Re: A DDOS defeating technique based on routing

[fpscha () NS1 VIA-NET-WORKS NET AR (Fernando Schapachnik)]

I'll summarize many responses my proposal has have and give my thoughts
about each one. Sorry for not been able to answer each one individually.
Not enought time ;-)

Let me first state that this was never meant to be a cure for every
situation. I think is only feasible in particular cases. I do agree with
most posts stating that to really solve DDOS we must attack the problem at
its roots: egress filtering. My proposal aimes to help the ones that are
being attacked.

Renaud Deraison <deraison () cvs nessus org> said:
>       In order to be ready to a massive DDOS attack, example.com should
> change its network structure to something like:
>
>                           +--------------+
>                +----e-----+ stub network |
>                |          +--------------+
>     +--------+ |
> -a--|        | |          +---------------+
>     |        | |          |               |     +-----------------+
> -b--|  ISP   +f+---d------+ example.com's +-----+ www.example.com |
>     |        |            | border router |     +-----------------+
> -c--|        |            +---------------+     \
>     +--------+                             \     10.0.0.2 and 10.0.1.2
>                                             10.0.0.1 and 10.0.1.1

If example.com is flooded with bogus network traffic (say, lots of
TCP RST) , then the link "f" that I added on your map will be flooded
anyway. So neither the stub network or example.com's border router will
receive all the data they should receive. So the attack is still
active.

---> Answer: it was just a graphic mistake. E and d should be absolutely
independent links.

=======================================================

Andreas Bogk <andreas () andreas org> said:
>      The proposed technique is about changing the IP addresses of the hosts
> being attacked and diverting the IP block under attack to a stub network
> where traffic can be analyzed to track it down, or just dropped.

This will not help, as the ISPs border router is still flooded. You
could drop the BGP route for that network, but that is highly
undesirable: you would end up needing one BGP advertisement per
"important" server.

---> Answer: this solution is intendeed to site's whose ISP has multiple
links. Hopefully, the ISP total bandwidth is several times the bandwidth it
sells to its customer, and it uses some kind of traffic shaping for each
customer at the other end of its links, so he could survive the attack. If
the ISP can't survive the attack, neither can its customers.

And BGP routes are a scarce resource, since they cost RAM in
everybody's border router: usually ASen try hard to announce as few of
them as possible, some aggregate all of their space to a single
announcement.

---> Answer: you would have to spend some resources in order to get
protection. ISP can aggregate routes at its borders, so nobody knows that
the route has been dropped (this is usefull is the ISP can survive the
attack) or can advertise each involved network separatedly. The last option
has the disadvantage you pointed out, but the advantage of traffic being
dispersed nearer its origin.

============================================

Many pointed out thinks like:
DNS records aren't instantly propogated to everyone (because of the
TTL). How do you make sure that clients are diverted to the proper
website?

---> Answer: Of course you have to use 0 (or very small) TTL DNS records.
Remember RFC 1034: "[...] a zero TTL prohibits caching [...]".

===========================================
David Brumley <dbrumley () rtfm stanford edu> said:

If the DDOS attack was targeted at the router one hop before the web
server, you would have to move the whole subnet.

---> Answer: Yes, you are right. A solution might be for this router no to
respond to ICMP or traceroutes, so its IP does not become publicly available.

===========================================

Many pointed out:

The attacker can switch its attack to the new network.

---> Answer: in this case he is creating a very particular traffic pattern.
He will be consulting DNS servers very often. The clients can do it
automatically, so surfing logs will show them, or even the 'evil master'
behind the attack could make a mistake and consult them often enough. If his
software must attack and IP address (not a FQDN) and he has some experience,
he will consult DNS from one of the comprised machines, but then again you
can track him down from there, as he must use real IPs to get to that
machine.

===========================================================

Felix von Leitner <felix () convergence de> said:

DDOS attacks normally saturate a, b and c as well, so this change will
only help dial-up users from ISP in general.  The DDOS attacks that
struck Germany so far have always taken the whole ISP with them.

---> Answer: I'd really like to know if during these attacks ISP was appling
bandwidth limiting to the customer being flooded on the other side of each of
its Internet links.

Fernando P. Schapachnik
Administración de la red
VIA NET.WORKS ARGENTINA S.A.
fernando () via-net-works net ar
(54-11) 4323-3333