> I'm going to go way out on a limb here and say: 1) I would prefer all attacks use spoofed sources (cause I can track it across my net in 2 minutes)
Perhaps you could enlighten me further on this - if this is a naive question off list.
> Ok, that said, think about this: Today we have 1 or 2 or 3 spoofing boxes per attack (on average), if there are 8000 IIS boxes pinging one 64k ping per second you can really rack up the bandwidth fast.
I don't think this is an issue. If by being able to notify the admin of a few boxes being used in a nonspoofed DDoS attack, we raise the bar so that larger networks must be used, we have gained real ground in the battle. Security isn't normally about absolutes; if you make something harder, without increasing the rewards, fewer rats will do it.

We need to be able to trust source IP addresses before we can even conceive of a system that would permit mailing 8000 administrators to say 'Your box is owned', or implement some sort of system to pass the word to peers or transit providers that a particular source should be stopped before it reaches the boundaries of our own networks. Similarly, if you want to track down the people who perpetrate the attacks (I'm not convinced this will stop as many as some people think), knowing the source IP is reliable must make life easier. If I had a set of bots, and could control them with spoofed UDP packets, or unspoofed TCP connections, which do you think I'd use?!

Some analogies on the list I think are stretched, which is why I think that tracking down perpetrators will be less effective than others have suggested.

1. 7-11 analogy - the real reason people don't rob 7-11s a lot more is that they don't have any real money - the big criminals rob richer places, only the druggies rob 7-11's. This breaks down in DDoS as we can use all those 7-11's to help blackmail the bank.

2. Safe to leave your car unlocked in the street - It is fine to leave your car unlocked in my street. Indeed on one occasion I left the front door open, and came home to find the neighbours had shut it for me as they were "concerned". On the Internet you are less than a few seconds away from even the remotest corner, so you're definitely in a cross between the dodgier parts of LA, a Johannesburg slum, and the Lebanon.
Yes, prosecutions for DDoS will discourage script kiddies, but it won't stop the people with a cause, or countries your country is at war with, or worse, countries who are at war with countries who host their sites with you, or hundreds of other groups. Thus prosecution may be part of the solution, but "technical" solutions will still be required, and stopping spoofing is probably a first step in the right direction to provide some of these.

--
Are you using the Internet to best effect? www.eighth-layer.com
Tel: +44(0)1395 232769 ICQ: 116952768
Moderated discussion of teleworking at news:uk.business.telework
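The "stopping spoofing" step the reply above argues for is what a network edge does with source-address (BCP38-style) ingress filtering: a packet arriving on a customer-facing port with a source address that port is not allowed to originate is dropped before it can leave the provider's network, and the drop counters point the operator at the port that needs attention. The following is an added illustration written for this page, not code from the thread or from any of its participants. The interface names, the allowed prefix table and the sample packets are all constructed; the prefixes are RFC 5737 documentation ranges.

```python
"""BCP38-style ingress filter check (added example, not code from the thread).

Assumption (constructed): the operator knows which address prefixes each
customer-facing ingress interface may legitimately originate. A packet whose
source lies outside those prefixes is treated as spoofed and dropped.
"""
from collections import Counter
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed: prefixes each ingress interface is permitted to source.
ALLOWED_PREFIXES = {
    "cust-a": [ip_network("192.0.2.0/24")],
    "cust-b": [ip_network("198.51.100.0/24"), ip_network("203.0.113.0/26")],
}

# Sources that are never valid on any interface ("martians").
MARTIANS = [
    ip_network("0.0.0.0/8"),
    ip_network("127.0.0.0/8"),
    ip_network("224.0.0.0/4"),
    ip_network("240.0.0.0/4"),
]


@dataclass(frozen=True)
class Packet:
    ingress: str   # interface the packet arrived on
    src: str
    dst: str
    proto: str


def classify(pkt: Packet, allowed=ALLOWED_PREFIXES) -> str:
    """Return 'ok' or the reason the packet fails the ingress check."""
    src = ip_address(pkt.src)
    if any(src in net for net in MARTIANS):
        return "martian-source"
    prefixes = allowed.get(pkt.ingress)
    if prefixes is None:
        # No prefix list for this interface: fail closed rather than forward.
        return "unknown-ingress"
    if not any(src in net for net in prefixes):
        return "source-not-in-allowed-prefixes"
    return "ok"


def filter_ingress(packets, allowed=ALLOWED_PREFIXES):
    """Split packets into those forwarded and those dropped (with the reason)."""
    forwarded, dropped = [], []
    for pkt in packets:
        verdict = classify(pkt, allowed)
        if verdict == "ok":
            forwarded.append(pkt)
        else:
            dropped.append((pkt, verdict))
    return forwarded, dropped


def drops_per_interface(dropped) -> dict:
    """Count drops per ingress port: this is what tells the operator which
    customer to notify, which is the 'raise the bar' point made above."""
    return dict(Counter(pkt.ingress for pkt, _ in dropped))


# Constructed sample traffic: two legitimate packets and four spoofed ones.
SAMPLE_PACKETS = [
    Packet("cust-a", "192.0.2.10", "203.0.113.99", "tcp"),    # legitimate
    Packet("cust-a", "10.0.0.1", "203.0.113.99", "udp"),      # spoofed: RFC 1918 source
    Packet("cust-b", "203.0.113.5", "192.0.2.200", "tcp"),    # legitimate
    Packet("cust-b", "192.0.2.10", "198.51.100.9", "udp"),    # spoofed: another customer's address
    Packet("cust-a", "127.0.0.1", "198.51.100.9", "icmp"),    # spoofed: martian source
    Packet("cust-c", "198.51.100.77", "192.0.2.200", "udp"),  # no prefix list: fail closed
]

if __name__ == "__main__":
    ok, bad = filter_ingress(SAMPLE_PACKETS)
    print(f"forwarded {len(ok)}, dropped {len(bad)}")
    for pkt, why in bad:
        print(f"  drop {pkt.src} on {pkt.ingress}: {why}")
    print("drops per interface:", drops_per_interface(bad))
```

The check is deliberately per-interface rather than global: a source address that is perfectly valid on cust-a is spoofed when it shows up on cust-b, which is exactly the case an address-only blocklist misses. Unknown interfaces fail closed so that a port added without a prefix list cannot silently become the one unfiltered path out of the network.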