To move toward a positive direction ... Discuss the effect that widespread filtering against spoofed addresses would have on the current number of DDOS attacks. Why can't access router vendors be jawboned into providing anti-spoofing filters as a default configuration, or at least automate the process to eliminate spoofed addresses in the wild?

Have a logo like the Good Housekeeping seal for networks that filter on the egress. As Paul stated, demand it from peers. It is a pain. If the political will exists, it will be done. If the PR and marketing folks think it will increase sales, it will be done a lot faster.

--
Joseph T. Klein                         +1 414 915 7489
Senior Network Engineer                 jtk@titania.net
Adelphia Business Solutions             joseph.klein@adelphiacom.com

"... the true value of the Internet is its connectedness ..." -- John W. Stewart III
] Discuss the effect that widespread filtering against spoofed
] addresses would have on the current number of DDOS attacks.

I performed a statistical analysis of a collection of log files from one oft-targeted site. The data therein revealed that 68% of all the naughty packets contained obviously bogon source addresses (e.g. 127/8).

I wouldn't extrapolate this analysis to fit all sites. I see more than enough DoS attacks where the source is not spoofed. I do think such filtering would go a long way towards mitigating DDoS attacks.

--
Rob Thomas
http://www.cymru.com/~robt
cmn_err(CE_PANIC, "Out of coffee...");
Well, to sum it up in one sentence: if you eliminate the bogus addresses, you can then target the actual zombie machines used to attack the site and eventually eliminate the risk via patching or null-routing them. So filtering bogus addresses, non-routable addresses, and the addresses which do not belong to your net blocks would serve to combat the denial of service attacks.

Bill Larson
Network Administrator, Compu-Net Enterprises
Local: (931) 920-0043
Toll free: (877) 920-1429

----- Original Message -----
From: "Rob Thomas" <robt@cymru.com>
To: <nanog@merit.edu>
Sent: Thursday, July 12, 2001 12:03 PM
Subject: Re: DDOS prevention offensive.

> ] Discuss the effect that widespread filtering against spoofed
> ] addresses would have on the current number of DDOS attacks.
>
> I performed a statistical analysis of a collection of log files from one oft-targeted site. The data therein revealed that 68% of all the naughty packets contained obviously bogon source addresses (e.g. 127/8).
>
> I wouldn't extrapolate this analysis to fit all sites. I see more than enough DoS attacks where the source is not spoofed. I do think such filtering would go a long way towards mitigating DDoS attacks.
>
> --
> Rob Thomas
> http://www.cymru.com/~robt
> cmn_err(CE_PANIC, "Out of coffee...");
On Thu, 12 Jul 2001, Bill Larson wrote:

> Well, to sum it up in one sentence: if you eliminate the bogus addresses, you can then target the actual zombie machines used to attack the site and eventually eliminate the risk via patching or null-routing them. So filtering bogus addresses, non-routable addresses, and the addresses which do not belong to your net blocks would serve to combat the denial of service attacks.

I believe the attacks in question are actually non-spoofed. It's getting the source networks to remove the boxes that is the problem. Most of them are .edu.

--
Jason Slagle - CCNP - CCDP
Network Administrator - Toledo Internet Access - Toledo Ohio
raistlin@tacorp.net - jslagle@toledolink.com - WHOIS JS10172
ASCII Ribbon Campaign - NO HTML/RTF in e-mail - NO Word docs in e-mail
Interim Team Lead - Coders / Team Lead - Exploits
Admin - wombat.dal.net / DALnet IRC Network
On Thu, 12 Jul 2001, Bill Larson wrote:

> Well, to sum it up in one sentence: if you eliminate the bogus addresses, you can then target the actual zombie machines used to attack the site and eventually eliminate the risk via patching or null-routing them. So filtering bogus addresses, non-routable addresses, and the addresses which do not belong to your net blocks would serve to combat the denial of service attacks.

I'm going to go way out on a limb here and say:

1) I would prefer all attacks use spoofed sources ('cause I can track it across my net in 2 minutes)
2) So what if you track it back to 8000 compromised Windows machines?? What are you going to do?

OK, that said, think about this: today we have 1 or 2 or 3 spoofing boxes per attack (on average). If there are 8000 IIS boxes pinging one 64k ping per second, you can really rack up the bandwidth fast. There is a list of 8800 hosts on attrition.org that could very easily be used in this manner.

Do not believe that stopping spoofed sources will magically make DoS or DDoS go away; it won't. The only thing stopping spoofed packets will do is shift the attacks to larger networks of machines controlled through more intelligent channels...

-Chris
To clarify, what I intended to say was: if you filter all the IP addresses that do not belong to you from the Ethernet side of your router's outgoing traffic, the problems with spoofed or bogus IP addresses coming from your net blocks go away. If all Internet-connected entities did this, then this would make it possible to find the zombies and get the systems administrators to have them patched; failing that, the zombie machines could be null-routed. This would also assist in tracking down hackers, port scanners, and other criminal types who currently have free rein over your network with spoofed addresses.

Bill Larson
Network Administrator, Compu-Net Enterprises
Local: (931) 920-0043
Toll free: (877) 920-1429

----- Original Message -----
From: "Rob Thomas" <robt@cymru.com>
To: <nanog@merit.edu>
Sent: Thursday, July 12, 2001 12:03 PM
Subject: Re: DDOS prevention offensive.

> ] Discuss the effect that widespread filtering against spoofed
> ] addresses would have on the current number of DDOS attacks.
>
> I performed a statistical analysis of a collection of log files from one oft-targeted site. The data therein revealed that 68% of all the naughty packets contained obviously bogon source addresses (e.g. 127/8).
>
> I wouldn't extrapolate this analysis to fit all sites. I see more than enough DoS attacks where the source is not spoofed. I do think such filtering would go a long way towards mitigating DDoS attacks.
>
> --
> Rob Thomas
> http://www.cymru.com/~robt
> cmn_err(CE_PANIC, "Out of coffee...");
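An added example, written for this archive and not by any of the thread's authors: a small Python simulation of the egress filter Bill describes (drop outbound packets whose source address is not in your own net blocks, or is an obvious bogon such as 127/8) together with the kind of bogon-source share Rob computed from his logs. The prefixes, bogon list and log lines are constructed for the example.

```python
import ipaddress
from collections import Counter

# Assumed (constructed): the prefixes this network legitimately originates.
OUR_PREFIXES = [ipaddress.ip_network(p) for p in ("192.0.2.0/24", "198.51.100.0/24")]

# Bogon ranges that should never appear as a source on the public Internet
# (this-network, RFC 1918, loopback, link-local, multicast, reserved).
BOGONS = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
)]

def classify(src):
    """Return 'bogon', 'spoofed' (not one of ours) or 'ok' for an outbound source."""
    ip = ipaddress.ip_address(src)
    if any(ip in net for net in BOGONS):
        return "bogon"
    if not any(ip in net for net in OUR_PREFIXES):
        return "spoofed"
    return "ok"

def egress_filter(log_lines):
    """Apply the filter to 'src dst' lines; return (forwarded, dropped, counts)."""
    forwarded, dropped, counts = [], [], Counter()
    for line in log_lines:
        src = line.split()[0]
        verdict = classify(src)
        counts[verdict] += 1
        (forwarded if verdict == "ok" else dropped).append(line)
    return forwarded, dropped, counts

def bogon_share(counts):
    """Fraction of packets carrying a bogon source (the figure Rob reported)."""
    total = sum(counts.values())
    return counts["bogon"] / total if total else 0.0

# Constructed sample: outbound packets seen on the customer-facing side of a router.
SAMPLE_LOG = [
    "192.0.2.10 203.0.113.5",     # one of our addresses: forwarded
    "127.0.0.1 203.0.113.5",      # loopback as source: bogon, dropped
    "10.4.4.4 203.0.113.5",       # RFC 1918 source: bogon, dropped
    "203.0.113.77 203.0.113.5",   # someone else's prefix: spoofed, dropped
    "198.51.100.7 203.0.113.5",   # one of our addresses: forwarded
]

if __name__ == "__main__":
    fwd, drop, counts = egress_filter(SAMPLE_LOG)
    print(f"forwarded={len(fwd)} dropped={len(drop)} bogon share={bogon_share(counts):.0%}")
```

On a real router the same policy is expressed as an outbound ACL or unicast reverse-path check on the customer-facing interface; the script only shows what such a rule would let through.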