Tim Bass writes:
There is no reason to be hostile to me, I'm not the attacker.
You are, however, walking in when you are obviously quite unaware of the details of the situation and proclaiming that you know better than everyone else. You obviously do not understand the attacks. You do not know what people actually involved have been doing to try to solve them. You also proclaimed, in advance, that the problem is simple and by implication that the world class talent that has been looking at the problem is stupid. In short, you are arrogant and ignorant.
An attacker sends a stream of packets to (fill in the blanks) one host, two hosts, a subset of hosts in a network? And the packets arrive with a frequency of ------? and the average available bandwidth of the attack flow is -----? and the average time each packet changes the pseudo random IP source addresses is?
Has it occurred to you that even if there were characteristics that could be used to filter the packets, the attacker might change the characteristics of what he was sending to get around them? No set of characteristics is available for filtering, because no single set of characteristics will occur in all possible attacks. Any software that assumes that the attacker, say, incremented the port number by 10 every time, or what have you, would simply be evaded by the next attacker or by the same attacker on later attacks. Indeed, in the case in question, filtering was used against consistent characteristics of the attack and then failed when the attacker changed tactics to evade the filtering. This is an arms race that cannot be won. There is no consistent mechanism that can both filter the attacks and not hurt legitimate users.
I, we, can't, however, solve a problem if it is not clearly defined.
Perhaps I, we, don't have any reason to tell you more details than you know.
Yes, I'm arrogant and believe that given the details and the specifications of the problem, we can solve it, and yes, I believe that whining about it does little to solve the problem or help make the IP world a better place.
Mr. Bass, I'd say what I think of you at this point, but this is a family mailing list. Before you lose all respect that anyone has for you, be quiet, go away for a few days, and learn that other people working on a problem are not necessarily imbeciles just because they aren't you. Very smart people have looked at the specific problems in question. There are some good answers to the problem -- origination filtering and hardening hosts by fixing the algorithms that manage the infant connection queues in kernels. People are now busily working on both of these. Your comments, however, belong more to the problem set than to the solution set. If you expect to get respect, you will first have to give some to others.

Perry
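The two points Perry makes above, that the flood packets carry no consistent characteristic a filter could key on, and that the real host-side fix is in how the kernel manages its infant (half-open) connection queue, can be seen in a small discrete-time model. The following is an added illustration written for this archive, not code from either poster or from any kernel; the queue size, timeout, round-trip time and per-tick arrival rates are constructed assumptions (one tick is taken as 100 ms), and the spoofed SYNs are deliberately indistinguishable from legitimate ones so that nothing in the model filters on packet contents. It compares a queue that simply refuses new SYNs when full with one that evicts its oldest half-open entry to make room.

```python
import random
from collections import deque

# Constructed model parameters (assumptions for this example, not from the thread).
# One tick is taken to be 100 ms.
BACKLOG = 128   # half-open entries the infant connection queue can hold
TIMEOUT = 750   # ticks before an unanswered half-open entry is reaped (75 s)
RTT = 2         # ticks a legitimate client needs to return its final ACK
TICKS = 600     # duration of the flood (60 s), shorter than TIMEOUT


def simulate(policy, attack_rate, legit_rate, seed=1):
    """Model the kernel's half-open connection queue under a spoofed SYN flood.

    policy: "refuse" -> when the queue is full, a new SYN is dropped
            "evict"  -> when the queue is full, the oldest half-open entry is
                        discarded so the new SYN can be admitted
    Each tick, attack_rate spoofed SYNs (random sources, never completed) and
    legit_rate genuine SYNs (completed RTT ticks later, if still queued) arrive
    in random order.  Returns the fraction of genuine handshakes that completed.
    """
    if policy not in ("refuse", "evict"):
        raise ValueError("unknown policy: %r" % policy)
    rng = random.Random(seed)
    queue = deque()                 # entries: (arrival_tick, completes_at or None)
    legit_sent = legit_done = 0

    # Run RTT extra ticks with no arrivals so the last genuine SYNs can finish.
    for t in range(TICKS + RTT):
        # 1. Reap: complete genuine handshakes whose ACK has arrived and drop
        #    entries older than TIMEOUT.  Nothing here looks at packet contents;
        #    the spoofed entries are indistinguishable from the genuine ones.
        keep = deque()
        for arrival, completes_at in queue:
            if completes_at is not None and completes_at <= t:
                legit_done += 1
            elif t - arrival < TIMEOUT:
                keep.append((arrival, completes_at))
        queue = keep

        # 2. Arrivals: spoofed and genuine SYNs interleaved at random.
        if t >= TICKS:
            continue
        arrivals = [None] * attack_rate + [t + RTT] * legit_rate
        rng.shuffle(arrivals)
        for completes_at in arrivals:
            if completes_at is not None:
                legit_sent += 1
            if len(queue) >= BACKLOG:
                if policy == "refuse":
                    continue        # queue full: this SYN is lost
                queue.popleft()     # make room by evicting the oldest entry
            queue.append((t, completes_at))

    return legit_done / legit_sent if legit_sent else 0.0


def compare(attack_rate=40, legit_rate=4):
    """Completion rate for genuine clients under both queue policies."""
    return {p: simulate(p, attack_rate, legit_rate) for p in ("refuse", "evict")}


if __name__ == "__main__":
    for policy, rate in compare().items():
        print("%-7s %.3f of genuine handshakes completed" % (policy, rate))
```

With 40 spoofed and 4 genuine SYNs per tick against a 128-entry queue, the refusing queue fills within three ticks and then admits a new SYN only when a genuine handshake frees a slot, so genuine completions collapse to a fraction of a percent for the rest of the flood; the evicting queue keeps every genuine client, because an entry only has to survive about BACKLOG / (attack_rate + legit_rate) ticks, which here exceeds the handshake RTT. That ratio is the whole design point: eviction or random drop in the infant queue helps exactly as long as the queue turns over more slowly than a real client can answer, and no filtering on the packets themselves is involved.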