On Thu, Jan 16, 2003 at 08:48:03PM -0500, Brad Laue mooed:
> By way of quick review, such an attack is carried out by forging the source address of the target host and sending large quantities of packets toward a high-bandwidth middleman or several such.
>
> One method that comes to mind that can slow the incoming traffic in a more distributed way is ECN (explicit congestion notification), but it doesn't seem as though the implementation of ECN is a priority for many
No. ECN is, first and foremost, an optimization for TCP so that it doesn't have to drop packets before cutting its rate back when there's congestion in the network. A zombie or malicious host would just ignore the ECN bit - and the attacks you're describing never reach the point where a host's flow control is involved. You might be thinking of source quench, but that's really not an option with today's networks.

Some other conventional alternatives have been discussed already (ingress/egress filtering, etc). Some less conventional options:

[Warning: Some researchy stuff ahead]

a) Mazu and Arbor provide products that can detect and optionally shape traffic to avoid DDoS attacks. Must be installed in-line to shape, and can't (AFAIK) shape at really really high line speeds. But for reasonable things like, maybe gigabit and under, I think they can provide pretty reasonable protection. Don't quote me for sure on the rates.

b) Ioannidis and Bellovin proposed a mechanism called "Pushback" for automatically establishing router-based rate limits to staunch packet flows during DoS attacks. [NDSS 2002, "Implementing Pushback: Router-Based Defense Against DDoS Attacks"]

c) I stole some ideas from a sigcomm paper this year ("SOS: Secure Overlay Services") to propose a proactive DDoS resistance scheme I term Mayday. The basic idea is that you pick some secret attributes of your packets - destination port, destination address, etc. - and only allow packets with "the right values" through. You then tell that secret to someone like Akamai, and have them proxy all requests to you. Then you ask your upstream to proactively deny all packets without the magical values.

http://nms.lcs.mit.edu/papers/mayday-usits2003.html

It's a little weird, but I'd be willing to bet that one of the big overlay providers like Akamai could actually pull it off. The advantage of this approach is that you can implement it without fixing the whole world, unlike egress filters.
The downside is that you need someone with lots of nodes.

I'd be interested in hearing folks' comments about the mayday paper, btw, since I have to babble about it at a conference in a month. ;-)

-Dave

--
work: dga@lcs.mit.edu   me: dga@pobox.com
MIT Laboratory for Computer Science   http://www.angio.net/
I do not accept unsolicited commercial email. Do not spam me.
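A toy model of the filter/proxy split that option c) above describes, added here as an illustration: it is constructed example code, not code from the Mayday paper, from Akamai, or from any router vendor, and the addresses, port range and flood are made-up values. The upstream ACL drops everything bound for the target that lacks the secret destination port, while the overlay node, which knows the secret, re-addresses legitimate requests so they pass.

```python
# Toy model of the Mayday idea (constructed example; not from the paper or any
# vendor): the target picks a secret packet attribute, here a destination port,
# tells only its overlay proxy, and the upstream drops all else bound for the target.
from dataclasses import dataclass
import secrets

TARGET = "198.51.100.10"      # protected server (made-up address)
OVERLAY_NODE = "203.0.113.5"  # one node of the overlay/proxy provider (made-up)

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int

class UpstreamFilter:
    """Models the upstream router's ACL: packets to the target pass only if they
    carry the secret port; traffic to other hosts is untouched."""
    def __init__(self, target: str, secret_port: int) -> None:
        self.target, self.secret_port, self.dropped = target, secret_port, 0

    def forward(self, pkt: Packet) -> bool:
        if pkt.dst == self.target and pkt.dport != self.secret_port:
            self.dropped += 1
            return False
        return True

class OverlayProxy:
    """Models an overlay node that knows the secret and re-addresses client
    requests so they carry the 'right' value when they reach the upstream."""
    def __init__(self, node: str, target: str, secret_port: int) -> None:
        self.node, self.target, self.secret_port = node, target, secret_port

    def relay(self, client_pkt: Packet) -> Packet:
        return Packet(src=self.node, dst=self.target, dport=self.secret_port)

def pick_secret_port() -> int:
    # Any unguessable value will do; the secrecy, not the number, is the point.
    return 49152 + secrets.randbelow(65536 - 49152)

def simulate(secret_port: int, flood_size: int = 1000) -> dict:
    upstream = UpstreamFilter(TARGET, secret_port)
    edge = OverlayProxy(OVERLAY_NODE, TARGET, secret_port)
    legit = edge.relay(Packet("192.0.2.7", OVERLAY_NODE, 80))   # went via the overlay
    # Constructed flood: forged sources, aimed straight at the target's public port.
    flood = [Packet(f"10.{i >> 8}.{i & 255}.1", TARGET, 80) for i in range(flood_size)]
    bystander = Packet("192.0.2.8", "198.51.100.99", 80)        # unrelated host
    delivered = [p for p in [legit, *flood, bystander] if upstream.forward(p)]
    return {"delivered": len(delivered), "dropped": upstream.dropped,
            "legit_delivered": legit in delivered, "bystander_ok": bystander in delivered}
```

Note that the filter never looks at the (forgeable) source address; only the secret destination attribute decides, which is what lets the upstream apply it without the rest of the Internet having to deploy egress filtering.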