On Wed, Jun 02, 2004 at 10:19:08AM -0600, Danny McPherson wrote:
> While I mostly agree with your sentiment, one minor detail..
> Based on recent observations of many folks, "spoofing is out of vogue". So much so that some recent discussions I've had with several folks lead me to believe that less than 1% of DDOS attacks today employ source address spoofing. As such, the value of techniques such as backscatter analysis and traceback decrease as well.
Nonsense... While many more attacks are non-forged (see: hacked Windows machines in giant DDoS botnets that don't care about hiding the origin because there are too many hosts to do anything about anyway) than they were in the past, forged source attacks still make up huge portions of the packets being thrown around. What people may be seeing is that poorly randomized source attacks are being automatically filtered by uRPF loose or other means before they ever reach the target. I keep track of my network border filter counters, and believe me, spoofed attacks are not going out of style, especially from foreign and certain smaller networks. As a customer of someone who does this kind of filtering and maintains sufficient border capacity, you may never see the gigabits of src bogons, protocol 0 or 255, port 0, 40 byte SYNs w/no MSS option, etc., and assume that these attacks are out of style because the only ones that get through are the WinXP MSS+SACK unforged drone SYNs.

-- 
Richard A Steenbergen <ras@e-gerbil.net>       http://www.e-gerbil.net/ras
GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F  CC1C 53AF 4C41 5ECA F8B1 2CBC)
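The border-filter heuristics listed in the reply above (source bogons, uRPF loose, protocol 0 or 255, port 0, and 40-byte SYNs carrying no MSS option) written out as an added Python example. This is not code from the thread or from anyone's router; the FIB and the bogon list are constructed, illustrative subsets (a real uRPF check consults the router's RIB and a real bogon feed is longer), and the sample packets are built inline so the classifier runs offline. The post does not say which signatures its filter actually matched beyond the ones named, so the classifier sticks to exactly those.

```python
"""Classify raw IPv4/TCP packets against the border-filter signatures named
in the post: bogon source, uRPF loose failure, IP protocol 0/255, TCP port 0,
and a 40-byte SYN with no MSS option. Added example; FIB and bogon list are
constructed assumptions, not a production feed."""
import ipaddress
import struct

# Constructed FIB for uRPF loose: a packet passes if ANY route covers its
# source address (reachability, not interface, is what loose mode checks).
FIB = [ipaddress.ip_network(p) for p in
       ("192.0.2.0/24", "198.51.100.0/24", "203.0.113.0/24", "8.0.0.0/8")]

# Illustrative subset of bogon / reserved space; an assumption for the example.
BOGONS = [ipaddress.ip_network(p) for p in
          ("0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
           "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4")]

# TCP options a typical unforged client SYN carries: MSS 1460, NOP, NOP, SACK-permitted.
MSS_SACK = b"\x02\x04\x05\xb4\x01\x01\x04\x02"

SYN, ACK = 0x02, 0x10


def urpf_loose_pass(src, fib=FIB):
    """uRPF loose: accept if some route in the FIB covers the source."""
    return any(src in net for net in fib)


def parse_ipv4(pkt):
    """Return the fields the filter needs from a raw IPv4 packet."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, total_len, _id, _frag, _ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return {"proto": proto, "total_len": total_len,
            "src": ipaddress.ip_address(src), "dst": ipaddress.ip_address(dst),
            "payload": pkt[ihl:total_len]}


def parse_tcp(seg):
    """Return ports, flags and the raw options bytes of a TCP segment."""
    sport, dport, _seq, _ack, off_flags, _win, _csum, _urg = \
        struct.unpack("!HHIIHHHH", seg[:20])
    doff = (off_flags >> 12) * 4
    return {"sport": sport, "dport": dport, "flags": off_flags & 0x1FF,
            "options": seg[20:doff]}


def tcp_has_mss(options):
    """Walk the TCP option list (kind, length, data) looking for kind 2 (MSS)."""
    i = 0
    while i < len(options):
        kind = options[i]
        if kind == 0:            # End of option list
            return False
        if kind == 1:            # NOP, single byte
            i += 1
            continue
        if i + 1 >= len(options) or options[i + 1] < 2:
            return False         # malformed option; treat as no MSS
        if kind == 2:
            return True
        i += options[i + 1]
    return False


def classify(pkt):
    """Return the list of filter signatures a packet matches ([] = clean)."""
    reasons = []
    ip = parse_ipv4(pkt)
    if any(ip["src"] in net for net in BOGONS):
        reasons.append("bogon-src")
    elif not urpf_loose_pass(ip["src"]):
        reasons.append("urpf-loose-fail")
    if ip["proto"] in (0, 255):
        reasons.append("proto-%d" % ip["proto"])
    if ip["proto"] == 6 and len(ip["payload"]) >= 20:
        tcp = parse_tcp(ip["payload"])
        if tcp["sport"] == 0 or tcp["dport"] == 0:
            reasons.append("port-0")
        syn_only = (tcp["flags"] & SYN) and not (tcp["flags"] & ACK)
        # 20-byte IP + 20-byte TCP with no options = the 40-byte SYN in the post.
        if syn_only and ip["total_len"] == 40 and not tcp_has_mss(tcp["options"]):
            reasons.append("syn-no-mss")
    return reasons


def build_packet(src, dst, proto=6, sport=40000, dport=80, flags=SYN, options=b""):
    """Construct a sample IPv4 packet (checksums left zero; not verified here)."""
    assert len(options) % 4 == 0, "TCP options must be padded to 32-bit words"
    tcp = b""
    if proto == 6:
        doff = (20 + len(options)) // 4
        tcp = struct.pack("!HHIIHHHH", sport, dport, 1, 0,
                          (doff << 12) | flags, 65535, 0, 0) + options
    total_len = 20 + len(tcp)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 1, 0x4000, 64, proto, 0,
                     ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    return ip + tcp


if __name__ == "__main__":
    samples = {
        "forged 40-byte SYN from RFC1918": build_packet("10.1.2.3", "203.0.113.5"),
        "unrouted source, normal options": build_packet("198.18.0.1", "203.0.113.5", options=MSS_SACK),
        "proto 255 from routed source": build_packet("192.0.2.10", "203.0.113.5", proto=255),
        "port 0 from routed source": build_packet("192.0.2.10", "203.0.113.5", dport=0, options=MSS_SACK),
        "WinXP-style MSS+SACK drone SYN": build_packet("192.0.2.10", "203.0.113.5", options=MSS_SACK),
    }
    for name, pkt in samples.items():
        print("%-36s %s" % (name, classify(pkt) or "pass"))
```

The last sample is the case the reply makes: a SYN from a routed, non-bogon source carrying MSS and SACK options matches none of the signatures and is exactly what a downstream customer sees after everything else has been dropped at the border, which is why counting only what arrives understates spoofing.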