nanog mailing list archives

Re: New Internet-draft on DDOS defense...

From: Jerry Scharf <scharf () vix com>
Date: Fri, 12 May 2000 07:17:59 -0700


Another point that hasn't been mentioned in this thread is that this type
of attack is very easy to track down, since all the echo-reply packets
will have addresses in the same subnet.  A good portion of the problem
with smurf attacks is not so much the attack itself as the painful process
of tracking it to it's source.


By the time you trace the packets, identify the subnet, and convince the 
Network Administrator to detach the compromized system from the network,
 the victim's router might have crashed. Especially, when there are more 
than one DDoS agents are compromized over different networks, the 
victim site may loose several hours of business!


Having been there, your solution mode is all wrong. What would happen in a 
case like this where a DOS attack has a localized source is that you would get 
the upstreams to filter them out. May take a few minutes, but given the ease 
of tracing it should be quick (once you get the right ISP team working on it.) 
Not too many people have more than a DS3 or two serving a subnet, and in 
today's world the backbone can handle that much smurf even if the egress hose 
can't.

Also the pain point of the solution will cure the DOS source. The ISP serving 
the source first disconnects the circuit completely, then contacts the network 
administrator and asks him/her to cease and decist. No fix, no Internet! I am 
willing to bet that being a localized source of a DOS attack does not fall 
within ISP AUPs.

Besides the idea that the cure is way to much for the problem, there is the 
deployment issue. It usually takes 5-10 years (or more) for a solution like 
this to saturate the installed base. Our problems wil be much different then.

The work in DOS needs to be much more focused on the hard problems of tracking 
distributed spoofed attacks and automatic attack characterization, not wasting 
time on this kind of stuff. I think that other than you defending this, there 
has been no support. Please take it as hint.

jerry


Vipul

Brandon Ross                                                 404-522-5400
VP Engineering, NetRail                            http://www.netrail.net 
AIM:  BrandonNR                                             ICQ:  2269442
Read RFC 2644!
Stop Smurf attacks!  Configure your router interfaces to block directed
broadcasts. See http://www.quadrunner.com/~chuegen/smurf.cgi for details.

Current thread:

New Internet-draft on DDOS defense... Vipul Shah (May 10)
- Re: New Internet-draft on DDOS defense... Paul Ferguson (May 11)
  - Re: New Internet-draft on DDOS defense... Daniel Senie (May 11)
    - Re: New Internet-draft on DDOS defense... Paul Ferguson (May 11)
- Re: New Internet-draft on DDOS defense... Brett Frankenberger (May 11)
  - Re: New Internet-draft on DDOS defense... Paul Ferguson (May 12)
- <Possible follow-ups>
- Re: New Internet-draft on DDOS defense... Vipul Shah (May 11)
  - Re: New Internet-draft on DDOS defense... Brandon Ross (May 11)
- Re: New Internet-draft on DDOS defense... Vipul Shah (May 11)
- Re: New Internet-draft on DDOS defense... Vipul Shah (May 12)
  - Re: New Internet-draft on DDOS defense... Jerry Scharf (May 12)
- Re: New Internet-draft on DDOS defense... Brandon Ross (May 12)
- Re: New Internet-draft on DDOS defense... Steven M. Bellovin (May 12)
- Re: New Internet-draft on DDOS defense... Owen DeLong (May 12)
- Re: New Internet-draft on DDOS defense... Vipul Shah (May 16)
- Re: New Internet-draft on DDOS defense... Richard Steenbergen (May 19)