North American Network Operators Group


Re: New Internet-draft on DDOS defense...

  • From: Richard Steenbergen
  • Date: Fri May 19 21:21:51 2000

> The proposal suggests that hosts not respond to ICMP Echo broadcasts if
> the source address is not within the same subnet as the workstation.
> The rationale is that even with "no ip directed-broadcast" (or its
> equivalent on non-Cisco routers), smurf attacks can still be launched by
> a local machine on the local subnet (provided that there are no filters
> in place to prevent forged source-addresses from that subnet).
> Such an attack would only be useful where the aggregate bandwidth to the
> Internet from the subnet of the compromised host is significantly larger
> than the aggregate bandwidth to the Internet from the compromised host
> itself.  In the traditional case of a simple shared media ethernet, this
> is obviously not the case -- rather than launching a "local smurf"
> attack to generate 10Mbps worth of flooding, the attacker could simply
> have the local machine generate 10 Mbps worth of flooding.  In modern
> networks, a switch of some sort is likely to be involved, so there is
> some potential for amplification.  However, given that the individual
> devices in such an environment are likely to be attached with a minimum
> of 100 Mbps Ethernet (and, assuming they are running a reasonable IP
> stack, they should then be able to generate a minimum of, say, 80Mbps of
> flooding), the cases where a "local smurf" would be beneficial to an
> attacker are limited to sites with switched ethernet and OC-3 or better
> connectivity.  Experience has shown that such sites are not generally
> problematic smurf amplifiers.  (OC-3 is actually just a low end number.
> Given that any such site is likely to have a lot of other traffic
> competing for bandwidth, I think 25% is a good high end number for
> maximum amplification effect you'd get.  You'll need OC-12 or higher for
> any serious level of amplification.)

An old idea... It's relatively easy to do this by spoofing the raw frames
and making your own l2 broadcast.

I can think of at least one major brand name colo provider with multiple
customers on shared vlans where such an attack would be quite effective. I
can think of others that actually have most of their switches on GigE
uplinks and many customers sharing a vlan, where such an attack would be
rather devastating.

Then again any time you put multiple customers on a single layer 2
switch/vlan without doing some kind of l3 switching or vlan trunking and
one vlan per customer you are asking for trouble (ip stealing, arp games,
broadcast issues including these kinds of attacks, etc).
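
Added example, not part of the original message or of the draft it discusses: a sketch of the host-side rule described in the quoted proposal (do not answer a broadcast ICMP Echo whose source is outside the receiving interface's subnet). The function name, reason strings and sample addresses are assumptions constructed for illustration; the check looks only at IP addresses, as the quoted description does.

```python
import ipaddress

LIMITED_BROADCAST = ipaddress.ip_address("255.255.255.255")

def should_answer_echo(src, dst, iface_cidr):
    """Decide whether to answer one ICMP Echo Request under the proposed rule.

    iface_cidr is the receiving interface's address and prefix,
    e.g. "192.0.2.10/24". Returns (answer, reason).
    """
    iface = ipaddress.ip_interface(iface_cidr)
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)

    # Unicast echo is untouched by the proposal. Checked first so that
    # /31 and /32 interfaces are not mistaken for a broadcast address.
    if dst == iface.ip:
        return True, "unicast echo to this host"

    # Only limited broadcast and this subnet's directed broadcast qualify.
    if dst not in (LIMITED_BROADCAST, iface.network.broadcast_address):
        return False, "not addressed to this host"

    # The proposed rule: answer a broadcast echo only for on-subnet sources.
    if src in iface.network:
        return True, "broadcast echo, source on local subnet"
    return False, "broadcast echo, source outside local subnet"

# Constructed sample packets (documentation address ranges), not captured traffic.
SAMPLES = [
    ("192.0.2.50",   "192.0.2.255"),      # neighbour pinging the subnet broadcast
    ("198.51.100.7", "192.0.2.255"),      # off-subnet source, directed broadcast
    ("198.51.100.7", "255.255.255.255"),  # off-subnet source, limited broadcast
    ("198.51.100.7", "192.0.2.10"),       # ordinary unicast ping from outside
]

def run_samples(iface_cidr="192.0.2.10/24"):
    """Apply the rule to every sample; returns (src, dst, answer, reason) rows."""
    return [(s, d) + should_answer_echo(s, d, iface_cidr) for s, d in SAMPLES]

if __name__ == "__main__":
    for src, dst, answer, reason in run_samples():
        print(f"{src:>15} -> {dst:<15} {'REPLY' if answer else 'DROP ':5} {reason}")
```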