On Jun 2, 2004, at 9:25 AM, Jon R. Kibler wrote:
The sad fact is that simple ingress and egress filtering would eliminate the majority of bogus traffic on the Internet -- including (D)DoS attacks. If all ISPs would simply drop all outbound packets whose source address is not a valid IP for the subnet of origin, and all inbound packets that do not have valid source IP addresses, the DDoS problem would be (for all intents and purposes) fixed. If proper filtering was done, then any DoS attacks would have to have either valid source IP addresses, or IP addresses that spoofed IPs within their network of origin. In either case, identifying and shutting down the attackers would become a greatly simplified task compared to the mess it is today.
Why no filtering by ISPs? "Because it takes resources and only benefits the other guy" -- unless your network is the one under attack.
Maintenance of the ACLs should not be the issue. A single ACL for each subnet would be all that would be required for egress filtering. About 30 ACLs on an inbound border router would be required for ingress filtering. Keeping the ingress ACLs current is a brain-dead task -- just subscribe to the bogon mailing list at cymru.com.
ACLs have had a bad reputation for greatly slowing down routers. That may have been true in the past, but properly written ACLs do not seem to have a significant impact on most new routers. Yes, they may cut peak through-put a few percent -- but if you are running that close to the edge, it is time to upgrade anyway.
IMHO, there is absolutely no excuse for not doing ingress and egress filtering. In fact, if you are an ISP, I would argue that you are negligent in your fiduciary responsibilities to your customers and shareholders if you are not filtering source IP addresses.
Fancy solutions may make great marketing, but simple proper router filtering is a very workable lower-cost solution.
(Step down from soap box.) At least, that's my $0.02 worth.
While I mostly agree with your sentiment, one minor detail.. Based on recent observations of many folks, "spoofing is out of vogue". So much so that some recent discussions I've had with several folks lead me to believe that less than 1% of DDOS attacks today employ source address spoofing. As such, the value of techniques such as backscatter analysis and traceback decrease as well. I suspect that [at least] the perception of wide-scale BCP 38/uRPF and the sheer size and firepower of botnets today has resulted in a very significant decline in source-spoofed attacks. Clever folks actually spoof within the local (sometimes classful) subnet, making it slightly more difficult to identify the concerned host (IF your traceback functions ever make it to the "true Internet ingress" segment where a host resides, which is more often than not unlikely). I suspect this is largely because we do such a poor job fixing compromised hosts that miscreants needn't worry much about losing significant portions of their botnets to traceback and cleanup - as Rob suggests, they're more concerned with losing them to other miscreants. This is also representative of the inversion in attack methods over the past several years (i.e., the inversion from TCP-SYN type stuff to raw UDP-fill-the-pipe style attacks). Nonetheless, ingress filtering certainly helps significantly. -danny