1 / 10

Base on RFC 2827 Lector Kirill Motul

Network Ingress Filtering: Defeating Denial of Service Attacks which employ IP Source Address Spoofing. Base on RFC 2827 Lector Kirill Motul. Content. 1. Introduction 2. Background 3. Restricting forged traffic 4. Further capabilities for networking equipment. 5. Liabilities

yori
Download Presentation

Base on RFC 2827 Lector Kirill Motul

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Network Ingress Filtering: Defeating Denial of Service Attacks which employ IP Source Address Spoofing Base on RFC 2827 Lector Kirill Motul

  2. Content • 1. Introduction • 2. Background • 3. Restricting forged traffic • 4. Further capabilities for networking equipment. • 5. Liabilities • 6. Summary

  3. Introduction • What is DoS attack? • Last know DoS attack. • Why this method born? • What this method do? • What this method can’t do?

  4. Background internet host attacker router router 204.69.207.0/24 Tcp/syn SYN/ACK No route Source: 192.168.0.4/32 Tcp/syn SYN/ACK No route Source: 10.0.0.13/32 Tcp/syn Source: 172.16.0.2/32 SYN/ACK No route [etc…]

  5. Background What may be happen after previos slide? • Attacked system crash. • Attacker put the blame on another host. • Administrator of host mashine close enter for “sourcer” addreses.

  6. Backgound Methods of attack and sollution • TCP (SYN-ACK) Network Ingress Filtering ? • UDP (ECHO to another site) Systems administrators should NEVER allow UDP packets destined for system diagnostic ports from outside of their administrative domain to reach their systems • ICMP (broadcast) System administrators should consider ensuring that their border routers do not allow directed broadcast packets to be forwarded through their routers as a default. Universal sollution : modified software to allow the targeted servers to sustain attacks with very high connection attempt rates

  7. Restricting forged traffic Router 1 Router 2 ISP B ISP A 204.69.207.0/24 attacker ISP C ISP D Router 3 IF packet's source address from within 204.69.207.0/24 THEN forward as appropriate IF packet's source address is anything else THEN deny packet

  8. Further possible capabilities for networking equipment • Implementation of automatic filtering on remote access servers(The ONLY valid source IP address for packets originating from that PC is the one assigned by the ISP (whether statically or dynamically assigned)). • Routers validate the source IP address (methodology will not operate well in the real networks out there today).

  9. Liabilities and sollution Filtering of this nature has the potential to break some types of "special" services. • Mobile IP Home agent Internet Home agent Internet Tunneling Tunneling mobile mobile

  10. Summary • Ingress traffic filtering at the periphery of Internet connected networks will reduce the effectiveness of source address spoofing denial of service attacks • Network service providers and administrators have already begun implementing this type of filtering on periphery routers, and it is recommended that all service providers do so as soon as possible.

More Related