nanog mailing list archives

Re: FW: Re: Is there a line of defense against Distributed Reflective attacks?


From: "Christopher L. Morrow" <chris () UU NET>
Date: Sun, 19 Jan 2003 06:08:20 +0000 (GMT)



On Sat, 18 Jan 2003, Avleen Vig wrote:

> On Sat, 18 Jan 2003, Christopher L. Morrow wrote:
>
> > Eliminating spoofed addresses from the backbone, even if it were possible
> > to do 100%, would not eliminate denial of service attacks. The DDoS attacks

This was precisely the point of Mr. Gill from AOL at the aforementioned
NANOG meeting, I believe his quote goes something like: "The ip address
used for the attack is orthogonal to the problem..." To me this makes
perfect sense... People really do get stuck on the red herring of
'stopping all spoofing'. That isn't the problem, as you say below here it's
trivial to use owned hosts by the thousands to attack with unspoofed
addresses... Rob Thomas has some good data on attacks against IRC
servers and other hosts on the internet, his data last I recall was
something like 80% of attacks use spoofed addresses, though more and more
his tracked attacks are showing from non-spoofed hosts. He can certainly
jump in and correct me though :) I can speak authoritatively from the
network I work on's perspective on this issue, more and more we have seen
non-spoofed attacks. There are still plenty of spoofed attacks, but
frankly we prefer that as it's MUCH easier to track and stop.

> you could partly get around this by blocking all 'SYN' packets going to
> your customers :-)

and we are hoping none are hosting webservers or mail servers or....
right? Oh wait! I'll just make them use my datacenters, right?? or were
you not talking about the attacks?


Unless/until the kiddies start using UDP... messy.
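As an added illustration of the exchange above about blocking SYNs toward customers (example code written for this archive page, not from either poster): it applies that rule to a constructed packet sample and counts what gets through, showing the legitimate inbound connections to hosted web and mail servers it kills, the UDP traffic it never touches, and that the verdict is the same whether the attack sources are spoofed or not. The customer prefix, the Packet fields and the sample traffic are all assumptions made for the example.

```python
from collections import Counter
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed customer prefix (RFC 5737 documentation space) standing in for "your customers".
CUSTOMER_PREFIX = ip_network("203.0.113.0/24")


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str             # "tcp" or "udp"
    dport: int
    syn: bool = False      # TCP SYN flag; always False for UDP
    attack: bool = False   # ground truth, known only because we built the sample
    spoofed: bool = False  # ground truth as well


def inbound_syn_filter(pkt: Packet) -> bool:
    """The rule floated in the thread: drop every TCP SYN headed for the customer prefix.

    Returns True if the packet is forwarded, False if it is dropped.
    """
    return not (pkt.proto == "tcp" and pkt.syn and ip_address(pkt.dst) in CUSTOMER_PREFIX)


def classify(pkt: Packet) -> str:
    """Bucket a packet by what it really is, so we can score the rule against the truth."""
    if not pkt.attack:
        return "legit"
    return "attack_spoofed" if pkt.spoofed else "attack_unspoofed"


def evaluate(packets, rule) -> dict:
    """Count forwarded/dropped packets per traffic class under a given filter rule."""
    counts = Counter()
    for p in packets:
        counts[(classify(p), "forwarded" if rule(p) else "dropped")] += 1
    return {f"{cls}_{verdict}": n for (cls, verdict), n in sorted(counts.items())}


# Constructed sample: legitimate traffic to a customer's web and mail servers,
# a SYN flood from spoofed and unspoofed sources, and a UDP flood.
SAMPLE = [
    # legitimate new inbound connections to hosted services
    Packet("198.51.100.7", "203.0.113.10", "tcp", 80, syn=True),
    Packet("198.51.100.8", "203.0.113.10", "tcp", 443, syn=True),
    Packet("198.51.100.9", "203.0.113.25", "tcp", 25, syn=True),
    # mid-flow segment (no SYN) of an already established connection
    Packet("198.51.100.7", "203.0.113.10", "tcp", 80, syn=False),
    # TCP SYN flood: two spoofed sources, one owned host with its real address
    Packet("192.0.2.1", "203.0.113.10", "tcp", 80, syn=True, attack=True, spoofed=True),
    Packet("192.0.2.2", "203.0.113.10", "tcp", 80, syn=True, attack=True, spoofed=True),
    Packet("198.51.100.200", "203.0.113.10", "tcp", 80, syn=True, attack=True),
    # UDP flood: the SYN rule never matches, so every packet is forwarded
    Packet("192.0.2.3", "203.0.113.10", "udp", 53, attack=True, spoofed=True),
    Packet("192.0.2.4", "203.0.113.10", "udp", 1434, attack=True, spoofed=True),
    Packet("198.51.100.201", "203.0.113.10", "udp", 53, attack=True),
]


if __name__ == "__main__":
    for key, n in evaluate(SAMPLE, inbound_syn_filter).items():
        print(f"{key:28s} {n}")
```

Running it shows every legitimate new connection to the customer's web and mail servers dropped, the SYN flood dropped regardless of whether its sources were spoofed, and the UDP flood forwarded untouched: the source address is irrelevant to what the rule does, and the rule costs the customer every hosted TCP service.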


