Eskimo North


[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Strange DoS attacks




     Lately, our main web server has been taken down frequently by a strange
DoS attack, usually quickly enough that I don't get a chance to really look at
what is happening before it dies.  However, tonight, I was fortunate to get
some data before the machine crashed.

     These attacks seem to be originating exclusively out of China at the
moment. IP's are assigned to different providers and different regions but it
always seems to be China.

     The attack is similiar in nature to the old smurf attacks where an ICMP
echo request packet is sent to the broadcast address causing every machine that
response to ICMP on the broadcast (something that according to the RFC's
shouldn't happen but more IP stacks will do it than not, in Linux it is
configurable) sending an ICMP echo reply.  A similar attack known as fraggle
uses a UDP echo request to teh broadcast.

     I have my router configured not to forward broadcast destination packets,
and I thought that should have prevented this sort of thing; however after some
investigation tonight, it turns out that my router only considers all 1's to be
broadcast, so it allows packets with all 0's in the host portion of the IP to
get through.

     The Linux 2.2.x kernel however, does response to all 0's as if it was a
broadcast.  However, ignore broadcast for echo replies is also an option that I
have configured in the kernel, but it seems by sending an invalid type, that
can be gotten around, allowing our machines to be used to in a "smurf" like
attack (only modified in that it uses the all zero's not all one's and an
invalid ICMP type).

     The reason this crashes the machine is that because the interface listens
to multiple IP addresses (several hundred), it generates several hundred times
as much traffic as it receives, and can do so at a rate faster than can be
transmitted over the 100-base-T interface causing it to exhaust all memory and
die when a kmalloc() fails and returns a NULL pointer which is then handled
with a can not dereference NULL pointer panic.

     The short term immediate, what I hope really fixes it, fix that I applied
is to explicitly NULL route the all zero's, so the all zero's host IP which the
router isn't blocking isn't routed to the machines.

     In the longer term, I'm working on an upgrade to Aurora Linux so that we
can have a modern distribution, libs, kernel, and all, and hopefully the TCP/IP
stack on the 2.6 kernel is less susceptible to abuse of this sort.

-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-
 Eskimo North Linux Friendly Internet Access, Shell Accounts, and Hosting.
   Knowledgable human assistance, not telephone trees or script readers.
 See our web site: http://www.eskimo.com/ (206) 812-0051 or (800) 246-6874.