North American Network Operators Group


Re: Is there a line of defense against Distributed Reflective attacks?

  • From: Christopher L. Morrow
  • Date: Fri Jan 17 14:01:11 2003


On Fri, 17 Jan 2003, David G. Andersen wrote:

>
> On Fri, Jan 17, 2003 at 06:38:08PM +0000, Christopher L. Morrow mooed:
> >
> > > has something called Source Path Isolation Engine (SPIE).  There
> >
> > This would be cool to see a design/whitepaper for.. Kelly?
>
> The long version of the SPIE paper is at:
>
>   http://nms.lcs.mit.edu/~snoeren/papers/spie-ton.html
>
> The two-second summary that I'll probably botch:  SPIE keeps a (very tiny)
> hash of each packet that the router sees.  If you get an attack packet,
> you can hand it to the router and ask "From where did this come?"
> And then do so to the next router, and so on.  The beauty of the scheme
> is that you can use it to trace single-packet DoS or security attacks
> as well as flooding attacks.  The downside is that it's hardware.

This sounds like Steve Bellovin's thing called 'icmp traceback' where you
make up a new icmp type message and send that query through the system,
hop by hop... though I say that after only reading your blurb, not the
paper :)

As I recall the icmp thing (that might NOT have been all Steve, I just
heard him present it once) was a problem from a memory and processing
perspective, not to mention 'no router does this today' so it's a 3-year-off
feature addition... never mind the protocol additions :)
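The hash-based traceback David summarises above, as an added example that is not code from the post or from the SPIE project: each router keeps only a small Bloom filter of packet digests per ingress interface, and a traceback query walks hop by hop toward the source until a router has no single matching interface. The Bloom filter and the digest over TTL-invariant fields follow the SPIE design; the topology, packet dictionaries, field names and the `m`/`k` sizes are constructed for this example.

```python
import hashlib

def packet_digest(pkt: dict) -> bytes:
    # Hash only fields that stay constant hop to hop (no TTL/checksum), as SPIE does.
    inv = f"{pkt['src']}|{pkt['dst']}|{pkt['proto']}|{pkt['id']}|{pkt['payload'][:8]}"
    return hashlib.sha256(inv.encode()).digest()

class BloomFilter:
    """Fixed-size bit array; a router keeps one per ingress interface."""
    def __init__(self, m: int = 4096, k: int = 3):
        self.m, self.k, self.bits = m, k, bytearray(m // 8)
    def _positions(self, digest: bytes):
        for i in range(self.k):  # k positions taken from disjoint digest slices
            yield int.from_bytes(digest[4 * i:4 * i + 4], "big") % self.m
    def add(self, digest: bytes) -> None:
        for p in self._positions(digest):
            self.bits[p // 8] |= 1 << (p % 8)
    def __contains__(self, digest: bytes) -> bool:
        return all(self.bits[p // 8] & (1 << (p % 8)) for p in self._positions(digest))

class Router:  # records a digest of every forwarded packet; stores filters, never packets
    def __init__(self, name: str, upstream: dict):
        self.name, self.upstream = name, upstream  # iface -> Router, or None at the edge
        self.seen = {iface: BloomFilter() for iface in upstream}
    def forward(self, iface: str, pkt: dict) -> None:
        self.seen[iface].add(packet_digest(pkt))
    def query(self, pkt: dict) -> list:
        d = packet_digest(pkt)  # "From where did this come?"
        return [iface for iface, bf in self.seen.items() if d in bf]

def traceback(router: Router, pkt: dict) -> list:
    """Hop-by-hop walk from the victim-facing router toward the ingress edge."""
    path = [router.name]
    while True:
        hits = router.query(pkt)
        if len(hits) != 1 or router.upstream[hits[0]] is None:
            return path  # no record, ambiguous (false positive), or edge reached
        router = router.upstream[hits[0]]
        path.append(router.name)

def build_demo():  # constructed topology: edge routers R1 and R4 feed R2, which feeds R3
    r1 = Router("R1", {"cust": None}); r4 = Router("R4", {"cust": None})
    r2 = Router("R2", {"if0": r1, "if1": r4}); r3 = Router("R3", {"if0": r2})
    attack = {"src": "203.0.113.9", "dst": "198.51.100.1", "proto": 17, "id": 1, "payload": b"ATTACKxx"}
    benign = {"src": "192.0.2.7", "dst": "198.51.100.1", "proto": 6, "id": 2, "payload": b"GET / HT"}
    for r, iface in ((r1, "cust"), (r2, "if0"), (r3, "if0")):
        r.forward(iface, attack)   # attack packet travelled R1 -> R2 -> R3
    for r, iface in ((r4, "cust"), (r2, "if1"), (r3, "if0")):
        r.forward(iface, benign)   # benign packet travelled R4 -> R2 -> R3
    return r3, attack, benign
```

Because the filters hold bits rather than packets, a false positive can make a hop ambiguous; the walk stops there rather than guessing, which is the trade-off the "very tiny hash" buys.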