
Re: J'accuse!: Whitehouse and NSA vs. Panix and VTW



John Bashinski wrote:

| > Well IPSec provides for authentication of endpoints which would
| > identify the syn attacker.
| 
| Only if the attacker were so stupid as to put in valid authentication
| data identifying herself. 
| 
| I think IPSEC would allow you to throw away the SYNs without processing
| them and without putting anything in your incoming connection queue. On the
| other hand, you'd have to do all the authentication protocol and
| computation for each packet in order to determine that it was bogus. I can
| see where that could lead to a still worse denial-of-service attack if your
| IPSEC code wasn't properly written.

	This is not correct.  IPsec requires key negotiation, which
takes place as or after a connection starts.  (Photuris has a system
where a new connection requires a cookie be traded before any
expensive work gets done.  It does not avoid all work.)

	Peter DaSilva, in a posting to firewalls, suggested that
routers turn on record route on packets with SYN set.  My initial
reaction, that the core doesn't have the CPU, and the leafs will never
deploy, turns out to be wrong; the big providers can make it a
condition of connecting to them that this be done, and the problem of
non-existent return addresses substantially diminishes as soon as
cisco releases the software.  The core routers don't change, since
they are busy; the leafs do, since they need to connect to the core.

Adam


-- 
"It is seldom that liberty of any kind is lost all at once."
					               -Hume