On Thu, Oct 24, 2002 at 04:02:09PM -0500, Rob Thomas wrote:
> Hi, NANOGers.
>
> ] I assert this is not the case. A significant percentage of DDoS attacks use
> ] legitimate source IP addresses. When there are thousands of throw-away hosts
>
> I track several botnets per week, and a large amount of DDoS per week. Only
> around 20% (or a bit less) of all the attacks I log use spoofed source
> addresses.
>
> Does anti-spoofing help? Yes. It is but one of many mitigation strategies.
I don't know what botnets you look at, but I wouldn't go that far. Of course stopping spoofing will not solve everything, but it does and will make a huge impact on DoS mitigation and tracing.

The problem now is that no one "knows" for certain if the attack they're tracing is spoofed or not. With a random source SYN flood, you know it's spoofed. With an attack which is spoofing a legit-looking address that is completely unrelated to the attacker, you don't. Most people who report DoS (including myself) have been so burned by finding out that legitimate-looking source address on an attack is in fact spoofed (or worse yet that an innocent party gets blamed by incompetent admins), they see a DDoS and don't even bother.

Attackers w/DDoS networks use this to their advantage, by mixing spoofed attacks (where they can) with unspoofed attacks (where they can't, such as Windows machines, boxes where they haven't compromised root such as Apache worms and the like, and even in rare cases where the network is doing their job and ingress filtering), to make it effectively impossible to know which hosts to go after. Tracing down dumb drones with non-spoofed addresses is a LOT easier than tracking spoofed packets through the network (or worse, explaining to other networks how to do it).

Of course, as more and more ingress filtering is implemented, the attacks will move to "one-off" spoofing, where they spoof their neighbor's address but are still close enough to get through filters, and incompetent admins go chasing after ghosts. But we'll deal with that situation when we come to it. :)

-- 
Richard A Steenbergen <ras@e-gerbil.net>       http://www.e-gerbil.net/ras
PGP Key ID: 0x138EA177 (67 29 D7 BC E8 18 3E DA B2 46 B3 D8 14 36 FE B6)
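As an added illustration of the distinction drawn in the reply above (example code, not from this thread or its authors), the following Python sketch classifies SYN-flood flow records the way the post reasons: a flood whose every packet carries a fresh source scattered across the address space is recognisably spoofed, while a flood from a small, repeating set of legit-looking sources cannot be called drones or fixed spoofing from the flow data alone. The record format, thresholds, and the sample traffic are assumptions.

```python
import random
from collections import Counter

TARGET = "198.51.100.10"  # constructed victim address (documentation range)
SYN_THRESHOLD = 100       # assumed: fewer SYNs than this toward one host is no flood
RANDOM_RATIO = 0.9        # assumed: distinct-source/SYN ratio above this looks random
MIN_FIRST_OCTETS = 32     # assumed: random sources scatter across many /8s

def syn_stats(records, target):
    """records: iterable of (src_ip, dst_ip, tcp_flags) tuples, as a flow export
    might give them. Returns (syn_count, distinct_sources, distinct_first_octets)."""
    syns = [src for src, dst, flags in records
            if dst == target and "S" in flags and "A" not in flags]
    sources = Counter(syns)
    first_octets = {src.split(".", 1)[0] for src in sources}
    return len(syns), len(sources), len(first_octets)

def classify_syn_flood(records, target):
    syn_count, distinct, octets = syn_stats(records, target)
    if syn_count < SYN_THRESHOLD:
        return "no-flood"
    if distinct / syn_count >= RANDOM_RATIO and octets >= MIN_FIRST_OCTETS:
        # Nearly every SYN has a never-before-seen source spread over the address
        # space: the sender is not using its own address, so the source field is
        # useless for tracing; mitigation has to key on the destination instead.
        return "spoofed-random-source"
    # A repeating set of legit-looking sources: real drones, or a fixed spoofed
    # address that would get an innocent party blamed. Flow data alone cannot
    # tell which, so this is a lead to verify with the source network, not a culprit.
    return "fixed-sources-unverified"

def make_sample(kind, n=500, seed=7):
    """Constructed flow records toward TARGET; not captured traffic."""
    rng = random.Random(seed)
    if kind == "random":      # random-source SYN flood
        srcs = [".".join([str(rng.randrange(1, 224))] +
                         [str(rng.randrange(256)) for _ in range(3)])
                for _ in range(n)]
        return [(s, TARGET, "S") for s in srcs]
    if kind == "drones":      # flood from a small, fixed set of hosts
        drones = ["203.0.113.%d" % i for i in range(2, 10)]
        return [(rng.choice(drones), TARGET, "S") for _ in range(n)]
    # background: a handful of normal connection attempts plus SYN/ACK replies
    return ([("203.0.113.%d" % (i % 5 + 20), TARGET, "S") for i in range(30)] +
            [(TARGET, "203.0.113.20", "SA") for _ in range(30)])

if __name__ == "__main__":
    for kind in ("random", "drones", "background"):
        print(kind, "->", classify_syn_flood(make_sample(kind), TARGET))
```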