[asterisk-dev] OT: Where Mailing List Replies Should Go

J. Oquendo sil at infiltrated.net
Mon Oct 9 08:34:36 MST 2006


Jay R. Ashworth wrote:
> On Mon, Oct 09, 2006 at 08:40:54AM -0400, J. Oquendo wrote:
>   
>> Jay R. Ashworth wrote:
>>     
> >>> You're familiar with Randy Bush's paper suggesting that BGP flap
>>> dampening was a bad idea?  (I wasn't either, but I ran across it the
>>> other day, and it seemed pertinent to mention it here:
>>>
>>>       
> I did not, no; that was reasonably clear from the phrasing I chose.  Or
> so I thought.  It doesn't justify the tone of your response here,
> though, IMHO.
>
> I was *trying* to be helpful.  I won't make that mistake again.
>
> Cheers,
> -- jra
>   

The initial problem with route flapping/dampening is it can be DoS'd 
causing a flurry of issues. I initially started a DoS using a 
flapping/dampening attack but left it alone after a proof of concept 
that started in 1999 on some stupid ideas of how flapping/dampening 
wasn't such a great idea. The RFC information along with the "standards" 
that run BGP introduce an array of issues someone could use to start a 
flapping war. Imagine this:

RouterA (United States) --> RouterB (Europe)
Attacker on RouterA's network sends out bogus ICMP information (say ICMP 
source quenches at a phenomenal rate) ... RouterB does what it is 
supposed to do, times it out. Attacker using a botnet continues 
attacking RouterB as RouterA. The neighbor state would be in such a 
state of "WTF" is happening it will continuously ignore the adjacency 
between the two routers breaking anything they were passing to one another.

The initial paper was a stupid concept which actually happened to break 
Zebra (now known as Quagga). I released a Proof of Concept tool then 
left the idea alone since I thought if it did work on a grand scale it 
would be such a moronic tool to make public. Why my post may sound harsh, 
I inferred yours to be a poke to the extent of "so what who cares" so my 
sincerest apologies for misjudging. I enjoy learning from others no 
matter what it is and I was only offering insight using 
flapping/dampening as an example. It would not be a bad idea though to 
have some form of limit built in somewhere down the line:

[SIPUSER/IAXUSER/WHATEVER]
processes = 10

Where any given user would not be able to abuse a system. The stupid 
program I made is created to generate ranDumb numbers (SIP extensions), 
so in this instance if say extension 100 generated anything over 10 
requests, replies, acknowledgments, invites, byes, cancels, etc., it 
would be given a "bad boy shame on you" time out. For this instance 
(attack tool I made) it would suffice to an extent opening channels. I 
managed to open up 50 channels in less than a minute remotely with one 
program alone; mind you, there are now 13 tools in the suite.

http://archives.neohapsis.com/archives/vuln-dev/2000-q3/0618.html
http://archive.cert.uni-stuttgart.de/archive/vuln-dev/2003/08/msg00039.html

-- 
====================================================
J. Oquendo
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x1383A743
sil . infiltrated @ net http://www.infiltrated.net 

The happiness of society is the end of government.
John Adams

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 5157 bytes
Desc: S/MIME Cryptographic Signature
Url : http://lists.digium.com/pipermail/asterisk-dev/attachments/20061009/41361be6/smime-0001.bin
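
The per-user limit proposed in the message above, sketched as an added example (not code from the post or from Asterisk): every SIP message from an extension is counted, and anything over 10 inside a window puts that extension in a time-out. The window length, time-out length, function and class names, and the sample host names are assumptions.

```python
import re
from collections import defaultdict, deque

LIMIT = 10        # from the post: "processes = 10"
WINDOW = 1.0      # assumption: seconds over which messages are counted
TIMEOUT = 30.0    # assumption: length of the time-out once the limit is exceeded
FROM_RE = re.compile(r"^(?:From|f)\s*:.*?<?sips?:([^@;>\s]+)@", re.I | re.M)

def extension_of(sip_message):
    """Return the user part of the From URI, or None if it cannot be parsed."""
    m = FROM_RE.search(sip_message)
    return m.group(1) if m else None

class ExtensionLimiter:
    """Count every SIP message (request or reply) per extension in a sliding window."""
    def __init__(self, limit=LIMIT, window=WINDOW, timeout=TIMEOUT):
        self.limit, self.window, self.timeout = limit, window, timeout
        self.seen = defaultdict(deque)   # extension -> timestamps inside the window
        self.blocked_until = {}          # extension -> time the time-out ends

    def allow(self, sip_message, now):
        ext = extension_of(sip_message)
        if ext is None:
            return False                 # unparseable sender: drop rather than guess
        if now < self.blocked_until.get(ext, 0.0):
            return False                 # still in time-out; traffic is not counted
        q = self.seen[ext]
        while q and now - q[0] >= self.window:
            q.popleft()                  # forget messages older than the window
        q.append(now)
        if len(q) > self.limit:          # "anything over 10" trips the time-out
            self.blocked_until[ext] = now + self.timeout
            q.clear()
            return False
        return True

def sample(method, ext):
    """Constructed SIP message; the host name is a placeholder."""
    return (f"{method} sip:200@pbx.example.com SIP/2.0\r\n"
            f"From: <sip:{ext}@pbx.example.com>;tag=1\r\n\r\n")

def demo():
    lim = ExtensionLimiter()
    burst = [lim.allow(sample("INVITE", "100"), now=i * 0.01) for i in range(12)]
    other = lim.allow(sample("BYE", "101"), now=0.2)       # different extension unaffected
    during = lim.allow(sample("CANCEL", "100"), now=5.0)   # inside the time-out
    after = lim.allow(sample("INVITE", "100"), now=31.0)   # time-out has ended
    return burst, other, during, after
```

The From header is unauthenticated, so a deployment would key the counter on the authenticated peer or the source address rather than on the header alone.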

