Subject: Re: DoS
From: Fred Cohen (fc at all.net)
Date: Wed Apr 26 2000 - 23:39:17 CDT
Per the message sent by Horst von Brand:
...
> Forget about saturating your link, or an upstream router, or whatever else
> is in the way. For the attacker it is just:
>
> send any random (even fixed!) junk
>
> For the defender it is at the very least:
>
> get packet
> compute hash function
> if (!in hash table)
> send "no dice" back
Think harder. For the defender it's:
get first so many bytes of packet (no format checking please)
lookup bytes in hash table
(1.5 memory accesses on average - 256M RAM => 1M table entries)
If in table, respond - otherwise ignore.
For attacker it's:
Figure out where to send packets
Figure out how to get them from here to there in large enough quantity to have effect
Build packets and push them out
Keep adapting to keep up with the defense
You can send all the packets you want to a part of the infrastructure we
no longer use because you tried to exploit it - and as we remove your
sites from the network and more and more people come to decide it's
worth catching you, you will find that your workload goes up and up and
up. You don't just need packets, you need the intelligence infrastructure to
know where to send them.
> Surely this is more code/work than the attacker has to do, so given equally
> powerful attacker and defender, you must lose. You won't service your
> (additional to the above!) legitimate clients. DoS. The fact that your
Wrong again. You are assuming that attacker and defender know the same
thing. This is a real bad assumption. You assume that by knowing what
a few of our clients know you know all there is to know - a real bad
assumption. Stop all these invalid assumptions.
...
> Today the web of FTP servers does (somewhat) work in this way. And there
> have been successful attacks at it (trojaned programs uploaded that then
> were distributed among servers, for example). DNS works in a similar way,
My ftp servers still worked.
> with replicas. It has also been taken out. True, these systems were not
My DNS server still worked.
> designed for withstanding a concerted attack. But the attacks weren't of
> the kind we are discussing here either. A widespread fear of trojaned
...
Yes - fear is a potent weapon - but we are again moving away from the
subject at hand. Technical over-the-Internet attack and defense
relating to denial of service.
...
> So you segregate "clients" (in the know) from "attackers" (in the dark).
> Then in fact you have a closed network which just happens to be built on
> top of the Internet. Not the kind of open service we are discussing here.
I can implement it for very open services, but denying services to
individual users is as easy as killing their browsers - trivial today.
So if your assertion is that you can deny individuals service if you are
willing to try hard enough, I agree. But the goal of most organizations
is not the survival of individuals but the whole.
...
> Sorry, but "thinking like the defender" has led very many people to a
> sense of false security in the past. The only way to convince me that you
Sorry - but this was thinking like they thought a defender should think -
not like a defender should really think.
> have counters for each attack would be a (mathematical, strict) proof of
> impossibility of _all_ attacks. And such things are notoriously hard to get
> (and get right...), so I'd be quite sceptical if you show me one.
Thanks but no thanks. You are supporting the 'I can defeat any defense'
claim - it's your job to prove your case - not mine to disprove it.
...
> > Again - not thinking like a good defender. I can flex defensive
> > services faster than you can find them and generate packets.
>
> See? Here it goes again: You are in essence assuming infinite resources for
> the _defender_. That case is trivial, as stated above. Not even with all
> the US Gov't resources your defender can withstand a concerted attack by
> all the rest of the world in practice, so this doesn't make sense either.
It's a finite set of resources - but not infinite knowledge to the
attackers. You are always assuming that the attacker knows everything
the defender knows. It's a bad assumption.
FC
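The defender-side filter Fred sketches above (take the first bytes of each packet, look them up in a hash table, respond only on a hit) written out as an added example; this is not code from either correspondent. The per-client secrets, the HMAC-derived token and the epoch-based table rotation (standing in for "flexing" the defense) are assumptions made to show why an attacker who does not share the clients' knowledge cannot craft a packet that costs the defender more than one table lookup.

```python
import hashlib
import hmac
from typing import Dict, Optional

PREFIX_LEN = 16  # bytes consulted per packet before any format parsing


def client_token(secret: bytes, epoch: int) -> bytes:
    """Token a client in the know prepends to every packet during `epoch`.

    Assumption: clients share a per-client secret with the defender and
    derive the token with HMAC-SHA256, so nobody without the secret can
    guess it, and rotating `epoch` invalidates every old token at once.
    """
    return hmac.new(secret, epoch.to_bytes(8, "big"), hashlib.sha256).digest()[:PREFIX_LEN]


class PrefixFilter:
    """Hash-table front end: one lookup per packet, no parsing of misses."""

    def __init__(self, secrets: Dict[str, bytes]) -> None:
        self.secrets = secrets            # client name -> shared secret
        self.table: Dict[bytes, str] = {}  # current token -> client name
        self.served = 0
        self.dropped = 0

    def rotate(self, epoch: int) -> None:
        """Rebuild the lookup table for a new epoch (the defense moves)."""
        self.table = {client_token(s, epoch): name for name, s in self.secrets.items()}

    def handle(self, packet: bytes) -> Optional[str]:
        """Return the client to respond to, or None to ignore the packet."""
        name = self.table.get(packet[:PREFIX_LEN])  # single hash lookup
        if name is None:
            self.dropped += 1   # junk from the dark: no reply, no work
            return None
        self.served += 1
        return name


if __name__ == "__main__":
    # Constructed sample: two clients in the know, one stream of junk.
    f = PrefixFilter({"alice": b"alice-secret", "bob": b"bob-secret"})
    f.rotate(epoch=1)
    print(f.handle(client_token(b"alice-secret", 1) + b"GET /"))  # alice
    print(f.handle(b"\x00" * 40))                                  # None
    f.rotate(epoch=2)
    print(f.handle(client_token(b"alice-secret", 1) + b"GET /"))  # None (stale)
    print(f"served={f.served} dropped={f.dropped}")
```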