nanog mailing list archives
Re: New Internet-draft on DDOS defense...
From: "Vipul Shah" <svipul () novell com>
Date: Fri, 12 May 2000 00:53:16 -0600
I have some concerns with this draft. The proposed change does lower the risk of damages if one system on a shared-media LAN is compromised, but only for this one type of attack. It seems to me it'd be possible to generate other types of packets which are broadcast/multicast which could elicit an ICMP response, and such attacks are not something which can be cured without breaking a lot of functionality. While ICMP ECHO packets are a preferred mechanism today, they're far from the only types of packets which are problematic. Where RFC2644 prevents ALL types of directed broadcast traffic, this draft will only have a useful impact on ICMP ECHO, and only in a limited case. I have to question whether there's sufficient benefit here to warrant opening up the IP stacks on end stations.
Will you please list down the other types of packets (apart from ICMP ECHO packets) used to generate broadcast response and can lead to an attack. We can extend our solution further to include other types of packets, if possible.
An alternative to the suggested approach is the use of packet filters on end stations. For example, with Linux systems (and probably others) ipchains can be used to filter the types of traffic a host will respond to, regardless of what a border router or firewall ahead of it allows. I generally advocate the use of such facilities where possible as it adds an extra line of defense. Rate limiting of certain types of traffic (e.g. ICMP) is also a way to address the type of problem this draft is concerned with, and again is capable of addressing all ICMP, rather than just ICMP ECHO/ECHO REPLY.
Rate limiting and filtering may reduce the impact of Smurf attack, but the attack itself is not prevented! Vipul
Overall impression of the draft: not a terrible idea, but unclear if it's sufficiently beneficial to warrant the effort to implement. Dan -- ----------------------------------------------------------------- Daniel Senie dts () senie com Amaranth Networks Inc. http://www.amaranth.com
Current thread:
- New Internet-draft on DDOS defense... Vipul Shah (May 10)
- Re: New Internet-draft on DDOS defense... Paul Ferguson (May 11)
- Re: New Internet-draft on DDOS defense... Daniel Senie (May 11)
- Re: New Internet-draft on DDOS defense... Paul Ferguson (May 11)
- Re: New Internet-draft on DDOS defense... Daniel Senie (May 11)
- Re: New Internet-draft on DDOS defense... Brett Frankenberger (May 11)
- Re: New Internet-draft on DDOS defense... Paul Ferguson (May 12)
- <Possible follow-ups>
- Re: New Internet-draft on DDOS defense... Vipul Shah (May 11)
- Re: New Internet-draft on DDOS defense... Brandon Ross (May 11)
- Re: New Internet-draft on DDOS defense... Vipul Shah (May 11)
- Re: New Internet-draft on DDOS defense... Vipul Shah (May 12)
- Re: New Internet-draft on DDOS defense... Jerry Scharf (May 12)
- Re: New Internet-draft on DDOS defense... Brandon Ross (May 12)
- Re: New Internet-draft on DDOS defense... Steven M. Bellovin (May 12)
- Re: New Internet-draft on DDOS defense... Owen DeLong (May 12)
- Re: New Internet-draft on DDOS defense... Vipul Shah (May 16)
- Re: New Internet-draft on DDOS defense... Richard Steenbergen (May 19)
- Re: New Internet-draft on DDOS defense... Paul Ferguson (May 11)