[VOIPSEC] SYNCookie fallacies as an Anti-DDoS protection for VoIP
J. Oquendo
joquendo at hushmail.com
Fri Jul 7 12:28:30 CDT 2006
On Fri, 07 Jul 2006 12:29:23 -0400 Satyam Tyagi <styagi at sipera.com> wrote:
>Reply you completely misunderstood, Syn Cookie is for TCP.
TCP is also not widely used in VoIP networks as far as I know. Very
rare.
>down the attacker, increases resource requirements on the attacker and
>comes down to who has more horsepower. (We've evened out the odds)
Evened out the odds on what, resource requirements? I can send (from
my laptop) about 15,000 packets per second from one machine.
Imagine a 100,000 strong botnet. I can't think of any single
machine that can even this out. Session Border Controller? Doubt it.
>Also unless the attacker is directly sitting next to the server, to
>sniff responses he has to be sitting in the path of the spoofed address
>s/he initially used.
True to some extent. Since the topic was DDoS you obviously
underestimate the probabilities. How long do you think it would
take someone to re-script and re-send sequences that match?
>This is exactly the kind of attack I was talking about not the SYN
>flood when referring to our product.
When I'm done with my program I would love to test it against your
product. I still don't see where you would expect to deter my kind
of attack. Network level would be impossible against a botnet with
a combined connection going over DS3 speeds. Resource wise...
Information I am using is ranDumbly generated so you won't be able
to zero in on anything to filter it out. Even if you could,
information going through to the server would be a mixture of bogus
data and real data, so even if you did try to do some crafty
filtering, good luck. Check out what Richard Bejtlich said of one
program I wrote a long time ago...
http://archives.neohapsis.com/archives/incidents/2000-08/0242.html
Bubonic was a drop in the hole compared to what I'm working on.
Anyhow, right now I'm running my test Asterisk server on a Sunfire
280r with gigabit ethernet. I've been taking it down with a lowly
laptop over wireless so I can only imagine if I set up a dozen
machines plugged in with 100mb or better pipelines. Good luck
finding something you can throw at this if it does work.
perl -e 'print $i=pack(c5,(40*2),sqrt(7600),(unpack(c,Q)-3+1+3+3-7),oct(104),10,oct(101));'