Firewall Wizards mailing list archives

Re: Recent Attacks


From: Crispin Cowan <crispin () wirex com>
Date: Thu, 24 Feb 2000 22:55:39 +0000

"Paul D. Robertson" wrote:

> On Thu, 24 Feb 2000, Crispin Cowan wrote:
> > > Long-term there are plenty of ways to protect from DDoS attacks, and some
> > > of them will even work.  It's the short- to mid-term that's the problem.
> > > However, I still think that trying to call network scanners akin
> > > to munitions when VCL isn't is lopsided.  Then again, I think the idiot
> > > who put a programming language into a word processor should be shot.
>
> > What long term methods would those be?  I have yet to hear a convincing proposal

I'll pick on these piece-wise, to see if we can reduce to a convincing solution.


> Out-of-band control channels,

This doesn't defend against DDoS attacks that are data requests instead of control
packets.


> end-to-end QoS,

Also won't stop attackers from flooding your pipe with requests.  In fact, it may
make it worse, as the attackers could spoof data requests that result in QoS
bandwidth allocations to spoofed clients, further choking the server's bandwidth.
QoS will have to be carefully tied to authentication, or else it just makes DDoS much
worse.


> traffic flow-based routing/flood control protocols,

I don't think I understand this proposal.


> authenticated gatewaying and/or redirection, authenticated routing,

All the authentication schemes have two problems:

   * you need a global PKI that works for everyone, which is, er, problematic :-)
   * it does not stop an attacker from flooding a machine with packets that fail
     authentication.  Authenticated routing moves the problem up-stream, which only
     helps somewhat.

> slow-start egress routing,

This needs to be globally deployed to be effective.  It is more or less equivalent to
saying "secure all Internet nodes", because the attacker could compromise an inside
node, and use it to change the egress filtering policy.

> upstream artificial clocking,

I don't understand this proposal.

So of the proposed solutions, I see some that won't work, some that will mitigate the
solution but not solve it, and some that I don't understand (my bad).  I have not yet
seen a complete solution that I understand.  The "I don't understand" ones are
largely lack of familiarity; I haven't read the proposals that Paul is referring to.

Crispin
-----
Crispin Cowan, CTO, WireX Communications, Inc.    http://wirex.com
Free Hardened Linux Distribution:                 http://immunix.org
                  JOBS!  http://immunix.org/jobs.html
