North American Network Operators Group


Re: FW: Re: Is there a line of defense against Distributed Reflective attacks?

  • From: Avleen Vig
  • Date: Sat Jan 18 17:00:27 2003

On Sat, 18 Jan 2003, Christopher L. Morrow wrote:

> > Eliminating spoofed addresses from the backbone, even if it were possible
> > to do 100%, would not eliminate denial of service attacks. The DDoS attacks
>
> This was precisely the point of Mr. Gill from AOL at the aforementioned
> NANOG meeting, I believe his quote goes something like: "The ip address
> used for the attack is orthogonal to the problem..." To me this makes
> perfect sense... People really do get stuck on the red herring of
> 'stopping all spoofing'. That isn't the problem; as you say below, it's
> trivial to use owned hosts by the thousands to attack with unspoofed
> addresses... Rob Thomas has some good data on attacks against IRC
> servers and other hosts on the internet, his data last I recall was
> something like 80% of attacks use spoofed addresses, though more and more
> his tracked attacks are showing from non-spoofed hosts. He can certainly
> jump in and correct me though :) I can speak authoritatively from the
> network I work on's perspective on this issue, more and more we have seen
> non-spoofed attacks. There are still plenty of spoofed attacks, but
> frankly we prefer that as it's MUCH easier to track and stop.

You could partly get around this by blocking all 'SYN' packets going to
your customers :-)
Unless/until the kiddies start using UDP... messy.
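The two points made above (spoofed sources are cheap to recognise and filter, while unspoofed bots and UDP floods sail past a SYN-only or bogon-only filter) can be shown with a small triage script. This is an added example, not code from the thread or from any of the people quoted in it. The flow records, the customer prefix 203.0.113.0/24, and the bogon list are all constructed for illustration; the only library used is the Python standard library.

```python
"""Triage of attack flow records: which sources are obviously spoofed?

Added example, not part of the original NANOG thread. Flow records and
prefixes below are constructed; they do not describe any real attack.
"""
import ipaddress
from collections import Counter

# Prefixes that must never appear as a source address on the public
# Internet (RFC 1918 space, loopback, link-local, multicast, class E).
# A packet carrying one of these as its source is spoofed by definition.
# Assumption: this short list is the whole bogon set we check against.
BOGONS = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
)]

# Hypothetical prefix of the customer under attack. A packet that arrives
# from upstream claiming a source inside it is also spoofed (the classic
# ingress-filtering check at the provider edge).
CUSTOMER_PREFIX = ipaddress.ip_network("203.0.113.0/24")


def is_bogon(src):
    """True if the source address falls in any bogon prefix."""
    return any(src in net for net in BOGONS)


def classify_flow(rec):
    """Label one flow record 'spoofed' or 'unverified'.

    'unverified' is the honest answer for anything routable: it may be a
    real owned host, or a spoofed address that happens to be allocated.
    Only BCP38-style filtering at the true source network can tell.
    """
    src = ipaddress.ip_address(rec["src"])
    if is_bogon(src) or src in CUSTOMER_PREFIX:
        return "spoofed"
    return "unverified"


def proto_key(rec):
    """Bucket a record as udp, tcp-syn (SYN only) or other tcp."""
    if rec["proto"] == "tcp":
        return "tcp-syn" if rec.get("flags") == "S" else "tcp"
    return rec["proto"]


def summarize(records):
    """Return (counts by spoof class, counts by protocol bucket)."""
    by_class = Counter(classify_flow(r) for r in records)
    by_proto = Counter(proto_key(r) for r in records)
    return dict(by_class), dict(by_proto)


def spoofed_fraction(records):
    """Share of records whose source is provably spoofed."""
    if not records:
        return 0.0
    return sum(classify_flow(r) == "spoofed" for r in records) / len(records)


# Constructed flow records: a mix of obviously spoofed SYNs, SYNs from
# routable (possibly real) hosts, and UDP traffic that a SYN filter misses.
SAMPLE_FLOWS = [
    {"src": "10.1.2.3",       "dst": "203.0.113.10", "proto": "tcp", "flags": "S"},
    {"src": "192.168.5.5",    "dst": "203.0.113.10", "proto": "tcp", "flags": "S"},
    {"src": "203.0.113.77",   "dst": "203.0.113.10", "proto": "tcp", "flags": "S"},
    {"src": "198.51.100.9",   "dst": "203.0.113.10", "proto": "tcp", "flags": "S"},
    {"src": "192.0.2.44",     "dst": "203.0.113.10", "proto": "udp"},
    {"src": "203.0.113.200",  "dst": "203.0.113.10", "proto": "udp"},
    {"src": "224.1.1.1",      "dst": "203.0.113.10", "proto": "udp"},
    {"src": "198.51.100.10",  "dst": "203.0.113.10", "proto": "tcp", "flags": "A"},
]

if __name__ == "__main__":
    classes, protos = summarize(SAMPLE_FLOWS)
    print("by source class:", classes)
    print("by protocol:    ", protos)
    print("provably spoofed fraction: %.3f" % spoofed_fraction(SAMPLE_FLOWS))
```

Run against the constructed records, five of the eight flows are provably spoofed and three are merely "unverified"; the three routable sources are exactly the ones an edge filter cannot help with, which is Morrow's point. The protocol tally separately shows that a rule dropping only SYNs would leave the three UDP flows untouched.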