-----Original Message----- From: Stewart, William C (Bill), RTLSL Sent: Friday, January 17, 2003 5:35 PM To: 'nanog-post@trapdoor.merit.edu' Subject: Re: Is there a line of defense against Distributed Reflective attacks? Many of these attacks can be mitigated by ISPs that do anti-spoofing filtering on input - only accepting packets from user ports that have IP addresses that are registered for that port, and not accepting incoming packets from outside their network that claim to be from inside (except maybe from registered dual-homed hosts.) This cuts down on many opportunities for forgery, and means that SYN Flood attacks have a much more limited set of addresses they can forge (e.g. an attacker or zombie can only impersonate other ips sharing its /24 or /29, so it can't pretend to be its victim in a reflection or smurf attack.) That doesn't stop all reflection attacks; a zombie on a network that doesn't do anti-spoofing can send SYNs to a big server on a network that also doesn't anti-spoof, so the server will still SYN-ACK to the victim. This cuts out a lot of potential zombie/server pairs. If the server that's being used for reflection is someone the victim would often talk to, that's a problem (you'd rather not block connections to Yahoo), but if it's someone the victim doesn't care about talking to (like router23.example.net) you don't mind blocking it. (Also, why is router23.example.net SYNACKing somebody it doesn't know?) But there are probably 20 million web servers or Kazaa or IM clients out there, and probably half of them are on networks that don't spoof-proof, so blocking those is much tougher than blocking the big ones. And next stop - reflection attacks using big domain servers...