engineering --> ddos and flooding
Hey, this is a technical question for all of the Network Engineers/Architects on the list. Has a method been found to stop an incoming attack? Granted you can filter the packets to null on the router, but that doesn't stop them from coming across the wire and into the router. Has a way been devised to stop them from coming into the router; via something like a BGP update to null the packets or what? I'm concerned about a flood that is so massive coming from the core and flooding a small T1 or less. Thanks, Andrew --- <zerocool@netpath.net> http://www.andrewsworld.net/ ICQ: 2895251 Cisco Certified Network Associate Development Assistant: Netpath/Stratonet, Inc. (http://www.netpath.net/) Email: dorsett@netpath.net "Learn from the mistakes of others. You won't live long enough to make all of them yourself." -- Unknown "YEEEHA!!! What a CRASH!!!" -- Random System Administrator
There is some work going on in IETF (itrace) to trace these attacks back even w/ spoofed ips, etc.. There are currently no "poison" bgp updates you can send upstream to get them to blackhole the traffic. - Jared On Thu, May 31, 2001 at 05:59:18PM -0400, Andrew Dorsett wrote:
Hey, this is a technical question for all of the Network Engineers/Architects on the list. Has a method been found to stop an incoming attack? Granted you can filter the packets to null on the router, but that doesn't stop them from coming across the wire and into the router. Has a way been devised to stop them from coming into the router; via something like a BGP update to null the packets or what? I'm concerned about a flood that is so massive coming from the core and flooding a small T1 or less.
-- Jared Mauch | pgp key available via finger from jared@puck.nether.net clue++; | http://puck.nether.net/~jared/ My statements are only mine.
I'm going to reply to my own post here. I am thoroughly impressed. I sent the message out and in 10 minutes I had two replies. Keep the ideas coming, I will form up a general suggestion message and post it later. One thing to think about, I want a way to do it without having to call a NOC like Genuity and asking them to put in a filter, I want a way to do something about it at a lower level. Like multiple connections....Remember NOC calls take time because of hold times... Someone just told me (on here) that the IETF is working on something, anyone know how many more years it will take for that protocol? Thanks again, Andrew At 05:59 PM 5/31/2001, you wrote:
Hey, this is a technical question for all of the Network Engineers/Architects on the list. Has a method been found to stop an incoming attack? Granted you can filter the packets to null on the router, but that doesn't stop them from coming across the wire and into the router. Has a way been devised to stop them from coming into the router; via something like a BGP update to null the packets or what? I'm concerned about a flood that is so massive coming from the core and flooding a small T1 or less.
On Thu, 31 May 2001, Andrew Dorsett wrote:
I'm going to reply to my own post here. I am thoroughly impressed. I sent the message out and in 10 minutes I had two replies. Keep the ideas coming, I will form up a general suggestion message and post it later. One thing to think about, I want a way to do it without having to call a NOC like Genuity and asking them to put in a filter, I want a way to do something about it at a lower level.
If you think about what you're asking for in operational terms, what you want is the ability to get your upstream to allow you to install filters on their routers... That requires a great deal of trust, which is not likely to be forthcoming in the current environment.
Like multiple connections....Remember NOC calls take time because of hold times... Someone just told me (on here) that the IETF is working on something,
That was Jared
anyone know how many more years it will take for that protocol?
One of the observations I would make about your original question is that DoS attacks do not in this day and age typically originate in core networks but rather on tens or hundreds or thousands of edge network devices... your upstream is unlikely to have a good handle on the actual source of the attack (which in any case may be several locations); rather, it's far easier to characterize the target (you) and filter on that.
Thanks again, Andrew
At 05:59 PM 5/31/2001, you wrote:
Hey, this is a technical question for all of the Network Engineers/Architects on the list. Has a method been found to stop an incoming attack? Granted you can filter the packets to null on the router, but that doesn't stop them from coming across the wire and into the router. Has a way been devised to stop them from coming into the router; via something like a BGP update to null the packets or what? I'm concerned about a flood that is so massive coming from the core and flooding a small T1 or less.
-- -------------------------------------------------------------------------- Joel Jaeggli joelja@darkwing.uoregon.edu Academic User Services consult@gladstone.uoregon.edu PGP Key Fingerprint: 1DE9 8FCA 51FB 4195 B42A 9C32 A30D 121E -------------------------------------------------------------------------- It is clear that the arm of criticism cannot replace the criticism of arms. Karl Marx -- Introduction to the critique of Hegel's Philosophy of the right, 1843.
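Joel's point is that the source side of a flood is diffuse (many edge hosts, some of them spoofed) while the target side is easy to characterize, and Andrew's concern is that a filter on his own router is too late once the access link itself is full. The script below, added here as an illustration and not code from any poster, profiles a constructed one-second flow sample at the victim end, identifies the target by offered load, counts distinct and bogon-sourced senders, and states whether a destination-based filter can be applied locally or has to be requested upstream. The T1 rate, the short bogon list, the RFC 5737 documentation prefixes and every flow record are assumptions of the example.

```python
"""Profile an inbound flood at the victim end and decide where a filter must go.

Added example for the thread above; not code from any poster. All flow records
are constructed, and the bogon list is a deliberately short assumption.
"""
import ipaddress
from collections import Counter, defaultdict

T1_BPS = 1_544_000  # nominal T1 line rate in bits per second (assumed link)

# Assumption: a short bogon list; a real deployment would use a maintained one.
# A source inside these ranges cannot have been routed from the public Internet,
# so packets claiming it are spoofed.
BOGON_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
)]


def is_bogon(src):
    """True when the source address lies in unroutable space (likely spoofed)."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in BOGON_NETS)


def build_sample_flows():
    """Construct one second of flow records as seen at the victim's border.

    Each record is (src_ip, dst_ip, dst_port, proto, bytes). Twenty background
    flows go to 192.0.2.20; a 300-source flood hits 192.0.2.10 on tcp/80, with
    one third of its sources spoofed from RFC 1918 space. RFC 5737
    documentation prefixes stand in for real addresses.
    """
    flows = [(f"198.51.100.{i + 1}", "192.0.2.20", 443, "tcp", 1500)
             for i in range(20)]
    real = spoofed = 0
    for i in range(300):
        if i % 3 == 0:
            spoofed += 1
            src = f"10.0.0.{spoofed}"
        else:
            real += 1
            src = f"203.0.113.{real}"
        flows.append((src, "192.0.2.10", 80, "tcp", 700))
    return flows


def profile(flows, window_s=1.0):
    """Aggregate per destination: offered load, source diversity, spoofing."""
    acc = defaultdict(lambda: {"bytes": 0, "srcs": set(), "bogons": set(),
                               "services": Counter()})
    for src, dst, dport, proto, nbytes in flows:
        d = acc[dst]
        d["bytes"] += nbytes
        d["srcs"].add(src)
        if is_bogon(src):
            d["bogons"].add(src)
        d["services"][(proto, dport)] += 1
    return {
        dst: {
            "bps": d["bytes"] * 8 / window_s,
            "distinct_sources": len(d["srcs"]),
            "spoofed_sources": len(d["bogons"]),
            "top_service": d["services"].most_common(1)[0][0],
        }
        for dst, d in acc.items()
    }


def pick_target(report):
    """The destination drawing the most bits is the victim worth filtering on."""
    return max(report, key=lambda dst: report[dst]["bps"])


def offered_load_bps(report):
    """Total inbound load across all destinations, in bits per second."""
    return sum(r["bps"] for r in report.values())


def suggest_filter(report, link_bps=T1_BPS):
    """Derive a destination-based filter and say where it has to be applied.

    Source-based filtering is hopeless here (hundreds of sources, many of them
    spoofed); matching on the target service is short and stable. If the
    offered load already exceeds the access link, dropping at the customer
    router is too late: the filter has to sit on the upstream side.
    """
    target = pick_target(report)
    proto, port = report[target]["top_service"]
    return {
        "match": f"dst host {target} and {proto} dst port {port}",
        "apply_at": "upstream" if offered_load_bps(report) > link_bps else "local",
        "distinct_sources": report[target]["distinct_sources"],
        "spoofed_sources": report[target]["spoofed_sources"],
    }


if __name__ == "__main__":
    rep = profile(build_sample_flows())
    for dst, r in sorted(rep.items(), key=lambda kv: -kv[1]["bps"]):
        print(f"{dst:>12} {r['bps'] / 1e6:6.3f} Mbit/s "
              f"{r['distinct_sources']:4d} sources ({r['spoofed_sources']} spoofed)")
    print(suggest_filter(rep))
```

With the constructed sample the flood alone offers about 1.68 Mbit/s toward 192.0.2.10 from 300 sources, a third of them from unroutable space, so the suggested filter matches on the destination host and service and is marked for upstream application because the total exceeds the T1. Raising `link_bps` to a larger pipe flips the answer to "local", which is the whole difference between a flood a customer router can absorb and one only the upstream can stop.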
Steven Bellovin has been doing considerable and valuable work on a method called pushback. You can find a paper on this here: http://www.research.att.com/~smb/papers/pushback-impl.pdf He is a list member here and one of the real luminaries on IP security issues. Best regards, ==================== Geoff Zinderdine CCNP CCA MCP MTS Communications Inc. ==================== "I'd rather route than switch." ----- Original Message ----- From: "Andrew Dorsett" <zerocool@netpath.net> To: <nanog@merit.edu> Sent: Thursday, May 31, 2001 4:59 PM Subject: engineering --> ddos and flooding
Hey, this is a technical question for all of the Network Engineers/Architects on the list. Has a method been found to stop an incoming attack? Granted you can filter the packets to null on the router, but that doesn't stop them from coming across the wire and into the router. Has a way been devised to stop them from coming into the router; via something like a BGP update to null the packets or what? I'm concerned about a flood that is so massive coming from the core and flooding a small T1 or less.
Hot Diggety! Andrew Dorsett was rumored to have written:
Hey, this is a technical question for all of the Network Engineers/Architects on the list. Has a method been found to stop an incoming attack? Granted you can filter the packets to null on the router,
Part of the problem is that sources can be easily spoofed... or if not spoofed, coming in from so many actual machines at once (DDoS)... or both! Spoofed source is somewhat easier to handle with stuff like shortened timers for holding in an accept queue and constant queue flushes (amongst other techniques such as mathematical algorithms to detect bogus stuff) on a host machine. Mr. Steenbergen outlines a variety of practical approaches that can be done to ward off or minimize the damage of a [D]DoS attack at: http://www.e-gerbil.net/ras/projects/dos/dos.txt Some on victim end, some on ISP end, some on host end, some on network device end, and so forth.
but that doesn't stop them from coming across the wire and into the router. Has a way been devised to stop them from coming into the router; via something like a BGP update to null the packets or what? I'm concerned about a flood that is so massive coming from the core and flooding a small T1 or less.
Someone pointed out an interesting (and detailed) story about a nasty DDoS attack. It's unlike most others because the victim was a technically astute individual and quickly figured out contents of the traffic, the tools used, crafted a response, learned IRC on the fly, and so forth. He's indicated that he's working on a tool called Spoofarino. For the full story behind his detailed post-attack analysis: http://grc.com/dos/grcdos.htm Talks about the attacker, motivations, ISPs' now familiar variety in responses, the government, the law, technical analysis, and some more. That's Steve Gibson of Gibson Research -- should be a familiar name to quite a few folks in the PC industry. While it doesn't really directly answer your question... it's certainly some interesting food for thought. Kind of long reading, but can be read in 15 minutes. :) The story also certainly validates the other points made in this thread: a) the victim, being target of aggregated traffic, is best end to determine source and profile; b) relying on ISP cooperation to trace or stop an attack is difficult at best so any real improvements would need to be done through some protocol extension (or new protocol) to allow an individual to do some sort of end to end tracing or accountability. I, too, am much looking forward to the proposed standards to turn this kind of thing into a non-event. :) -Dan
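Dan mentions shortened hold timers and regular flushes of the accept queue as the host-end answer to spoofed SYNs. The model below, added here as an illustration and not code from the thread, steps a TCP listen backlog through a spoofed SYN flood and counts how many legitimate handshakes still complete under a long versus a short half-open hold timer. The backlog size, arrival rates, round-trip time and both timer values are assumptions chosen to make the effect visible; it is also worth keeping in mind that this only protects the host's accept queue and does nothing for the saturated T1 Andrew started the thread with.

```python
"""Model a listen backlog under a spoofed SYN flood with long vs short hold timers.

Added example for the point above; not code from the thread. The backlog size,
rates and timers are assumptions chosen to make the effect visible.
"""


def simulate_backlog(backlog_size, hold_ms, spoofed_per_s, legit_per_s,
                     rtt_ms, duration_s):
    """Millisecond-stepped model of a TCP listen backlog.

    A spoofed SYN's source never answers, so its half-open entry sits in the
    backlog until the hold timer (hold_ms) expires. A legitimate SYN completes
    its handshake after one round trip (rtt_ms) and leaves as an accepted
    connection. Any SYN arriving while the backlog is full is dropped.
    Returns (legitimate SYNs seen, legitimate connections accepted).
    """
    spoofed_every = 1000 // spoofed_per_s   # ms between spoofed SYNs
    legit_every = 1000 // legit_per_s       # ms between legitimate SYNs
    backlog = []                            # entries: (leave_at_ms, is_legit)
    legit_seen = legit_accepted = 0
    for t in range(duration_s * 1000):
        # Entries whose timer or handshake finished leave before new arrivals.
        leaving = [e for e in backlog if e[0] <= t]
        legit_accepted += sum(1 for _, is_legit in leaving if is_legit)
        backlog = [e for e in backlog if e[0] > t]
        if t % spoofed_every == 0 and len(backlog) < backlog_size:
            backlog.append((t + hold_ms, False))
        if t % legit_every == 0:
            legit_seen += 1
            if len(backlog) < backlog_size:
                backlog.append((t + rtt_ms, True))
    return legit_seen, legit_accepted


def compare_hold_timers(long_ms=30_000, short_ms=500):
    """Same flood, two hold timers; returns {timer_ms: (seen, accepted)}."""
    common = dict(backlog_size=128, spoofed_per_s=100, legit_per_s=5,
                  rtt_ms=50, duration_s=10)
    return {ms: simulate_backlog(hold_ms=ms, **common)
            for ms in (long_ms, short_ms)}


if __name__ == "__main__":
    for ms, (seen, ok) in compare_hold_timers().items():
        print(f"hold timer {ms:6d} ms: {ok}/{seen} legitimate connections accepted")
```

With a 128-entry backlog and 100 spoofed SYNs per second, a 30-second hold timer fills the backlog in well under two seconds and only the first 7 of 50 legitimate connections get through; a 500 ms timer keeps the spoofed occupancy near 50 entries, so all 50 complete. The lever is the product of spoofed arrival rate and hold time against backlog size, which is exactly what the shortened timers and queue flushes Dan describes are adjusting.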
participants (5)
- Andrew Dorsett
- Dan Foster
- Geoff Z
- Jared Mauch
- Joel Jaeggli