Firewall Wizards mailing list archives

Re: Tracking down spoofing SYN flood attackers?


From: David Pick <d.m.pick () qmul ac uk>
Date: Sat, 18 Jan 2003 10:09:32 +0000


For what we believe has been a few days (we finally tracked
it all down this morning, have been having weirdness for a
while due to our firewall being flooded with TCP connects),
someone has been sending tons of port 23 packets to one of
our servers in Scotland, with a source address of wrist.org
(216.111.239.187). 

We're trying to have the ISP block the packets upstream, and
I also got in contact with a wrist.org admin via their DNS
contact info.

The attack is being spoofed; it's not actually coming from
wrist.org. They don't even have a machine at this address
which is capable of sending out telnet (TCP/23) packets.
He said I was one of dozens of people who have called.

Someone doesn't like wrist.org.

As for us, it's not a huge deal. We'll likely be able to have
the ISP cut off the traffic before it hits our firewall. But
this poor guy is getting hammered, and I don't know how he's
ever going to find out who's doing it, or make it stop.

My question is how would one go about tracking this down and
stopping it?

The only way *I* know is to track the offending traffic backwards
from router to router. This is tedious work and can (usually)
only be done by the manager(s) of the routers involved. There
is the problem of getting the network managers in each ISP and
transit provider to do the work *and release the results*. It
can be easier if the requests come from a Law Enforcement Agency
but someone has to get one of *them* to take the issue seriously
enough to act; and then you get cross-border problems (more than
when ISP is talking to ISP). A concerted action/complaint from
*all* the people affected (wrist.org *plus* each of the attacked
sites who have contacted wrist.org) may stand a better chance
of getting action either from a LEA or directly from the ISPs.

This is a frequent problem; each incident is rarely big enough
on its own to provoke serious effort but the cumulative effect
is non-trivial. Many "Mom-and-Pop" "ISP"s don't have the
expertise to do the necessary work. However, the work could be
considerably reduced if the major high-level switching centres
were able to do "spot checks" and identify traffic that was
coming from the "wrong" *reverse* path according to the BGP
AS data that they have to have as part of the Internet backbone.
(Even better if they would just block it anyway; even better if
edge ISPs didn't allow it onto the Internet in the first place!)
I know that traffic can be routed asymmetrically, and that it is
necessary to allow for rerouting in failure modes, but I'm sure
it *could* be done if there was enough will to tackle the problem.
After all, RPF is an essential part of multicast handling...

-- 
        David Pick

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
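A strict/loose reverse-path check of the kind this message argues for, written as an added example for this archive page rather than code from the thread; the routing table, the interface names and the placement of wrist.org's prefix behind the upstream link are constructed assumptions:

```python
import ipaddress

# Constructed routing table for an edge router: (prefix, next-hop interface).
# 203.0.113.0/24 and 198.51.100.0/24 are RFC 5737 documentation ranges standing
# in for customer assignments; that wrist.org's /24 sits behind the upstream
# link is an assumption made for this example.
ROUTES = [
    (ipaddress.ip_network("0.0.0.0/0"), "upstream0"),
    (ipaddress.ip_network("203.0.113.0/24"), "cust0"),
    (ipaddress.ip_network("198.51.100.0/24"), "cust1"),
    (ipaddress.ip_network("216.111.239.0/24"), "upstream0"),
]
DEFAULT = ipaddress.ip_network("0.0.0.0/0")


def reverse_route(src, routes=ROUTES):
    """Longest-prefix match for src; returns (prefix, interface) or None."""
    addr = ipaddress.ip_address(src)
    matches = [(p, i) for p, i in routes if addr in p]
    return max(matches, key=lambda m: m[0].prefixlen) if matches else None


def rpf_pass(src, in_iface, mode="strict", routes=ROUTES):
    """Unicast RPF verdict for a packet with source src arriving on in_iface.

    strict: the best route back to src must leave via the arrival interface.
    loose:  src only has to be covered by some non-default route; this tolerates
            asymmetric routing but cannot catch a spoofed address that is
            legitimately routed somewhere else.
    """
    match = reverse_route(src, routes)
    if match is None or match[0] == DEFAULT:
        return False  # unrouted (or only default-routed) source: treat as bogon
    if mode == "loose":
        return True
    return match[1] == in_iface


def filter_flood(packets, mode="strict", routes=ROUTES):
    """Run the check over (src, in_iface) tuples; return the sources that fail."""
    return [src for src, iface in packets if not rpf_pass(src, iface, mode, routes)]


if __name__ == "__main__":
    # Constructed sample: a host on cust0 emits TCP/23 SYNs spoofed with wrist.org's
    # address, mixed with a legitimate packet from the customer's own prefix.
    flood = [("216.111.239.187", "cust0")] * 3 + [("203.0.113.7", "cust0")]
    print("strict drops:", filter_flood(flood))          # three spoofed sources
    print("loose drops:", filter_flood(flood, "loose"))  # []: wrist.org is routable
```

The loose-mode result is the caveat the message raises: only a strict check on the customer-facing edge, where routing is symmetric, stops a spoofed but globally routable source such as this one.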

