
Re: [PROPOSAL] DDOS - Distributed DoS (1 candidate)



Palmer said:

> I am considering whether the common entry point could be reduced to
> "Egress filtering not implemented or disabled,
> allowing spoofed IP packets to be sent". BTW, this would also
> prevent the use of decoys in port scanning, etc... This single CVE
> entry would be very powerful.

I should have thought of that, but there are already some candidates
that try to deal with lack of filtering. These were proposed last
summer but have not been accepted yet, because they are configuration
problems, and we all need to chew on those for a while ;-)

Note that there is no CVE entry or candidate for IP spoofing. However,
the Board did accept the TCP sequence number prediction entry
(CVE-1999-0077) and sequential port assignment (CVE-1999-0074), both of
which allow spoofing.

If we make DDOS a filtering problem, then there may be some overlap
with Smurf/CVE-1999-0513 (ICMP broadcast) and Fraggle/CVE-1999-0514
(UDP broadcast), which are described as a lack of filtering of
broadcast addresses. If you have found a new way to send broadcast
traffic and have it all come back to some target, then I'd say it's an
instance of Smurf or Fraggle. Given the tendency within CVE to avoid
overlap, is there anything fundamentally different about DDOS that
warrants a separate entry? For the Trinoo-related problem, I'd say
yes, because you are not dealing with arbitrary traffic to broadcast
addresses, but with directed commands to specific addresses.

> The weakness of this is that one could in theory still use DDoS tools
> even if you have egress filtering -- only they will be one shot guns,
> almost completely eliminating their appeal and effectiveness. One
> use, and they will be blocked, tracked down and destroyed efficiently.

Spoofing adds another level or two of complexity, but I think we are
agreeing here that the underlying "vulnerability" doesn't go away
completely, even if there is no spoofing and egress filtering is
implemented properly. The damage can still be done. This suggests to
me that there are at least two separate issues at play here -
"spoofing" and "something else," where "something else" could be "lack
of egress filtering and yet another thing."

To round out the topic of filtering, I've attached the other candidates
that were proposed last summer. They aren't pretty and they aren't
complete, but they do suggest that there may be a "middle-of-the-road"
approach to this thorny issue.

- Steve

=================================
Candidate: CAN-1999-0510
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990726
Assigned: 19990607
Category: CF

A router or firewall allows source routed packets from arbitrary hosts.
CONTENT-DECISIONS: CF-NETCONFIG

INFERRED ACTION: CAN-1999-0510 MOREVOTES (2 accept, 0 ack, 0 review) HAS_CDS

Current Votes:
  ACCEPT(1) Northcutt
  MODIFY(1) Frech

Comments:
  Frech> XF:source-routing

=================================
Candidate: CAN-1999-0528
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990726
Assigned: 19990607
Category: CF

A router or firewall forwards external packets that claim to come from
inside the network that the router/firewall is in front of.

CONTENT-DECISIONS: CF-NETCONFIG

INFERRED ACTION: CAN-1999-0528 MOREVOTES (1 accept, 0 ack, 1 review) HAS_CDS

Current Votes:
  ACCEPT(1) Northcutt
  REVIEWING(1) Frech

Comments:
  Frech> possibly XF:nisd-dns-fwd-check

=================================
Candidate: CAN-1999-0529
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990726
Assigned: 19990607
Category: CF

A router or firewall forwards packets that claim to come from IANA
reserved or private addresses, e.g. 10.x.x.x, 127.x.x.x, 217.x.x.x, etc.

CONTENT-DECISIONS: CF-NETCONFIG

INFERRED ACTION: CAN-1999-0529 REJECT (1 reject, 0 accept, 1 review) HAS_CDS

Current Votes:
  REJECT(1) Northcutt
  REVIEWING(1) Frech

Comments:
  Northcutt> I have seen ISPs "assign" private addresses within their domain

=================================
Candidate: CAN-1999-0588
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19990726
Assigned: 19990607
Category: CF

A filter in a router or firewall allows unusual fragmented packets.

CONTENT-DECISIONS: CF-NETCONFIG

INFERRED ACTION: CAN-1999-0588 REJECT (1 reject, 1 accept, 0 review) HAS_CDS

Current Votes:
  MODIFY(1) Frech
  REJECT(1) Northcutt

Comments:
  Northcutt> I want to vote to accept this one, but unusual is a shade broad.
  Frech> XF:nt-rras
  Frech> XF:cisco-fragmented-attacks
  Frech> XF:ip-frag
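The following is an added worked example, not part of the message above and not code from the CVE Editorial Board or any vendor. It shows a minimal BCP 38-style anti-spoofing policy that applies the checks the filtering candidates describe (source-routed packets, reserved/private source addresses, external packets claiming an inside source) plus the egress check Palmer proposes for DDoS agents. The protected prefix, interface names, bogon list and sample packets are all constructed for illustration; a real deployment would take them from its own addressing plan.

```python
# Added example: BCP 38-style ingress/egress anti-spoofing checks mirroring
# CAN-1999-0510, CAN-1999-0528 and CAN-1999-0529 plus egress filtering.
# Not code from the CVE board or a vendor; all prefixes and packets are
# constructed for illustration.
from dataclasses import dataclass
import ipaddress

# Constructed: the network the router/firewall sits in front of.
INSIDE_NETS = [ipaddress.ip_network("192.0.2.0/24")]

# Constructed bogon list: RFC 1918 space, loopback, "this" network, multicast.
# Tune it per deployment: Northcutt's objection to CAN-1999-0529 is that some
# ISPs hand out private addresses, so a fixed list can drop legitimate traffic.
BOGON_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "172.16.0.0/12",
    "192.168.0.0/16", "224.0.0.0/4")]


@dataclass
class Packet:
    iface: str                  # "outside" (Internet-facing) or "inside"
    src: str
    dst: str
    source_routed: bool = False  # IP option LSRR/SSRR present


def _in_any(addr, nets):
    return any(addr in n for n in nets)


def filter_packet(pkt):
    """Return ("ACCEPT", "") or ("DROP", reason) for one packet."""
    src = ipaddress.ip_address(pkt.src)
    if pkt.source_routed:                                       # CAN-1999-0510
        return ("DROP", "source-routed packet")
    if _in_any(src, BOGON_NETS):                                # CAN-1999-0529
        return ("DROP", "reserved or private source address")
    if pkt.iface == "outside" and _in_any(src, INSIDE_NETS):    # CAN-1999-0528
        return ("DROP", "external packet claims an inside source")
    if pkt.iface == "inside" and not _in_any(src, INSIDE_NETS):
        # Egress filtering: a DDoS agent on an inside host cannot forge its
        # source, so any flood it sends is traceable back to this network.
        return ("DROP", "inside host sending a spoofed source")
    return ("ACCEPT", "")


SAMPLE_PACKETS = [  # constructed traffic seen by the filter
    Packet("outside", "198.51.100.7", "192.0.2.10"),                    # normal inbound
    Packet("outside", "192.0.2.10", "192.0.2.20"),                      # inbound, spoofs inside
    Packet("outside", "10.1.2.3", "192.0.2.10"),                        # inbound from RFC 1918
    Packet("outside", "198.51.100.7", "192.0.2.10", source_routed=True),
    Packet("inside", "192.0.2.10", "203.0.113.5"),                      # normal outbound
    Packet("inside", "203.0.113.9", "203.0.113.5"),                     # agent spoofing a victim
]


def verdicts(packets=SAMPLE_PACKETS):
    """Apply filter_packet to each packet, preserving order."""
    return [filter_packet(p) for p in packets]


if __name__ == "__main__":
    for p, (action, why) in zip(SAMPLE_PACKETS, verdicts()):
        print(f"{p.iface:7} {p.src:>15} -> {p.dst:<15} {action:6} {why}")
```

Order matters: the source-route and bogon checks run on both interfaces, while the direction checks depend on which interface the packet arrived on. The last rule is the one that turns a DDoS agent into the "one shot gun" Palmer describes, and the bogon list is where the CAN-1999-0529 objection bites, so it is the part to review against the local addressing plan before deploying.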

Page Last Updated or Reviewed: May 22, 2007