North American Network Operators Group


Re: Proposal for mitigating DoS attacks

  • From: Aaron Hopkins
  • Date: Mon Jul 12 18:24:01 1999

-----BEGIN PGP SIGNED MESSAGE-----

> Thus an oft-used response to an attack is to block traffic either to, or
> from, particular IP addresses. In the case of attacks involving forged
> source IP addresses, or reflected attacks such as SMURF, the only way to
> easily block these attacks to prevent collateral damage, is to prevent
> all traffic from reaching the IP address concerned (filtering) until the
> attack has ceased (either as a consequence of a parallel act of tracing,
> or otherwise).

While I like the idea of your proposal, I see it as not working because it
trusts information generated by the attacker that is not necessarily
relevant to the success of the attack.

As I am familiar with it, the smurf is generally successful not by flooding
the target host's LAN, but rather its upstream network connection.
Infrastructure to take that one host off of the net quickly isn't going to
help if it's its network that's being attacked.  If this proposal becomes
widely accepted, it will only succeed in getting someone to modify the
exploit to allow the attacker to input a netmask, randomly flooding every IP
sharing the same link.  The effect will basically be the same, as far as I
can tell.

The information that you can trust is that your attacker will cause large
quantities of ICMP echo-reply (or sometimes UDP) packets to enter your
network from amplifier source addresses.  The options I see are to either:

- Rate-limit or block ICMP echo-reply traffic, as close to the source as
  possible.  This may be only at your network ingress, but it might be
  interesting to see if the backbones really need to allow more than 5-20%
  of the bandwidth of any link as ICMP echo-reply.

- Rate-limit or block traffic from amplifier source addresses.  If a
  significant portion of the 'net were simply unavailable to these networks
  until they turned off directed-broadcast, they would get fixed much
  faster.  A BGP RBL-style feed would be the most easily maintainable, but
  one could even just write a script to take the top 100 off of netscan.org
  and add them to access-lists.

                   Aaron Hopkins
                   [email protected] 
                   Chief Technical Officer, Cyberverse Inc.

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBN4pqK0fJWHAEvsjBAQFx8AQA8PdtkbbBlUsy0qjI97pnR+CkHm2p/UI+
/JD5sHNfWEy9q2ZiKjyYjNdBO1cKzFTmt8C0xr/suo1/W1i3WCOWxe2l3xYZE039
nNs3UWmCrElYPOXR38zbppwqTsgGqqqB69d2TVEGnex+0qi2Su/vHdD+BWrnothv
+n7krDXg0Fw=
=CC9p
-----END PGP SIGNATURE-----
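The two mitigations in the message (watch the share of an ingress link carried by ICMP echo-reply, and block the amplifier networks that reply to a victim) can be checked against flow records with a short script. The example below is an addition to this archive page, not code from the original post or from NANOG; the flow records are constructed, the 20% threshold is taken from the upper end of the 5-20% range the post mentions, the /24 grouping and the "at least two replying hosts" rule are assumptions about what a directed-broadcast amplifier looks like from the outside, and the emitted access-list lines use Cisco-style extended ACL syntax as one plausible reading of "access-lists".

```python
"""Smurf-style amplification: echo-reply share of a link and amplifier
prefixes derived from sampled flow records (added example, constructed data)."""
from collections import Counter, defaultdict
from ipaddress import ip_network

# Constructed flow records for one ingress link:
# (src, dst, protocol, icmp_type, bytes). ICMP type 0 is echo-reply.
SAMPLE_FLOWS = [
    # Legitimate traffic toward the victim host.
    ("198.51.100.20", "198.51.100.10", "tcp", None, 60000),
    ("198.51.100.21", "198.51.100.10", "tcp", None, 40000),
    ("198.51.100.22", "198.51.100.10", "icmp", 0, 1000),   # one ordinary ping reply
    # Amplifier network A: several hosts in the same /24 all replying to the victim.
    ("192.0.2.5", "198.51.100.10", "icmp", 0, 30000),
    ("192.0.2.17", "198.51.100.10", "icmp", 0, 30000),
    ("192.0.2.99", "198.51.100.10", "icmp", 0, 30000),
    # Amplifier network B.
    ("203.0.113.8", "198.51.100.10", "icmp", 0, 20000),
    ("203.0.113.40", "198.51.100.10", "icmp", 0, 20000),
]

ECHO_REPLY_THRESHOLD = 0.20  # upper end of the 5-20% range suggested in the post


def is_echo_reply(flow):
    _src, _dst, proto, icmp_type, _nbytes = flow
    return proto == "icmp" and icmp_type == 0


def echo_reply_share(flows):
    """Fraction of the observed bytes on the link that are ICMP echo-reply."""
    total = sum(f[4] for f in flows)
    if total == 0:
        return 0.0
    return sum(f[4] for f in flows if is_echo_reply(f)) / total


def exceeds_threshold(flows, threshold=ECHO_REPLY_THRESHOLD):
    """True when echo-reply exceeds the permitted share of link bandwidth."""
    return echo_reply_share(flows) > threshold


def amplifier_prefixes(flows, prefix_len=24, min_hosts=2):
    """Map each candidate amplifier prefix to its echo-reply byte count.

    A prefix counts as an amplifier only when at least min_hosts distinct
    addresses inside it reply to the victim: a single replying host is just
    a normal ping exchange, many hosts replying from one network is the
    directed-broadcast signature (assumed heuristic)."""
    bytes_by_net = Counter()
    hosts_by_net = defaultdict(set)
    for flow in flows:
        if not is_echo_reply(flow):
            continue
        src, _dst, _proto, _itype, nbytes = flow
        net = ip_network(f"{src}/{prefix_len}", strict=False)
        bytes_by_net[net] += nbytes
        hosts_by_net[net].add(src)
    return {net: b for net, b in bytes_by_net.items()
            if len(hosts_by_net[net]) >= min_hosts}


def top_amplifiers(flows, n=100):
    """The n heaviest amplifier prefixes as strings, heaviest first."""
    ranked = sorted(amplifier_prefixes(flows).items(),
                    key=lambda item: (-item[1], str(item[0])))
    return [str(net) for net, _b in ranked[:n]]


def acl_lines(prefixes, acl_number=101):
    """Cisco-style extended ACL denying echo-reply from each prefix (assumed syntax)."""
    lines = []
    for prefix in prefixes:
        net = ip_network(prefix)
        lines.append(f"access-list {acl_number} deny icmp "
                     f"{net.network_address} {net.hostmask} any echo-reply")
    lines.append(f"access-list {acl_number} permit ip any any")
    return lines


if __name__ == "__main__":
    print(f"echo-reply share: {echo_reply_share(SAMPLE_FLOWS):.1%}")
    if exceeds_threshold(SAMPLE_FLOWS):
        for line in acl_lines(top_amplifiers(SAMPLE_FLOWS)):
            print(line)
```

Run on the constructed flows, the echo-reply share comes out well above 20%, the two /24s with multiple replying hosts are reported as amplifiers while the lone legitimate ping reply is not, and the generated lines deny echo-reply from those prefixes only, so the rest of the traffic from them stays reachable.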