North American Network Operators Group


Re: Is there a line of defense against Distributed Reflective attacks?

  • From: Sean Donelan
  • Date: Sat Jan 18 21:24:19 2003

On Sat, 18 Jan 2003, Steven M. Bellovin wrote:
> theory, trace a single packet.  But the real problem with either idea
> is this:  suppose that you know, unambiguously and unequivocally, that
> 750 zombies are attacking you.  What do you do with that information?

The reality is it's not 750 zombies, it's generally one person controlling
750 zombies attacking you.

The firefighter approach is not a complete solution.  Putting out the
fire is only part of the answer.  You also need to stop the arsonist
from setting more fires and improve the building codes to reduce the risk.

We need to do more than just wait for complaints and put in more
and more null routes all over the network.  On the other hand, ingress
filtering is not a complete solution either.  There are some things some
networks can do more easily than other networks.  But there isn't just one fix
which will work for everyone, or which will solve the problem.  Null
routes alone didn't solve the spam problem, and I doubt they will solve the
DDOS problem.

So how do we
   1) Make end-user systems less vulnerable to being compromised
   2) Track and stop DDOS quickly when it does happen
   3) Find and convict the true attacker