On Sat, 25 Jan 2003, K. Scott Bethke wrote:
Keep in mind that these problems aren't from 'well behaved' hosts, and 'well behaved' hosts normally listen to ECN/tcp-window/Red/WRED.... classic DoS attack scenario. :(
I understand the evils, but are we really at the mercy of situations like this? Of course we can firewall the common sense things ahead of time,
I don't think this one could have been reasonably firewalled using a non-stateful firewall (such as a simple router access list): the port is unprivileged so it will be used as a source port for regular UDP traffic such as DNS queries. However, rate limiting UDP would have helped. This is a reasonable thing to do for customers that have a lot of bandwidth but don't run high-bandwidth UDP protocols.
we can jump right in and block evil traffic when it happens, after it takes down our network but what sorts of things can we design into our networks today to help with these situations?
Rate limit everything you can rate limit, make sure your routers and switches have enough CPU even if interfaces are saturated with minimum-sized packets to random destinations. But this type of rDOS (reversed denial of service) is easy: you can simply filter the offending systems. If it's the other way around (DOS) there is not much you can do. To really solve this we need a mechanism for destination hosts to authorize source hosts to send data in such a way that intermediate routers/firewalls can check this authorization and drop unauthorized packets.
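An added illustration of the three options weighed in this thread (not code from either poster): a toy packet filter showing why a stateless port ACL drops a legitimate DNS reply whose ephemeral source port collides with the flooded port, how a stateful UDP table avoids that, and how a per-source token bucket caps a UDP flood. The port number, addresses and traffic are constructed for the example.

```python
from collections import defaultdict
BLOCKED_PORT = 5555  # hypothetical unprivileged port the flood is aimed at

def stateless_acl(pkt):
    """Router access list: drop any inbound UDP with dport == BLOCKED_PORT."""
    return not (pkt["proto"] == "udp" and pkt["dport"] == BLOCKED_PORT)

class StatefulUdpFilter:
    """Admit inbound UDP only if it answers a query we saw leave the network."""
    def __init__(self):
        self.pending = set()
    def outbound(self, pkt):
        self.pending.add((pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"]))
    def inbound(self, pkt):
        key = (pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])  # reversed 4-tuple
        return pkt["proto"] == "udp" and key in self.pending

class UdpRateLimiter:
    """Token bucket per source: `rate` packets/sec, burst of `burst`; non-UDP untouched."""
    def __init__(self, rate, burst):
        self.rate, self.burst = rate, burst
        self.tokens = defaultdict(lambda: float(burst))
        self.last = {}
    def allow(self, pkt, now):
        if pkt["proto"] != "udp":
            return True
        src = pkt["src"]
        elapsed = now - self.last.get(src, now)
        self.tokens[src] = min(self.burst, self.tokens[src] + elapsed * self.rate)
        self.last[src] = now
        if self.tokens[src] >= 1:
            self.tokens[src] -= 1
            return True
        return False

def demo():
    # Constructed traffic: a DNS query whose ephemeral source port happens to be
    # BLOCKED_PORT, its legitimate reply, and a 100-packet flood from one host.
    query = {"proto": "udp", "src": "10.0.0.5", "sport": BLOCKED_PORT, "dst": "192.0.2.53", "dport": 53}
    reply = {"proto": "udp", "src": "192.0.2.53", "sport": 53, "dst": "10.0.0.5", "dport": BLOCKED_PORT}
    flood = [{"proto": "udp", "src": "203.0.113.9", "sport": 40000 + i, "dst": "10.0.0.7", "dport": BLOCKED_PORT} for i in range(100)]
    stateful = StatefulUdpFilter(); stateful.outbound(query)
    limiter = UdpRateLimiter(rate=10, burst=20)
    return {
        "acl_drops_dns_reply": not stateless_acl(reply),          # collateral damage
        "stateful_passes_dns_reply": stateful.inbound(reply),     # matches the query
        "stateful_drops_flood": not any(stateful.inbound(p) for p in flood),
        "flood_passed_by_limiter": sum(limiter.allow(p, 0.0) for p in flood),  # burst only
    }
```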