Subject: Re: DoS
From: Horst von Brand (vonbrand@sleipnir.valparaiso.cl)
Date: Wed Apr 26 2000 - 21:12:10 CDT
Fred Cohen <fc@all.net> said.
> Per the message sent by Horst von Brand:
> ...
> > The cost for the server is a table lookup in a huge table; the cost for the
> > attacker is nil (just send out some constant (or even changing), random
> > junk). The cost for the attacker is still much less than the cost for the
> > server; and the cost for the client is prohibitive.
> Good try - but you might read up on hashtables. It doesn't matter that
> you can send random junk as long as I can check at the rate of the
> available bandwidth - which I can do if I take the time and effort to
> design my defenses well.
Forget about saturating your link, or an upstream router, or whatever else
is in the way. For the attacker it is just:

    send any random (even fixed!) junk

For the defender it is at the very least:

    get packet
    compute hash function
    if (!in hash table)
        send "no dice" back

Surely this is more code/work than the attacker has to do, so given equally
powerful attacker and defender, you must lose. You won't service your
(additional to the above!) legitimate clients. DoS. The fact that your
server is scattered all over the place doesn't make a difference here, and
not even the "infinite power for the attacker" inherent in "impossible to
DoS" has to be used for this proof to go through. Sure, to take out
something like that is orders of magnitude harder than current servers, but
by no means impossible. OTOH, setting up something like that is also orders
of magnitude harder than setting up a traditional server, so I don't see
any clear win doing this, except for very specific applications, and having
(very many copies of) the full server at arm's length of any miscreant
flitting about isn't exactly the infrastructure that can be used for very
many services.
Today the web of FTP servers does (somewhat) work in this way. And there
have been successful attacks at it (trojaned programs uploaded that then
were distributed among servers, for example). DNS works in a similar way,
with replicas. It has also been taken out. True, these systems were not
designed for withstanding a concerted attack. But the attacks weren't of
the kind we are discussing here either. A widespread fear of trojaned
kernels on ftp.kernel.org would effectively take out the system without
even touching it. Something like that happened a few years back with a
virus scare in Argentina, IIRC: So many people were afraid of turning on
their computers a specific day that it caused noticeable trouble. A foe
taking over a few ftp.*.kernel.org sites (or taking over DNS for them, even
if the effect is localized to a few large ISPs for example) could undermine
the system quite effectively, even if it affects just a few sites.
> > > 2) You need to get the addresses of all those sites in order to attack
> > > them, and this is not trivial - it requires a feedback path and produces
> > > increased traceability and complexity in the attack.
> > Your clients have to do the same, so this will get lost in the noise.
> You misunderstand. My clients know the code and get more code as they
> use the service more and the service moves on.
So you segregate "clients" (in the know) from "attackers" (in the dark).
Then in fact you have a closed network which just happens to be built on
top of the Internet. Not the kind of open service we are discussing here.
> > Nobody says all the mapping has to be done form one address. In the
> > end, if you can set up this to provide a service, I can set up
> > something similar to counterattack. And the attack will need much less
> > coordination than the service, so I think you are at a disadvantage
> > anyway.
> It's just not right. You need to stop thinking exclusively like an
> attacker and start thinking a bit like a defender in order to realize
> that for all of your attacks, I have counters. Think about how to defend
> instead of throwing random possible attacks up.
Sorry, but "thinking like the defender" has led very many people to a
sense of false security in the past. The only way to convince me that you
have counters for each attack would be a (mathematical, strict) proof of
impossibility of _all_ attacks. And such things are notoriously hard to get
(and get right...), so I'd be quite sceptical if you show me one.
Again, your server is _finite_. To show a DoS is impossible in principle,
you are allowing the attacker infinite resources. But given infinite
resources for the attacker, any given DoS is trivial. Scattering your
server all over the place doesn't help, the attacker can just let go at
everything in sight, whether it is part of your server or not. The case you
are considering is really the case of a closed network with finite
resources for the attacker. And there any DoS can be trivially made
impossible by throwing enough resources at the server (whatever it might
be).
[...]
> > It takes a much larger amount of time to set up such a service, so you
> > have a DoS of "wait a couple of years until we are ready for you" ;-)
> Again - not thinking like a good defender. I can flex defensive
> services faster than you can find them and generate packets.
See? Here it goes again: You are in essence assuming infinite resources for
the _defender_. That case is trivial, as stated above. Not even with all
the US Gov't resources your defender can withstand a concerted attack by
all the rest of the world in practice, so this doesn't make sense either.
> > > 4) If I can flex my infrastructure (which I can) faster than you can
> > > flex your attack capability (highly likely) then your attack will never
> > > succeed, but you will be very high profile and attract a lot of return
> > > fire.
> > You are assuming that the server can muster more resources than any
> > attacker. Might be true in some cases, not always true.
> You assume that the attacker can out-think and out-resource the
> defender. This is almost never true. Benny Hill - the famous British
> comic (now departed) coined this little quip...
>
> When you assume - you make an ASS of U and ME
Attackers today are mostly random vandals. Your infrastructure will survive
such, sure. See above for systems that have survived them for many years
even without any shred of design for concerted security, so this doesn't
say much. And it will probably also survive concerted attacks which aren't
of large enough scale.
And please, again: If you say that IN PRINCIPLE it is IMPOSSIBLE to DoS
your server, you can't then turn around and say that outwitting and/or
outresourcing your server is unfair.
--
Horst von Brand                             vonbrand@sleipnir.valparaiso.cl
Casilla 9G, Viña del Mar, Chile                               +56 32 672616
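To make the cost argument in the message above concrete, here is an added example of my own (a constructed model, not code from Horst von Brand, Fred Cohen or the list): a defender whose only per-packet work is the hash-and-lookup path the message lists, with an assumed budget of checks per tick, receiving a stream of fixed junk interleaved with legitimate client tokens. The token table, the packet rates and the budget are all assumptions chosen for illustration.

```python
"""Constructed capacity model for the hash-table check discussed in the thread.

Not code from the thread: the token table, packet sizes and rates are
assumptions chosen to illustrate the argument. Each tick the defender can
afford `budget` hash-and-lookup operations; junk and legitimate packets
arrive interleaved and compete for them.
"""
import hashlib
import random

# The attacker's fixed junk (constructed); emitting it is the attacker's whole per-packet cost.
JUNK = b"\x00" * 64


def token_digest(token: bytes) -> bytes:
    # Hash stage of the defender's per-packet path.
    return hashlib.blake2b(token, digest_size=16).digest()


def build_table(tokens) -> set:
    # The "huge table" of known client tokens, keyed by digest.
    return {token_digest(t) for t in tokens}


def defender_handle(packet: bytes, table: set) -> bytes:
    # Hash, look up, and answer "no dice" to anything unknown.
    if token_digest(packet) not in table:
        return b"no dice"
    return b"ok"


def simulate(table, client_tokens, attack_per_tick, client_per_tick,
             budget, ticks, seed=0):
    """Return how many legitimate packets were served over `ticks` ticks.

    Packets beyond the per-tick budget are dropped unchecked: the defender
    cannot tell junk from a client token without paying for the lookup.
    """
    rng = random.Random(seed)
    served = 0
    for _ in range(ticks):
        arrivals = [JUNK] * attack_per_tick
        arrivals += [rng.choice(client_tokens) for _ in range(client_per_tick)]
        rng.shuffle(arrivals)  # junk and clients share the same input queue
        checks_left = budget
        for packet in arrivals:
            if checks_left == 0:
                break  # budget spent: the rest of the tick's queue is lost
            checks_left -= 1
            if defender_handle(packet, table) == b"ok":
                served += 1
    return served


# Assumed client population (constructed).
CLIENT_TOKENS = [f"client-{i}".encode() for i in range(1000)]
TABLE = build_table(CLIENT_TOKENS)


def served_fraction(attack_per_tick, client_per_tick=10, budget=50, ticks=100):
    # Fraction of legitimate packets that received a lookup and an "ok".
    served = simulate(TABLE, CLIENT_TOKENS, attack_per_tick, client_per_tick,
                      budget, ticks)
    return served / (client_per_tick * ticks)


if __name__ == "__main__":
    for rate in (0, 40, 90, 490):
        print(f"junk/tick={rate:4d}  legitimate served: {served_fraction(rate):.2f}")
```

With the budget at or above the arrival rate (the "check at the rate of the available bandwidth" case), every client is answered. Once junk alone exceeds the budget, the served fraction falls to roughly budget/(junk + clients), because a packet has to be hashed before it can be told apart from a client; that is the per-packet asymmetry the message is pointing at.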