On Thu, 16 Jan 2003, Brad Laue wrote:
Having researched this in-depth after reading a rather cursory article on the topic (http://grc.com/dos/drdos.htm), only two main methods come to my mind to protect against it.
By way of quick review, such an attack is carried out by forging the source address of the target host and sending large quantities of packets toward a high-bandwidth middleman or several such.
To my knowledge the network encompassing the target host is largely unable to protect itself other than 'poisoning' the route to the host in question. This succeeds in minimizing the impact of such an attack on the network itself, but also acheives the end of removing the target host from the Internet entirely. Additionally, if the targetted host is a router, little if anything can be done to stop that network from going down.
One method that comes to mind that can slow the incoming traffic in a more distributed way is ECN (explicit congestion notification), but it doesn't seem as though the implementation of ECN is a priority for many small or large networks (correct me if I'm wrong on this point). If ECN is a practical solution to an attack of this kind, what prevents its implementation? Lack of awareness, or other?
Doesn't ECN depend on 'well behaved' traffic? In other words, wouldn't it require the hosts sending traffic to slow down? So... even if the hosts slowed down, 10,000 hosts still is a high traffic rate at the end point. :(
Also, are there other methods of protecting a targetted network from losing functionality during such an attack?
Insights welcome.
Brad
-- // -- http://www.BRAD-X.com/ -- //