I'd be one to argue that implementing egress filtering, as opposed to ingress filtering, would do more to stop DDoS attacks since one of the most crippling attacks uses forged valid source addresses to start the attack (smurf/fraggle). If you stop forged packets from leaving the offending networks (which you mention in your RFC, but only to say it's impractical to do both ingress and egress filtering and advocate ingress), the need to track attacks goes no farther than the people in Company X's dialup pool who are causing the CPU on the router to go up.

However, neither ingress nor egress filtering helps stop any of the latest "seen in the wild" DDoS attacks like trinoo, tribe, etc. because the floods are all unforged packets. Though they've been sketchy on details, it sounds like these or their descendants are the likely candidates for both Yahoo and Buy.com. Also, ingress filtering certainly doesn't help Tier3.net when their 4 inverse-muxed T1s are clogged with 20Mbps of traffic, forged or otherwise. Sure, the router is dropping the traffic like mad, but it's not going to help them unless their upstream will block the traffic as well once the attack starts. Egress filtering would stop the attack before it started if the traffic were forged. If it's just unforged traffic, you'd expect the attacking sites to notice the spike in bandwidth utilization and increased traffic flows from one or several machines to one destination, but that may be asking too much.

Unfortunately, the rush to .COM riches has brought with it a lot of people who have only half a clue as to what they're doing if we, as the Internet community, are lucky, making the Internet landscape even more dangerous with the amount of ignorance that's out there when it comes to security issues. It should also be said that some established educational institutions seem to be having issues stopping attacks like smurf and fraggle as well.
The media certainly isn't helping, classifying all DoS attacks as packet flooding attacks, which is not the case either, though all DDoS attacks are (if you're a journalist, please feel free to ask what the difference is; I'll be more than happy to explain it). I wish I could have made NANOG and the DDoS BoF session, but I was unable to attend due to employment issues.

--
Joseph W. Shaw - jshaw@insync.net
Computer Security Consultant and Programmer
Free UNIX advocate - "I hack, therefore I am."

On Tue, 8 Feb 2000, Paul Ferguson wrote:
Declan,
This is a very complex issue, and made the DDoS BoF last night even more lively. ;-)
Read RFC2267. More people should be doing it, and most of these silly problems will go away.
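The contrast the post draws, as an added example that is not part of the original message or of RFC 2267: an egress source-address check stops a smurf-style forged flood at the offending network, passes an unforged trinoo-style flood untouched, and only a per-destination flow spike catches the latter. It assumes a made-up prefix 198.51.100.0/24 for "Company X", 203.0.113.10 for the victim, and constructed packets.

```python
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample, not from the original post. Assumed prefix for the
# offending network ("Company X" in the post) and an assumed victim address.
COMPANY_X = ip_network("198.51.100.0/24")
VICTIM = "203.0.113.10"


def egress_filter(prefix, packets):
    """RFC 2267-style source-address check applied at the border where traffic
    LEAVES a network: a packet may exit only if its source lies inside the
    network's own prefix. Returns (forwarded, dropped)."""
    forwarded = [p for p in packets if ip_address(p["src"]) in prefix]
    dropped = [p for p in packets if ip_address(p["src"]) not in prefix]
    return forwarded, dropped


def flow_spike(packets, threshold):
    """The post's fallback for unforged floods: count packets per destination
    leaving the network and flag any destination above `threshold`."""
    per_dst = Counter(p["dst"] for p in packets)
    return {dst: n for dst, n in per_dst.items() if n > threshold}


# smurf-style: forged source (the victim) aimed at a broadcast address so the
# replies land on the victim. An egress filter at Company X drops these.
smurf = [{"src": VICTIM, "dst": "192.0.2.255"} for _ in range(5)]
# trinoo-style: unforged sources inside Company X flooding the victim directly.
# The egress filter cannot tell these from legitimate traffic.
trinoo = [{"src": f"198.51.100.{10 + i % 3}", "dst": VICTIM} for i in range(30)]
legit = [{"src": "198.51.100.7", "dst": "192.0.2.80"}]


def demo():
    fwd, drop = egress_filter(COMPANY_X, smurf + trinoo + legit)
    return {"forwarded": len(fwd), "dropped": len(drop),
            "spikes": flow_spike(fwd, 10)}


if __name__ == "__main__":
    print(demo())  # {'forwarded': 31, 'dropped': 5, 'spikes': {'203.0.113.10': 30}}
```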