
is this something new?


Go Drex

Jan 14, 2002, 11:13:45 PM
from grc.com:

Gang,

As you may know, we were the target of a new sort of attack very
early this morning. We were restored to operation after four hours
of complete outage when I characterized the attack and was able to
filter a large part of the nonsense. However, after 13 hours, well
into the day, the attack continues unabated.

We were initially driven off the Internet by a flood of SYN/ACK and
RST/ACK packets -- all having a source port of 179 and apparently
random destination ports. These flooding packets were apparently
(and confirmed) coming from the Internet's core routers! Our own
ISP's (Verio) routers were 'attacking' us, as were the routers of
other large ISPs, a few of the main DNS root servers, and many of the
web servers belonging to YAHOO.COM.

I placed 'attacking' in quotes above since all of these machines were
innocent bystanders in the attack. However, as detailed below, they
were utilized to swamp our bandwidth and force us off the Net.

Since we do not have any need for port 179 traffic -- which is the
Border Gateway Protocol (BGP) used for inter-router communications --
we were able to readily block that traffic at Verio's upstream
"aggregation" router.

But ... the second we did that, another whole class of additional
flooding attack (which had been unable to compete with the core
routers overwhelming BGP attack) showed itself for the first time. It
had been buried "beneath" the main thrust of the attack.

With the unneeded BGP protocol now blocked, we were getting SYN/ACK
and RST/ACK packet floods coming from ports 22 (SSH), 23 (TELNET), 53
(DNS) and 80 (HTTP) of hundreds of actual machines (including many at
YAHOO.COM and even one at NSA.GOV) spread across the Internet.

This second-tier of traffic was being sourced by well-connected but
similarly innocent servers.

-------------------------------------------------------------------
Here is what someone has done, and why it's rather clever ...
-------------------------------------------------------------------

Someone, or some group of people, has accumulated a large list of
well-connected server IP and corresponding TCP service ports out on
the Internet. Among these are several hundred well-connected routers
serving the BGP (port 179) protocol. This list also includes many
other servers listening to other common service ports including SSH,
TELNET, DNS, and HTTP.

Using raw sockets on an unknown platform (presumably UNIX) in order
to spoof the source IP and generate isolated SYN packets, SYN packets
are "sprayed" at each machine in their list and at that machine's
corresponding listening TCP service port. (BGP for the routers, HTTP
for YAHOO, etc.)

In each case, the spoofed source IP is the attack target. For this
attack it was the IP of the grc.com server ... thus crossing our
Internet connection and saturating our connection bandwidth.

The bandwidth of the "spray" is such that no one of these
"intermediary" target servers receives a "flooding-level" of SYN
packets. So each such server is never placed into DoS by the packet
originator, and no alarms are raised locally.

However, for every new SYN packet arriving at one of these servers,
that server, believing that a TCP connection is being requested and
initiated, replies to the apparent sender with a SYN/ACK packet.
That SYN/ACK packet is, of course, aimed at the APPARENT source of
the SYN ... in this case grc.com.

So ... grc.com is consequently subjected to a massive Distributed
Denial of Service (DDoS) attack from many hundreds of well-meaning
and innocent Internet servers. And none of those servers is being
inconvenienced by its role in this attack.

-------------------------------------------------------------------
Why is this rather clever?
-------------------------------------------------------------------

Unlike traditional DDoS attacks, where a high-bandwidth spoofed-SYN
flood can be traced back up the router chain towards its actual
bandwidth source (because it has a common although spoofed
destination IP), the use of a large number of intermediate TCP
servers prevents any single "stream" from having enough bandwidth to
sound any alarms. And all of these low-bandwidth streams are coming
from very different physically isolated servers.

Conceivably, only a very few malicious and well-connected
SYN-generating machines would be required to "spray" the SYN packets out
across a large number of intermediate servers. Each of these
malicious well-connected machines is generating packets at its
maximum speed, but since those packets are so widely distributed,
none of the intermediate recipient machines is unduly inconvenienced.

This also creates a more manageable architecture than the traditional
comparatively difficult to establish many-machine multi-tier DDoS
system.

And finally, there is a very good chance that the intermediate
machine will generate MULTIPLE SYN/ACK packets for every SYN packet
received. Since traditional TCP stacks will typically generate four
SYN/ACK packets in response to the receipt of an unanswered SYN
packet (believing that their responding SYN/ACK might have been lost
in transit) this system has a FACTOR FOUR bandwidth multiplying
effect. (If the receiving target system can get a "RST" packet back
to the originating server then further SYN/ACKs will be averted.
However, since many commercial enterprise-level firewalls simply drop
unsolicited SYN/ACK packets, the bandwidth multiplication effect
reigns.)

Therefore, the use of intermediate TCP servers has the effect of
quadrupling the original input bandwidth ... which they are
innocently aiming at the attack target.

Any site lacking extremely comprehensive and unusually tight upstream
filtering will probably be placed into a sustained Denial of Service
by the flood of SYN/ACK and RST/ACK traffic pouring into it from many
hundreds of well-connected public servers.

-------------------------------------------------------------------
One last note:
-------------------------------------------------------------------

This attack will NOT appear on the "radar screens" of the
organizations monitoring traditional spoofed source IP SYN floods and
other similar attacks. There will be no monitorable "backscatter"
from this attack since every IP used is for that of a valid machine.

For all of these reasons, this new style of attack creates a very
potent, highly effective, difficult to filter, stealth distributed
denial of service.

--
_________________________________________________________________
Steve Gibson, at work on: < inter-project loose ends>


I thought it was interesting...
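The message above describes a signature a defender can actually look for: SYN/ACK and RST/ACK packets arriving from one well-known source port on many different hosts, aimed at random local ports, none of which answer a SYN the protected server ever sent. The following is an added example written for this thread, not code from grc.com or any poster: it replays a constructed packet capture through a small stateful checker that separates solicited replies (we sent the SYN) from reflections (we did not), groups the reflections by source port, and flags ports where the count of distinct reflectors crosses a threshold. The addresses, the `Packet` record format and the `min_reflectors=3` threshold are all assumptions made for the example; in a real deployment the pending-SYN set would be seeded from the host's connection table so that connections opened before the capture started are not misreported.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed address for the server being protected (RFC 5737 documentation range).
OUR_IP = "192.0.2.10"


@dataclass(frozen=True)
class Packet:
    """One TCP packet as a flow monitor might record it (constructed format)."""
    ts: float          # seconds since start of capture
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    flags: str         # "S" = SYN, "SA" = SYN/ACK, "RA" = RST/ACK, "A" = ACK


def unsolicited_replies(packets, our_ip=OUR_IP):
    """Return inbound SYN/ACK and RST/ACK packets that answer no SYN of ours.

    A reply is solicited when we earlier sent a SYN to exactly that remote
    ip:port from the local port the reply is addressed to. Anything else is a
    reflection: some host answered a SYN that carried our address but did not
    come from us. Result is {remote_source_port: [Packet, ...]}.
    """
    pending = set()               # (our_port, remote_ip, remote_port) we SYN'd to
    reflected = defaultdict(list)
    for p in sorted(packets, key=lambda pkt: pkt.ts):
        if p.src_ip == our_ip and p.flags == "S":
            pending.add((p.src_port, p.dst_ip, p.dst_port))
        elif p.dst_ip == our_ip and p.flags in ("SA", "RA"):
            if (p.dst_port, p.src_ip, p.src_port) in pending:
                continue          # the handshake we started; nothing to flag
            reflected[p.src_port].append(p)
    return reflected


def reflection_report(packets, our_ip=OUR_IP, min_reflectors=3):
    """Summarise reflections per source port and flag ports worth filtering upstream.

    The alert criterion is the pattern the message describes: replies from many
    *distinct* hosts that all share one service port and match no connection
    attempt of ours. The threshold is an assumption for this example.
    """
    report = {}
    for sport, pkts in unsolicited_replies(packets, our_ip).items():
        reflectors = {p.src_ip for p in pkts}
        report[sport] = {
            "packets": len(pkts),
            "reflectors": len(reflectors),
            "synack": sum(1 for p in pkts if p.flags == "SA"),
            "rstack": sum(1 for p in pkts if p.flags == "RA"),
            "alert": len(reflectors) >= min_reflectors,
        }
    return report


# Constructed capture: one legitimate HTTPS handshake we initiated, then a burst
# of SYN/ACK and RST/ACK packets from source port 179 (BGP) on five different
# hosts, plus two port-80 replies, all aimed at random local ports.
SAMPLE_CAPTURE = [
    Packet(0.00, OUR_IP, 40001, "198.51.100.5", 443, "S"),
    Packet(0.02, "198.51.100.5", 443, OUR_IP, 40001, "SA"),
    Packet(0.03, OUR_IP, 40001, "198.51.100.5", 443, "A"),
    Packet(1.00, "203.0.113.1", 179, OUR_IP, 51234, "SA"),
    Packet(1.01, "203.0.113.2", 179, OUR_IP, 7722, "SA"),
    Packet(1.02, "203.0.113.3", 179, OUR_IP, 60010, "SA"),
    Packet(1.03, "203.0.113.4", 179, OUR_IP, 2205, "RA"),
    Packet(1.04, "203.0.113.5", 179, OUR_IP, 31337, "SA"),
    Packet(1.05, "203.0.113.1", 179, OUR_IP, 51234, "SA"),   # retransmitted SYN/ACK
    Packet(1.10, "203.0.113.20", 80, OUR_IP, 4444, "SA"),
    Packet(1.11, "203.0.113.21", 80, OUR_IP, 4445, "SA"),
]

if __name__ == "__main__":
    for sport, row in sorted(reflection_report(SAMPLE_CAPTURE).items()):
        flag = "ALERT" if row["alert"] else "ok"
        print(f"src port {sport:>5}: {row['packets']} pkts from {row['reflectors']} hosts "
              f"({row['synack']} SYN/ACK, {row['rstack']} RST/ACK) {flag}")
```

Run on the sample, port 179 is flagged (six packets from five distinct hosts) while port 80, with only two hosts, stays below the threshold and the solicited reply from port 443 is not reported at all. That per-port view is what makes the upstream filter the message mentions (drop inbound TCP with source port 179 at the aggregation router) defensible: the decision rests on the number of unrelated reflectors, not on packet volume alone.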


Thierry

Jan 15, 2002, 8:38:23 AM

[Please apply your "ignore grammar and typo error" filter to this post]
Typed in a hurry, and without caring too much as I can't stand Gibson.

> We were initially driven off the Internet by a flood of SYN/ACK and
> RST/ACK packets -- all having a source port of 179 and apparently
> random destination ports.

Read: fact.

> These flooding packets were apparently
> (and confirmed) coming from the Internet's core routers!

If confirmed, removing "the apparently" would have been a wise thing to
do.
Read: opinion.

> as were the routers of
> other large ISPs, a few of the main DNS root servers, and many of the
> web servers belonging to YAHOO.COM.

Ridiculous, the root DNS servers attack him, oh my god. PERHAPS
*someone* spoofed packets to the DNS server which had the source IP as
grc.com's, so the DNS server was ANSWERING him, NOT attacking him.

> we were able to readily block that traffic at Verio's upstream
> "aggregation" router.

Superb, replace "we" with Verio.



> With the unneeded BGP protocol now blocked, we were getting SYN/ACK
> and RST/ACK packet floods coming from ports 22 (SSH), 23 (TELNET), 53
> (DNS) and 80 (HTTP) of hundreds of actual machines (including many at
> YAHOO.COM and even one at NSA.GOV) spread across the Internet.

Dude, you NEVER thought that these IPs and hostnames are actually
spoofed? ROFLMAO, you write tons of useless pages about raw sockets but
when it's time to conceive that those packets may have been spoofed you
just flush it.

> This second-tier of traffic was being sourced by well-connected but
> similarly innocent servers.

So were the genuine requests to your site.



> Someone, or some group of people, have accumulated a large list of
> well-connected server IP and corresponding TCP service ports out on
> the Internet.

not very difficult.

> Among these are several hundred well-connected routers
> serving the BGP (port 179) protocol.

they nearly all do.

> This list also includes many
> other servers listening to other common service ports including SSH,
> TELNET, DNS, and HTTP.

> Using raw sockets on an unknown platform (presumably UNIX) in order
> to spoof the source IP and generate isolated SYN packets, SYN packets
> are "sprayed" at each machine in their list and at that machine's
> corresponding listening TCP service port. (BGP for the routers, HTTP
> for YAHOO. etc.)

This is not very clear. They could have simply spoofed the source
address *completely* and not had to rely on
first contacting the server YAHOO or whatever with a spoofed packet.....



> In each case, the spoofed source IP is the attack target. For this
> attack it was the IP of the grc.com server ... thus crossing our
> Internet connection and saturating our connection bandwidth.

Read: they send a TCP packet (in the case of TCP) to Yahoo, having the
source as GRC.com. Nothing new, done for years.



> The bandwidth of the "spray" is such that no one of these
> "intermediary" target servers receives a "flooding-level" of SYN
> packets. So each such server is never placed into DoS by the packet
> originator, and no alarms are raised locally.

Read: we are clueless schmucks.
If the attackers send a packet to Yahoo to a port which was open (i.e.
80), (with the source of grc.com etc.) Yahoo is more in trouble than if
they send it to a closed port, as they would sit there waiting for an
answer to their SYN-ACK packet (Yahoo's view). IF they send it to a
closed port Yahoo doesn't wait and sends an RST packet right away, which
is a very small packet and you need a tough amount of packets to get
somebody down with RST packets.

> However, for every new SYN packet arriving at one of these servers,
> that server, believing that a TCP connection is being requested and
> initiated, replies to the apparent sender with a SYN/ACK packet.

First he tells us Yahoo has not been inconvenienced and then
goes on talking about a SYN attack TO Yahoo.
IF Yahoo replies with a SYN/ACK they have been inconvenienced by this
attack, because they are waiting for a reply (sent to an open port); if
they answer with an RST (sent to a closed port) they are inconvenienced
too, but to a much lesser degree.
After I personally explained the difference between a SYN attack to an
open port and a closed port to Gibson he still doesn't get it.


> That SYN/ACK packet is, of course, aimed at the APPARENT source of
> the SYN ... in this case grc.com.

SYN SYN SYN, do you have any other word in your dictionary?



> So ... grc.com is consequently subjected to a massive Distributed
> Denial of Service (DDoS) attack from many hundreds of well-meaning
> and innocent Internet servers. And none of those servers is being
> inconvenienced by its role in this attack.

LOL, you are not serious, are you? If Yahoo sends tons of SYN/ACK
packets towards you
they ARE inconvenienced.



> This also creates a more manageable architecture than the traditional
> comparatively difficult to establish many-machine multi-tier DDoS
> system.

Multi-tier DDoS, is like "whiter white". Makes no sense.



> Therefore, the use of intermediate TCP servers has the effect of
> quadrupling the original input bandwidth ... which they are
> innocently aiming at the attack target.

Oh yeah, precise numbers: it's quadrupling, folks, not tripling, no,
quadrupling.
Read: Bull, opinion.

> This attack will NOT appear on the "radar screens" of the
> organizations monitoring traditional spoofed source IP SYN floods and
> other similar attacks.

Why? What does Gibson know about Yahoo's security measures? Nada, niente.

> For all of these reasons, this new style of attack creates a very
> potent, highly effective, difficult to filter, stealth distributed
> denial of service.

Yeah! Let's accumulate the trigger words, add another one to it, come on.
Nothing new to this attack. Except it targeted Gibson's site. Duh.

the Pull

Jan 15, 2002, 9:01:13 AM
LOL

Saboteur

Jan 16, 2002, 9:45:14 AM
Thierry <Thi...@sniff-em.com> wrote in message news:<3C4430CF...@sniff-em.com>...

LOL, hasn't it always been Gibson's site?

It seems as if he has to "entertain" his followers, until his
"super-secret-awesome-never-thought-of-before project-X". Heh, can't
wait for that! ;)

And what about that "firewall breaker" that he was supposed to be
coming out with? Can't remember, it's been years :)

Steve's probably suffered this sort of attack before, loads of times,
but by using new repetitive words, he is able to keep his readers
occupied!!

SYN, GIMME SYN, I WANT SYYYYYNNNNNNNNN!!!!!!!!!!!

the Pull

Jan 16, 2002, 12:05:38 PM

SYN is just something we all have to live with.

Thierry

Jan 16, 2002, 1:35:36 PM
> SYN is just something we all have to live with.
11th commandment: You shall not SYN
;)