since UDP services aren't supported by emulated SLIP/PPP, this should
not affect functionality on that machine. Anybody needing UDP over PPP should
request non-dedicated SLIP/PPP, which does support this.
These filters, as I've stated, won't stop all possible attacks, but it is
really difficult to be more thorough without causing major
functionality problems.
If someone who knows Cisco filtering rules can show me how to make an
access list entry that would deny ICMP echo reply with packet sizes larger than
about 100 bytes, this would allow us to stop smurf attacks (which use large
packets, usually about 1kb) without breaking ping.
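As an added illustration (not part of the original post or of Eskimo's actual Sprint-side access lists), the following Python models the filter policy described above, the size-based echo-reply rule proposed at the end, and the many-replies-from-one-network signature of a smurf flood. Host names stand in for the real addresses, the traffic is constructed, and UPING_PORT is a placeholder because the post does not give the port.

```python
from collections import defaultdict

ICMP_ECHO_REPLY = 0
# Hosts the post says now have ICMP echo replies blocked upstream.
ECHO_REPLY_BLOCKED = {"irc", "hub", "chat", "eskimo", "tia1", "dialup"}
# Hosts the post says have UDP blocked, and the holes cut through that block.
UDP_BLOCKED = {"chat", "irc", "hub", "tia1"}
UPING_PORT = 7000  # placeholder assumption: the post does not state the uping port
UDP_HOLES = {("hub", UPING_PORT), ("irc", UPING_PORT), ("tia1", 53)}  # 53 = name service

def decide(pkt, echo_reply_max_len=None):
    """Return 'deny' or 'permit' for one inbound packet (a dict).

    echo_reply_max_len=None models the rules as deployed, where every echo
    reply to a protected host is dropped and ping therefore breaks. A number
    models the size-based rule proposed in the post: replies up to that many
    bytes (normal ping) still pass, larger ones (typical smurf traffic) do not.
    """
    dst = pkt["dst"]
    if pkt["proto"] == "icmp" and pkt.get("type") == ICMP_ECHO_REPLY and dst in ECHO_REPLY_BLOCKED:
        if echo_reply_max_len is None or pkt["len"] > echo_reply_max_len:
            return "deny"
    if pkt["proto"] == "udp" and dst in UDP_BLOCKED and (dst, pkt["dport"]) not in UDP_HOLES:
        return "deny"
    return "permit"

def smurf_suspects(pkts, min_sources=20):
    """Flag destinations that receive echo replies from many distinct hosts
    within a single /24: the amplifier-network pattern the post describes."""
    sources = defaultdict(set)
    for p in pkts:
        if p["proto"] == "icmp" and p.get("type") == ICMP_ECHO_REPLY:
            net = p["src"].rsplit(".", 1)[0]  # first three octets of the source
            sources[(p["dst"], net)].add(p["src"])
    return {dst for (dst, net), srcs in sources.items() if len(srcs) >= min_sources}

# Constructed traffic: one ordinary 64-byte ping reply, then a storm of 1 kB
# echo replies to "eskimo" from 60 hosts of one /24 (documentation addresses).
SAMPLE = [{"proto": "icmp", "type": 0, "src": "192.0.2.9", "dst": "eskimo", "len": 64}] + [
    {"proto": "icmp", "type": 0, "src": f"198.51.100.{i}", "dst": "eskimo", "len": 1024}
    for i in range(1, 61)
]

if __name__ == "__main__":
    for pkt in SAMPLE[:2]:
        print(pkt["len"], "bytes:", decide(pkt), "/ with 100-byte limit:",
              decide(pkt, echo_reply_max_len=100))
    print("smurf suspects:", smurf_suspects(SAMPLE))
```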