Subject: Re: DoS
From: Horst von Brand (vonbrand@inf.utfsm.cl)
Date: Thu Apr 27 2000 - 11:33:22 CDT
- Next message: James Antill: "Re: OT: generating a (non guessable) token"
- Previous message: Crispin Cowan: "Re: Buffer Overflows and DoS"
- Maybe reply: Horst von Brand: "Re: DoS"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Fred Cohen <fc@all.net> said:
> Per the message sent by Horst von Brand:
> ...
> > Forget about saturating your link, or an upstream router, or whatever else
> > is in the way. For the attacker it is just:
> >     send any random (even fixed!) junk
> > For the defender it is at the very least:
> >     get packet
> >     compute hash function
> >     if (!in hash table)
> >         send "no dice" back
> Think harder. For the defender it's:
>     get first so many bytes of packet (no format checking please)
>     lookup bytes in hash table
>         (1.5 memory accesses on average - 256M RAM => 1M table entries)
>     If in table, respond - otherwise ignore.
OK.
> For attacker it's:
> Figure out where to send packets
Got that beforehand, your server can't go hopping from IP to IP at random
anyway, as clients have to be able to find it.
> Figure out how to get them from here to there in large enough quantity
> to have effect
No need. Just get out as much as you can.
> Build packets and push them out
OK.
> Keep adapting to keep up with the defense
Out of the loop anyway, it doesn't affect the attacker's inner loop in the
least.
Your defense sounds quite a bit like voluntary DoS to me: Clients won't be
able to find your server easily, and once they have found it, it will just
go away and pop up elsewhere.
> You can send all the packets you want to a part of the infrastructure we
> no longer use because you tried to exploit it - and as we remove your
> sites from the network and more and more people come to decide it's worth
> catching you, you will find that your workload goes up and up and up.
> You don't just need packet, you need the intelligence infrastructure to
> know where to send them.
You are assuming you have control over the network so you can shut the
attacker out. Not a reasonable assumption to make, the Internet is growing
crosslinks which are increasingly beyond the control of any single
entity. A 10,000-site attacker at 1 hour per attacker site taken out (this
is _extremely_ generous, as anybody who has tried to convince a remote
cluebie administrator of anything can tell you. BTW, they also increasingly
don't understand English at all...) is 1 year just for cleanup. After you
caught the perpetrator and put him in jail, that is; if not the attacker
will get new sites at the same rate.
The intelligence to find the parts of your server has to be public,
otherwise your clients can't find it. I.e., it is worthless for thwarting
an attacker.
The problem is that the same techniques you propose to use for the defense
work almost equally well for the attacker. And, as I said before, the
attacker needs much less coordination than your server, so you start with a
sizeable handicap AFAIKS (more infrastructure to attack, more internal
traffic that can be monitored, ...). Sure, as long as you assume that your
resources are an order of magnitude larger, you can get away with it. Not
everybody enjoys such a position... and that case is trivial anyway.
> > Surely this is more code/work than the attacker has to do, so given
> > equally powerful attacker and defender, you must lose. You won't
> > service your (additional to the above!) legitimate clients. DoS. The
> > fact that your
> Wrong again. You are assuming that attacker and defender know the same
> thing. This is a real bad assumption. You assume that by knowing what a
> few of our clients know you know all there is to know - a real bad
> assumption. Stop all these invalid assumptions.
If I know what your few clients know, I can at least DoS them, can't I?
> ...
> > Today the web of FTP servers does (somewhat) work in this way. And there
> > have been successful attacks at it (troyaned programs uploaded that then
> > were distributed among servers, for example). DNS works in a similar way,
> My ftp servers still worked.
And distributed garbage.
> > with replicas. It has also been taken out. True, these systems were not
> My DNS server still worked.
And gave wrong answers.
> > designed for withstanding a concerted attack. But the attacks weren't of
> > the kind we are discussing here either. A widespread fear of troyaned
> ...
> Yes - fear is a potent weapon - but we are again moving away from the
> subject at hand. Technical over-the-Internet attack and defense
> relating to denial of service.
What I was getting at is that a _technical_ solution to a _people_ problem
is essentially impossible. I still laugh at a cartoon from the height of
the StarWars (SDI) debate, which showed a few "delivery modes" not covered
by SDI. Among them a woman with a bomb in her luggage...
> ...
> > So you segregate "clients" (in the know) from "attackers" (in the dark).
> > Then in fact you have a closed network which just happens to be built on
> > top of the Internet. Not the kind of open service we are discussing here.
> I can implement it for very open services, but denying services to
> individual users is as easy as killing their browsers - trivial today.
Finding out that you should deny service is authentication. Can be
saturated ==> DoS
> So if your assertion is that you can deny individuals service if you are
> willing to try hard enough, I agree. But the goal of most organizations
> is not the survival of individuals but the whole.
If I can shut individuals out by trying hard enough, I can shut off all
individuals I want by trying harder. They don't get service, and the
attacker got away with it.
> ...
> > Sorry, but "thinking like the defender" has led very many people to a
> > sense of false security in the past. The only way to convince me that you
> Sorry - but this was thinking like they thought a defender should think -
> not like a defender should really think.
???
> > have counters for each attack would be a (mathematical, strict) proof of
> > impossibility of _all_ attacks. And such things are notoriously hard to get
> > (and get right...), so I'd be quite sceptical if you show me one.
> Thanks but no thanks. You are supporting the 'I can defeat any defense'
> claim - it's your job to prove your case - not mine to disprove it.
Easy: Give me enough resources, tell me exactly what point of your defense
I shall breach. Done, as I have the resources to do so (kindly provided by
you).
> ...
> > > Again - not thinking like a good defender. I can flex defensive
> > > services faster than you can find them and generate packets.
> > See? Here it goes again: You are in essence assuming infinite resources for
> > the _defender_. That case is trivial, as stated above. Not even with all
> > the US Gov't resources your defender can withstand a concerted attack by
> > all the rest of the world in practice, so this doesn't make sense either.
> It's a finite set of resources - but not infinite knowledge to the
> attackers. You are always assuming that the attacker knows everything
> the defender knows. It's a bad assumption.
Not necessary if I can assume the attacker has infinite resources. Just
shoot everything in sight, no need to find out if it is a foe or a
passerby.
-- 
Dr. Horst H. von Brand                      mailto:vonbrand@inf.utfsm.cl
Departamento de Informatica                 Fono: +56 32 654431
Universidad Tecnica Federico Santa Maria          +56 32 654239
Casilla 110-V, Valparaiso, Chile            Fax:  +56 32 797513
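The lookup filter Fred Cohen sketches above (first bytes of the packet as the key, respond if in the table, ignore otherwise), as an added example that is not part of the thread; the 16-byte prefix, the way tokens are issued and the sample traffic are assumptions. It also tallies the one table probe per packet that Horst's reply argues the defender pays no matter what the attacker sends.

```python
import hashlib
from collections import Counter

PREFIX_LEN = 16  # assumption: how many leading bytes form the lookup key


def issue_tokens(n_clients, prefix_len=PREFIX_LEN):
    """Defender's table: one fixed secret prefix per known client.
    Tokens are derived deterministically here only so the sample is
    reproducible; a real deployment would draw them from os.urandom."""
    return {hashlib.sha256(b"client-%d" % i).digest()[:prefix_len]
            for i in range(n_clients)}


def classify(table, packet, prefix_len=PREFIX_LEN):
    """The defender's inner loop as sketched in the thread: take the first
    bytes, look them up, respond if present, otherwise ignore.  There is
    deliberately no format checking, so a packet shorter than the prefix
    simply yields a key that can never match and is ignored."""
    return "respond" if packet[:prefix_len] in table else "ignore"


def run(table, packets, prefix_len=PREFIX_LEN):
    """Process a packet stream and tally outcomes.  'lookups' is the work
    the defender cannot avoid: one table probe per packet received,
    whether it came from a client or from a flood of junk."""
    counts = Counter()
    for pkt in packets:
        counts["lookups"] += 1
        counts[classify(table, pkt, prefix_len)] += 1
    return counts


def sample_traffic(table, n_junk):
    """Constructed traffic: one packet from each known client, then n_junk
    junk packets alternating between a fixed pattern and a truncated one."""
    legit = [tok + b"GET /index.html" for tok in sorted(table)]
    junk = [b"A" * 40 if i % 2 == 0 else b"\x00" * 8 for i in range(n_junk)]
    return legit + junk


if __name__ == "__main__":
    table = issue_tokens(3)
    # 3 real clients against a 1000-packet flood: 3 responses, 1000 ignores,
    # and 1003 lookups paid by the defender.
    print(dict(run(table, sample_traffic(table, 1000))))
```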