|
North American Network Operators Group Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical Re: Proposal for mitigating DoS attacks
Alex.Bligh writes: > A discussion on Route Filtering > =============================== > > This proposal does not invalidate the concept > of route filtering. In fact it is vital that > the same level of filtering is applied to > Victim Routes as to the superblock in which > they reside; elsewise they could themselves > be used by irresponsible people as a Denial > of Service attack. The same technology that > currently ensures ISP's do not lose connectivity > to their customers by accepting similar routes > from their peers can be used to filter acceptance > of Victim Routes. This is certainly an interesting proposal. However, I have a concern related to the excerpt above. Considering smurf-like attacks, the involved parties typically include: 1. Attacker's upstream(s). 2. Amplifiers. 3. Victim's upstream(s). 4. Victim. Given the "distributed" nature of the attack, parties #1 and #2 tend to see only marginal increases in traffic. Party #3 may see a moderate to heavy increase, but if they maintain sufficient headroom on their network, it may not be enough to matter (or even be noticed). By far the most dramatic difference is seen by party #4, the victim himself. Your proposal, assuming it could be consistently and properly implemented, might certainly improve the situation for parties #3 and #4. However, it may open other, previously uninvolved parties to a new form of attack: if I as an attacker can find a way to generate thousands of these "victim" routes, I can affect a very potent DoS against core routers all over the Internet. Do the benefits to parties #3 and #4 outweigh the newly-created risk that affects everyone? For example, what happens when there is a breakdown in route filtering and someone manages to slip in a few hundred victim routes that just so happen to match the IPs in use at the major exchange points? ;-) The more I think about it, the more problems I see. Smurf attacks are possible because thousands of people can't disable directed broadcasts on their routers. This entire approach relies on many of those same people to perform adequate route filtering to avoid far worse consequences. :-( --Jeff
|