Firewall Wizards mailing list archives
Re: Stefan Savage : Hacking the TCP stack
From: "Steven M. Bellovin" <smb () research att com>
Date: Thu, 18 May 2000 19:46:29 -0400
In message <3922AA5C.984EA8A6 () mitre org>, "Frederick N. Chase" writes:
> "R. DuFresne" wrote:
>> Has anyone looked at the work described here:
>
> I've made a pass through the paper by Savage, Wetherall, Karlin and Anderson, which can be found at: http://www.cs.washington.edu/homes/savage/traceback.html. IMHO (which is not necessarily that of my employer), this is by far the most promising thing that's surfaced to date for addressing distributed denial-of-service.
>
> --It can be implemented without waiting for IPv6.
> --It can be phased in in a practical way.
> --It promises an effective solution to the first phase of traceback: finding the agent/daemon/zombies which are emitting the volumes of packets.
>
> The paper appears to be quite objective as to what can be expected. I think this should be given immediate thorough consideration by ISPs and router vendors.
First, IPv6 does nothing to address DDoS attacks. Second, there are a number of limitations to Savage's scheme (and at least two similar schemes that assorted folks are working on): they don't work with fragments, they don't work if AH is used (they diddle a field that AH protects), and they don't work with IPv6 (because there is no Id field in IPv6).

For an alternative, see http://www.research.att.com/~smb/papers/draft-bellovin-itrace-00.txt (also in your favorite Internet drafts directory). There was a BoF on it at the last IETF meeting; I expect that there will be a working group by the next meeting. To join the mailing list, send a note to majordomo () research att com with 'subscribe ietf-itrace' as the body.

--Steve Bellovin
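The fragment and AH limitations named in the reply follow directly from where Savage-style schemes put their marks: the 16-bit IPv4 Identification field, which fragment reassembly relies on and which AH's integrity check covers. The toy model below is an added illustration, not code from this thread, from Savage et al. or from Bellovin; it assumes a constructed four-router path, node-sampling marks (each router overwrites the ID field with its own tag with probability p), and a victim that ranks surviving tags by frequency. It shows the scheme recovering the path on ordinary traffic, recovering nothing when AH protects the field, and breaking reassembly when each fragment of one datagram is marked independently.

```python
import random
from collections import Counter

# Constructed toy model of probabilistic packet marking that overloads the
# IPv4 Identification field. Router tags and path are made up for the example.
ID_BITS_MASK = 0xFFFF                               # Identification is 16 bits
ATTACK_PATH = [0x0A01, 0x0A02, 0x0A03, 0x0A04]      # constructed tags, attacker -> victim


def router_mark(router_tag, packet, p, rng):
    """Node sampling: with probability p the router overwrites the ID field
    with its own 16-bit tag. A router must leave the field alone when an AH
    integrity check covers it (and IPv6 has no Identification field at all)."""
    if packet.get("ah_protected"):
        return packet
    if rng.random() < p:
        return dict(packet, ip_id=router_tag & ID_BITS_MASK)
    return packet


def forward(packet, path, p, rng):
    """Carry one packet through every router on the path, attacker end first."""
    for tag in path:
        packet = router_mark(tag, packet, p, rng)
    return packet


def new_packet(rng, ah=False):
    """A packet as the sender emits it, carrying an arbitrary ID of its own."""
    return {"ip_id": rng.randrange(ID_BITS_MASK + 1), "ah_protected": ah}


def reconstruct_path(received, candidates, min_fraction=0.01):
    """Victim side. The router nearest the victim marks last, so its tag
    survives most often; each earlier router's tag survives with geometrically
    smaller probability. Ranking surviving tags by count recovers the path,
    returned attacker-first to match ATTACK_PATH. Tags seen on fewer than
    min_fraction of packets are treated as noise, since an unmarked packet's
    own ID can collide with a tag by chance."""
    counts = Counter(pkt["ip_id"] for pkt in received)
    floor = min_fraction * len(received)
    seen = [(counts[tag & ID_BITS_MASK], tag) for tag in candidates
            if counts[tag & ID_BITS_MASK] >= floor]
    return [tag for _, tag in sorted(seen)]


def traceback_demo(n_packets=4000, p=0.5, ah=False, seed=1):
    """Send a flood along ATTACK_PATH and return the path the victim infers."""
    rng = random.Random(seed)
    received = [forward(new_packet(rng, ah), ATTACK_PATH, p, rng)
                for _ in range(n_packets)]
    return reconstruct_path(received, ATTACK_PATH)


def fragment(packet, n_frags):
    """Split one datagram into n_frags fragments that share its ID field."""
    return [dict(packet, frag_offset=i, more_fragments=i < n_frags - 1)
            for i in range(n_frags)]


def reassembles(fragments):
    """A receiver matches fragments of one datagram by (src, dst, proto, ID);
    only the ID varies here, so the datagram is whole only if every fragment
    still carries the same ID and the offsets form a complete set."""
    ids = {f["ip_id"] for f in fragments}
    offsets = sorted(f["frag_offset"] for f in fragments)
    last = max(fragments, key=lambda f: f["frag_offset"])
    return (len(ids) == 1 and offsets == list(range(len(fragments)))
            and not last["more_fragments"])


def fragment_survival_rate(n_datagrams=1000, n_frags=3, p=0.5, seed=1):
    """Fraction of fragmented datagrams the victim can still reassemble when
    each fragment is marked independently on its way through ATTACK_PATH."""
    rng = random.Random(seed)
    ok = 0
    for _ in range(n_datagrams):
        frags = [forward(f, ATTACK_PATH, p, rng)
                 for f in fragment(new_packet(rng), n_frags)]
        ok += 1 if reassembles(frags) else 0
    return ok / n_datagrams


if __name__ == "__main__":
    print("reconstructed path:", [hex(t) for t in traceback_demo()])
    print("path inferred from AH traffic:", traceback_demo(ah=True))
    print("fragmented datagrams reassembled, unmarked:", fragment_survival_rate(p=0.0))
    print("fragmented datagrams reassembled, marked:  ", fragment_survival_rate())
```

With marking off, every fragmented datagram reassembles; with p=0.5 most do not, because three fragments only stay matchable when they all happen to leave the path with the same tag or none. The AH case returns an empty path for the same reason the reply gives: a marking router that rewrote the field would make downstream AH verification fail, so it cannot mark at all.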