North American Network Operators Group


Re: Yahoo offline because of attack (was: Yahoo network outage)

  • From: Joe Shaw
  • Date: Wed Feb 09 00:24:35 2000

I'd be one to argue that implementing egress filtering, as opposed to
ingress filtering, would do more to stop DDoS attacks since one of the
most crippling attacks uses forged valid source addresses to start the
attack (smurf/fraggle).  If you stop forged packets from leaving the
offending networks (which you mention in your RFC, but only to say it's
impractical to do both ingress and egress filtering and advocate ingress),
then the need to track attacks goes no farther than the people in Company
X's dialup pool who are causing the CPU on the router to go up.  However,
neither ingress nor egress filtering helps stop any of the latest "seen
in the wild" DDoS attacks like trinoo, tribe, etc. because the floods are
all unforged packets.  Though they've been sketchy on details, it sounds
like these or their descendants are the likely candidates for both Yahoo and
Buy.com.

Also, ingress filtering certainly doesn't help Tier3.net when their 4
inverse-muxed T1's are clogged with 20Mbps of traffic, forged or 
otherwise.  Sure, the router is dropping the traffic like mad, but it's
not going to help them unless their upstream will block the traffic as
well once the attack starts.  Egress filtering would stop the attack
before it started if the traffic were forged.  If it's just unforged
traffic, you'd expect the attacking sites to notice the spike in bandwidth
utilization and increased traffic flows from one or several machines to
one destination, but that may be asking too much.

Unfortunately, the rush to .COM riches has brought with it a lot of people
who have only half a clue as to what they're doing if we, as the Internet
community, are lucky, making the Internet landscape even more dangerous
with the amount of ignorance that's out there when it comes to security
issues.  It should also be said that some established educational 
institutions seem to be having issues stopping attacks like smurf and
fraggle as well.  The media certainly isn't helping, classifying all DoS
attacks as packet flooding attacks, which is not the case either, though
all DDoS attacks are (if you're a journalist, please feel free to ask
what the difference is;  I'll be more than happy to explain it).

I wish I could have made NANOG and the DDoS BoF session, but I was unable
to attend due to employment issues.

--
Joseph W. Shaw - [email protected]    
Computer Security Consultant and Programmer
Free UNIX advocate - "I hack, therefore I am."

On Tue, 8 Feb 2000, Paul Ferguson wrote:

> Declan,
> 
> This is a very complex issue, and made the DDoS BoF last
> night even more lively. ;-)
> 
> Read RFC2267. More people should be doing it, and most of
> these silly problems will go away.