nanog mailing list archives
Re: Proposal for mitigating DoS attacks
From: Jeff Aitken <jaitken () aitken com>
Date: Sat, 10 Jul 1999 15:40:34 -0400 (EDT)
Alex.Bligh writes:
A discussion on Route Filtering
===============================

This proposal does not invalidate the concept of route filtering. In fact it is vital that the same level of filtering is applied to Victim Routes as to the superblock in which they reside; elsewise they could themselves be used by irresponsible people as a Denial of Service attack. The same technology that currently ensures ISPs do not lose connectivity to their customers by accepting similar routes from their peers can be used to filter acceptance of Victim Routes.
This is certainly an interesting proposal. However, I have a concern related to the excerpt above. Considering smurf-like attacks, the involved parties typically include:

1. Attacker's upstream(s).
2. Amplifiers.
3. Victim's upstream(s).
4. Victim.

Given the "distributed" nature of the attack, parties #1 and #2 tend to see only marginal increases in traffic. Party #3 may see a moderate to heavy increase, but if they maintain sufficient headroom on their network, it may not be enough to matter (or even be noticed). By far the most dramatic difference is seen by party #4, the victim himself.

Your proposal, assuming it could be consistently and properly implemented, might certainly improve the situation for parties #3 and #4. However, it may open other, previously uninvolved parties to a new form of attack: if I, as an attacker, can find a way to generate thousands of these "victim" routes, I can effect a very potent DoS against core routers all over the Internet. Do the benefits to parties #3 and #4 outweigh the newly-created risk that affects everyone?

For example, what happens when there is a breakdown in route filtering and someone manages to slip in a few hundred victim routes that just so happen to match the IPs in use at the major exchange points? ;-)

The more I think about it, the more problems I see. Smurf attacks are possible because thousands of people can't disable directed broadcasts on their routers. This entire approach relies on many of those same people to perform adequate route filtering to avoid far worse consequences. :-(

--Jeff
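The filtering both messages turn on, as an added example that is not part of the thread and not anyone's production policy: a per-peer prefix list with Cisco-style "permit X/Y le Z" semantics and implicit deny, so a more-specific "victim route" is accepted only if it sits inside a superblock that peer is entitled to announce. The peer names and prefixes (192.0.2.0/24 for the customer, 203.0.113.0/24 standing in for someone else's space) are constructed, and the per-peer prefix cap (modelled on BGP maximum-prefix) is an assumption the thread does not mention; it is included because it is the check that still catches a flood of thousands of victim routes after the prefix filter itself has broken down, which is the failure mode Jeff raises.

```python
"""Per-peer prefix-list filtering of "victim routes" (more-specific
announcements carved out of a superblock), modelled on Cisco
"ip prefix-list ... permit X/Y le Z" semantics with implicit deny.

Added illustration, not code from the NANOG thread. Peer names,
prefixes and the per-peer prefix cap are constructed assumptions.
"""
from dataclasses import dataclass, field
from ipaddress import IPv4Network, ip_network
from typing import List, Optional, Tuple


@dataclass
class PermitEntry:
    prefix: IPv4Network  # superblock the peer is entitled to announce
    le: int              # longest prefix length accepted under it (Cisco "le")


@dataclass
class PeerPolicy:
    name: str
    permits: List[PermitEntry] = field(default_factory=list)
    # Assumption: a per-peer prefix cap in the style of BGP maximum-prefix.
    # Not in the original thread; shown as the backstop for a filter breakdown.
    max_prefixes: Optional[int] = None


def permitted(policy: PeerPolicy, net: IPv4Network) -> bool:
    """Implicit deny: accept only if some permit entry covers the route
    and the route is no longer than that entry's "le" bound."""
    return any(net.subnet_of(p.prefix) and net.prefixlen <= p.le
               for p in policy.permits)


def apply_policy(policy: PeerPolicy,
                 announcements: List[str]) -> Tuple[List[IPv4Network],
                                                    List[IPv4Network], bool]:
    """Split announcements into accepted/rejected and report whether the
    session would stay up under the per-peer prefix cap."""
    accepted: List[IPv4Network] = []
    rejected: List[IPv4Network] = []
    for text in announcements:
        net = ip_network(text, strict=True)
        (accepted if permitted(policy, net) else rejected).append(net)
    session_up = (policy.max_prefixes is None
                  or len(accepted) <= policy.max_prefixes)
    return accepted, rejected, session_up


# Constructed input: a customer that holds 192.0.2.0/24 announces its
# superblock plus two legitimate /32 victim routes inside it ...
LEGIT = ["192.0.2.0/24", "192.0.2.17/32", "192.0.2.200/32"]
# ... and a flood of bogus /32 victim routes for space that is not theirs
# (203.0.113.0/24 stands in for someone else's block, e.g. exchange-point space).
FLOOD = [f"203.0.113.{i}/32" for i in range(256)]

# Properly filtered session: only their own block, down to /32, capped at 64 routes.
FILTERED = PeerPolicy("customer-A",
                      [PermitEntry(ip_network("192.0.2.0/24"), 32)],
                      max_prefixes=64)
# Breakdown in route filtering: a permit-anything entry (what an unfiltered
# session behaves like); only the prefix cap remains as a backstop.
UNFILTERED = PeerPolicy("customer-A-unfiltered",
                        [PermitEntry(ip_network("0.0.0.0/0"), 32)],
                        max_prefixes=64)


def demo() -> dict:
    """Run both policies over the same announcements and summarise."""
    a1, r1, up1 = apply_policy(FILTERED, LEGIT + FLOOD)
    a2, r2, up2 = apply_policy(UNFILTERED, LEGIT + FLOOD)
    return {
        "filtered_accepted": len(a1),
        "filtered_rejected": len(r1),
        "filtered_session_up": up1,
        "unfiltered_accepted": len(a2),
        "unfiltered_rejected": len(r2),
        "unfiltered_session_up": up2,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

With the prefix list in place the 256 bogus /32s are dropped and the three legitimate routes pass; with the filter broken, all 259 are accepted and only the prefix cap tears the session down. The "le 32" bound is what lets a customer's victim routes through at all, so it must be paired with the covering-superblock check: "permit 0.0.0.0/0 le 32" alone is equivalent to no filter.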
Current thread:
- Proposal for mitigating DoS attacks Alex.Bligh (Jul 10)
- Re: Proposal for mitigating DoS attacks Jon Green (Jul 10)
- Re: Proposal for mitigating DoS attacks Leo Bicknell (Jul 10)
- Re: Proposal for mitigating DoS attacks Deepak Jain (Jul 10)
- Re: Proposal for mitigating DoS attacks Alex Bligh (Jul 12)
- Re: Proposal for mitigating DoS attacks batz (Jul 13)
- Re: Proposal for mitigating DoS attacks Leo Bicknell (Jul 10)
- Re: Proposal for mitigating DoS attacks Jon Green (Jul 10)
- Re: Proposal for mitigating DoS attacks Jeff Aitken (Jul 10)
- Re: Proposal for mitigating DoS attacks Aaron Hopkins (Jul 12)
- Re: Proposal for mitigating DoS attacks Alex Bligh (Jul 12)
- Re: Proposal for mitigating DoS attacks Barry Shein (Jul 13)
- Re: Proposal for mitigating DoS attacks Alex Bligh (Jul 12)
- <Possible follow-ups>
- RE: Proposal for mitigating DoS attacks Dan Rabb (Jul 11)
- RE: Proposal for mitigating DoS attacks jlewis (Jul 11)