North American Network Operators Group


Re: Is there a line of defense against Distributed Reflective attacks?

  • From: Kurt Erik Lindqvist
  • Date: Fri Jan 17 15:36:16 2003


>> Having researched this in-depth after reading a rather cursory article
>> on the topic (http://grc.com/dos/drdos.htm), only two main methods come
>> to my mind to protect against it.
>
> There are a few more methods, some have already mentioned including
> something called pushback.  Very few solutions, particularly elegant
> ones are widely deployed today.

> At some point, sophisticated (or even not so sophisticated) DoS
> attacks can be hard to distinguish between valid traffic, particularly
> if widely distributed and traffic is as valid looking as any other
> bit of traffic.

I have been thinking about this for a while due to a number of reasons. But if we look at the source of the attacks and the effects of the attacks, I would draw the conclusions that

a) Unless we fix the "end-system" faults that are used for exploits, the only way that will scale to handle attacks is simply to make the victims redundant, so that you can lose one and lose service for some customers in order to provide service for the remaining customers.

b) In the short to medium term, the only strategy that will work is to sacrifice some parts of your service (or host, or customers - depending on your role and the type of attack / victim).

Even with the pushback model, the ordinary users will lose to some extent. So what would be needed would be a model where the loss of bandwidth for end-users is projected to the revenue numbers of the service being attacked. Right?

>> is a practical solution to an attack of this kind, what prevents its
>> implementation? Lack of awareness, or other?
>
> It is still fairly new and not widely deployed.  Routers need not only
> to support it, but also have to be enabled to use it.  It is a fairly
> significant change to the way congestion control is currently done in
> the Internet and it will take some time before penetration occurs.

Well, you also need to find another "way" (or buffer, or slowdown) to send the traffic, which in a way is also a successful attack.

> to launch attacks.  Eventually it all boils down to a physical
> security problem.  Pricing models can be used to make it expensive

With physical security I would assume actual physical access to the system. Anything else to me is "logical" or "system" security. Correct?

- kurtis -