North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: Real-Time Mitigation of Denial of Service Attacks Now Available With AT&T

  • From: Jon R. Kibler
  • Date: Wed Jun 02 11:27:59 2004

John Obi wrote:
> ... since DDoS is the
> nightmare of the internet now.
> 

The sad fact is that simple ingress and egress filtering would 
eliminate the majority of bogus traffic on the Internet -- including 
(D)DoS attacks. If all ISPs would simply drop all outbound packets 
whose source address is not a valid IP for the subnet of origin, 
and all inbound packets that do not have valid source IP addresses, 
the DDoS problem would be (for all intents and purposes) fixed. If 
proper filtering was done, then any DoS attacks would have to have 
either valid source IP addresses, or IP addresses that spoofed IPs 
within their network of origin. In either case, identifying and 
shutting down the attackers would become a greatly simplified task 
compared to the mess it is today.

Why no filtering by ISPs? "Because it takes resources and only benefits
the other guy" -- unless your network is the one under attack.

Maintenance of the ACLs should not be the issue. A single ACL for each
subnet would be all that would be required for egress filtering. About
30 ACLs on an inbound border router would be required for ingress 
filtering. Keeping the ingress ACLs current is a brain-dead task -- just
subscribe to the bogon mailing list at cymru.com.

ACLs have had a bad reputation for greatly slowing down routers. That
may have been true in the past, but properly written ACLs do not seem
to have a significant impact on most new routers. Yes, they may cut
peak through-put a few percent -- but if you are running that close to
the edge, it is time to upgrade anyway.

IMHO, there is absolutely no excuse for not doing ingress and egress
filtering. In fact, if you are an ISP, I would argue that you are
negligent in your fiduciary responsibilities to your customers and
shareholders if you are not filtering source IP addresses.

Fancy solutions may make great marketing, but simple proper router
filtering is a very workable lower-cost solution.

(Step down from soap box.) At least, that's my $0.02 worth.

Jon Kibler
-- 
Jon R. Kibler
Chief Technical Officer
A.S.E.T., Inc.
Charleston, SC  USA
(843) 849-8214




==================================================
Filtered by: TRUSTEM.COM's Email Filtering Service
http://www.trustem.com/
No Spam. No Viruses. Just Good Clean Email.