Bugtraq mailing list archives

Re: A DDOS proposal.


From: mickey () HOME BLOCKDEV NET (Matt)
Date: Sat, 12 Feb 2000 04:15:26 -0800


Appropriate quoting (I hope) follows.

The chief concern with DDOS attacks is, as Mr. Ruiu points out, that it is not
feasible to protect the entire net.  Moreover, he is correct that the solution
he proposes would bring with it severe DOS and even new DDOS opportunities, strong
authentication notwithstanding.  Of course, the issues of international legal
enforcement, liability, etc. are glossed over or ignored.  In short, adopting a
massive Panic Button system, as suggested, would probably open more holes than
it would close, and many of the recommended remedies (fire alarm penalties,
for instance) would be difficult or impossible to enforce in many circumstances.

The secret, I think, to limiting vulnerability to these sorts of attacks, and
limiting exposure, is to cause _someone_ (it doesn't particularly matter who)
to internalize the external costs of protection.  That is, since (say) the
University of California at Santa Barbara has less (theoretical) personal stake
in detecting DDOS agents on compromised clients, they will expend no effort to
do so.  If they fully internalized the costs of the damage, however (if CNN
could, for instance, reliably collect the entire potential damages due to loss
of service), they would have a greater incentive.  The solution, then, becomes
primarily technical: a reliable, trustworthy means of identifying the author of
a certain packet would need to be obtained, so that packets could not be spoofed.

It should be remembered, too, that legal sanction against (for instance) ISPs will
be difficult to enforce in practice.  My computer doesn't much care, or notice,
if it is being flooded by Rwandan networks or Australian ones; service is just as
denied either way.  Legal sanctions against foreign ISPs, however, are very difficult
to enforce.  Sanctions would have to transcend law and political boundaries, meaning
network-wide isolation of offensive networks, not liability assessments.

        --Matt

On Fri, 11 Feb 2000, Dragos Ruiu wrote:

The problem with DDOS:

- It is infeasible to secure the entire net.
<DELETIA>

As this is an industry wide issue, it is doubtful a single source commercial
antidote to all the potential DDOS problems can be found with a single
countermeasure. So I propose a collaboration between service providers -
an Anti-ddos ISP Coalition to remedy the problem.

<DELETIA>
. . . There are numerous inherent DoS
opportunities in such a system so great care needs to be taken between
Defenders to use strong authentication.  In addition, guidelines should be
drafted so no draconian penalties are imposed on clients that have potentially
spurious complaints filed against them.  I would suggest that no action be
taken until multiple complaints are filed, and then some sort of attack
verification process with the victim be used before attack relays are
notified/penalized.  Systems that are repeatedly/consistently used as attackers
could be filtered/disabled/penalized until appropriate security improvements are
demonstrated to their ISP - thus providing the motivation for the attack relays
to care about the damage they are doing and to spend the effort on better
security.

-To stop this system from being used as a DoS itself, I would propose that
some sort of fine or other financial penalty be imposed for false or improper
complaints being filed (like the fines for pulling a fire alarm).