[VOIPSEC] SYNCookie fallacies as an Anti-DDoS protection for VoIP
Satyam Tyagi
styagi at sipera.com
Fri Jul 7 15:14:19 CDT 2006
>TCP is also not widely used in VoIP networks as far as I know. Very
>rare.
Quoting again from my previous e-mail
"The same technique can be applied to any other three way handshake
protocol."
>True to some extent. Since the topic was DDoS you obviously
>underestimate the probabilities. How long do you think it would
>take someone to re-script and re-send sequences that match.
It is not possible if the attacker is spoofing addresses, as the packets
don't come back to him. If the attacker has 100,000 zombies in control then
it is a different case.
>Evened on the odds on what, resource requirements? I can send (from
>my laptop) about 15,000 packets per second from one machine.
>Imagine a 100,000 strong botnet. I can't think of any single
>machine that can even this out. Session Border Controller? Doubt it.
Can you set up full call setups at 15000 calls per second, or is it just
INVITES?
Or, put another way, is it 15000 SYNs per second or 15000 full TCP
setups?
You'll see a vast difference ...
>When I'm done with my program I would love to test it against your
>product.
Please share your attack tool; we would like to try it too :-).
Thanks,
Satyam
-----Original Message-----
From: J. Oquendo [mailto:joquendo at hushmail.com]
Sent: Friday, July 07, 2006 12:28 PM
To: styagi at sipera.com
Cc: dhiraj.2.bhuyan at bt.com; voipsec at voipsa.org
Subject: RE: SYNCookie fallacies as an Anti-DDoS protection for VoIP
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On Fri, 07 Jul 2006 12:29:23 -0400 Satyam Tyagi <styagi at sipera.com>
wrote:
>Reply you completely misunderstood, Syn Cookie is for TCP.
TCP is also not widely used in VoIP networks as far as I know. Very
rare.
>down the
>attacker, increases resource requirements on the attacker and
>comes down
>to who has more horsepower. (We've evened out the odds)
Evened on the odds on what, resource requirements? I can send (from
my laptop) about 15,000 packets per second from one machine.
Imagine a 100,000 strong botnet. I can't think of any single
machine that can even this out. Session Border Controller? Doubt it.
>Also unless the attacker is directly sitting next to the server,
>to
>sniff responses he has to be sitting in the path of the spoofed
>address
>s/he initially used.
True to some extent. Since the topic was DDoS you obviously
underestimate the probabilities. How long do you think it would
take someone to re-script and re-send sequences that match.
>This is exactly the kind of attack I was talking about not the SYN
>flood
>when referring to our product.
When I'm done with my program I would love to test it against your
product. I still don't see where you would expect to deter my kind
of attack. Network level would be impossible against a botnet with
a combined connection going over DS3 speeds. Resource wise...
Information I am using is ranDumbly generated so you won't be able
to zero in on anything to filter it out. Even if you could,
information going through to the server would be a mixture of bogus
data and real data so even if you did try to do some crafty
filtering good luck. Check out what Richard Bejtlich said of one
program I wrote a long time ago...
http://archives.neohapsis.com/archives/incidents/2000-08/0242.html
Bubonic was a drop in the hole compared to what I'm working on.
Anyhow, right now I'm running my test Asterisk server on a Sunfire
280r with gigabit ethernet. I've been taking it down with a lowly
laptop over wireless so I can only imagine if I set up a dozen
machines plugged in with 100mb or better pipelines. Good luck
finding something you can throw at this if it does work.
perl -e 'print $i=pack(c5,(40*2),sqrt(7600),(unpack(c,Q)-3+1+3+3-
7),oct(104),10,oct(101));'
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
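Added example, not part of either message and not any vendor's code: a stateless handshake cookie generalized from TCP SYN cookies to "any other three way handshake protocol", showing why a sender who spoofs its source address cannot complete the exchange while the server holds no per-request state. The HMAC construction, the 64-second slot, the names and the sample addresses are assumptions made for illustration.

```python
import hashlib
import hmac
import os

SLOT_SECONDS = 64          # assumed cookie lifetime granularity
SECRET = os.urandom(32)    # per-server secret, never sent on the wire


def _mac(secret, src_ip, src_port, slot):
    msg = f"{src_ip}|{src_port}|{slot}".encode()
    return hmac.new(secret, msg, hashlib.sha256).digest()[:8]


def make_cookie(src_ip, src_port, now, secret=SECRET):
    """Cookie bound to the claimed source and the current time slot."""
    return _mac(secret, src_ip, src_port, int(now) // SLOT_SECONDS)


def check_cookie(cookie, src_ip, src_port, now, secret=SECRET):
    """Accept the current or previous slot; constant-time comparison."""
    slot = int(now) // SLOT_SECONDS
    return any(
        hmac.compare_digest(cookie, _mac(secret, src_ip, src_port, s))
        for s in (slot, slot - 1)
    )


class Server:
    def __init__(self):
        self.sessions = set()   # state exists only for validated peers

    def on_first_packet(self, src_ip, src_port, now):
        # Nothing is allocated here; the reply goes to the claimed address.
        return make_cookie(src_ip, src_port, now)

    def on_third_packet(self, src_ip, src_port, cookie, now):
        if not check_cookie(cookie, src_ip, src_port, now):
            return False
        self.sessions.add((src_ip, src_port))
        return True


def simulate():
    """Constructed traffic: one reachable client, 1000 spoofed openers."""
    srv, t = Server(), 1_000_000
    c = srv.on_first_packet("192.0.2.10", 5060, t)   # client receives this
    ok = srv.on_third_packet("192.0.2.10", 5060, c, t + 5)
    for i in range(1000):          # replies never reach the real sender
        srv.on_first_packet("198.51.100.7", 1024 + i, t)
        srv.on_third_packet("198.51.100.7", 1024 + i, os.urandom(8), t)
    return ok, len(srv.sessions)
```

The cookie only proves that the peer can receive traffic at the address it claims; senders using their real addresses pass this check, which is the "different case" raised in the reply above.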