Firewall Wizards mailing list archives

Re: DDOS Countermeasures RFC


From: Gary Flynn <flynngn () jmu edu>
Date: Wed, 31 Jan 2001 09:10:01 -0500

Ryan Russell wrote:

> On Mon, 29 Jan 2001, Marcus J. Ranum wrote:
>
>> We're doomed, aren't we?
>
> My cynical hero :)
>
> No, not really.  There are technical countermeasures to solve the
> problem.  People just won't implement them until they have to.  To take a
> page from your book... legislate that it's illegal to allow spoofed
> packets off your net if you're an ISP, school, etc.

Spoofing only makes it harder to find the source. If there are
hundreds or thousands of compromised boxes in a similar number
of different organizations, it's still going to take time to
track down the sources and/or filter the offending addresses.

Thousands of compromised boxes are a very realistic possibility with
IRC controlled DDOS activity on Windows boxes. Substitute a stealthy
IRC bot for Hybris, ILOVEYOU, or any other popular virus and you
get a large number of "willing" participants.

Since the addresses aren't spoofed, I guess you could immediately
filter them but the effects of the filters on processor utilization
may in itself cause a DOS or at least degradation. Not sure. Probably
depends a lot on topology, type and frequency of packets, line speed,
and the device doing the filtering.

There is also the matter of entering a thousand attacking IP addresses
into the filter database :)

For my cynical views:

http://falcon.jmu.edu/~flynngn/whatnext.htm

--------------------------------------
Gary Flynn
Security Engineer - Technical Services
James Madison University

Please R.U.N.S.A.F.E.
http://www.jmu.edu/computing/info-security/engineering/runsafe.shtml
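
The filter-size concern raised in the message above (a thousand unspoofed sources, each costing a filter entry) can be reduced by aggregating sources into prefixes before loading them. The following is an added example, not part of the original post; `build_filter`, its thresholds and the sample addresses (documentation ranges, constructed) are assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed sample: sources seen during a flood (documentation ranges only).
SAMPLE_SOURCES = (
    [f"192.0.2.{i}" for i in range(1, 21)]         # 20 hosts in one /24
    + ["198.51.100.4", "198.51.100.5"]             # two adjacent hosts
    + ["203.0.113.77", "203.0.113.77"]             # one host, logged twice
)

def build_filter(sources, min_hosts=8, prefix_len=24):
    """Turn a list of attacking IPv4 sources into a short list of prefixes.

    Assumed policy: once min_hosts distinct attackers fall inside the same
    /prefix_len block, the whole block is filtered (accepting some
    over-blocking); otherwise each host is kept as an exact /32 entry.
    """
    hosts = {ipaddress.ip_address(s) for s in sources}   # de-duplicate
    by_block = defaultdict(set)
    for host in hosts:
        block = ipaddress.ip_network(f"{host}/{prefix_len}", strict=False)
        by_block[block].add(host)

    entries = []
    for block, members in by_block.items():
        if len(members) >= min_hosts:
            entries.append(block)                        # filter whole block
        else:
            entries.extend(ipaddress.ip_network(f"{m}/32") for m in members)

    # Merge adjacent entries losslessly (e.g. two sibling /32s into a /31);
    # the result comes back sorted by network address.
    return list(ipaddress.collapse_addresses(entries))

if __name__ == "__main__":
    rules = build_filter(SAMPLE_SOURCES)
    print(f"{len(SAMPLE_SOURCES)} log entries -> {len(rules)} filter entries")
    for net in rules:
        print("deny", net)
```

Raising `min_hosts` trades a longer filter list for less over-blocking; the exact-match collapse step alone never blocks an address that was not in the input.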