Re: New Internet-draft on DDOS defense...

[Daniel Senie <dts () senie com>]

Paul Ferguson wrote:
> How is this substantially different than RFC2644, "Changing
> the Default for Directed Broadcasts in Routers"?
>
>   http://www.ietf.org/rfc/rfc2644.txt
>
> - paul

He's suggesting a change in host stacks to not respond to
broadcast/multicast ICMP ECHO packets which originate outside of the
local IP subnet(s) known to a host's local interface(s).

I have some concerns with this draft. The proposed change does lower the
risk of damages if one system on a shared-media LAN is compromised, but
only for this one type of attack. It seems to me it'd be possible to
generate other types of packets which are broadcast/multicast which
could elicit an ICMP response, and such attacks are not something which
can be cured without breaking a lot of functionality. While ICMP ECHO
packets are a preferred mechanism today, they're far from the only types
of packets which are problematic.

Where RFC2644 prevents ALL types of directed broadcast traffic, this
draft will only have a useful impact on ICMP ECHO, and only in a limited
case. I have to question whether there's sufficient benefit here to
warrant opening up the IP stacks on end stations.

An alternative to the suggested approach is the use of packet filters on
end stations. For example, with Linux systems (and probably others)
ipchains can be used to filter the types of traffic a host will respond
to, regardless of what a border router or firewall ahead of it allows. I
generally advocate the use of such facilities where possible as it adds
an extra line of defense.

Rate limiting of certain types of traffic (e.g. ICMP) is also a way to
address the type of problem this draft is concerned with, and again is
capable of addressing all ICMP, rather than just ICMP ECHO/ECHO REPLY.

Overall impression of the draft: not a terrible idea, but unclear if
it's sufficiently beneficial to warrant the effort to implement.

Dan

> At 10:13 PM 05/10/2000 -0600, Vipul Shah wrote:
>
> > Hi All,
> >
> > I'd like to bring your attention to a recent Internet-draft.  The URL is:
> >
> > http://www.ietf.org/internet-drafts/draft-vshah-ddos-smurf-00.txt
> >
> > This draft proposes a specific (simple) change to RFC1122 which would
> > help reduce the use of Smurf amplification in DDOS attacks.  This is
> > augments ingress filtering; it is designed specifically for the case
> > where the attacker (source) is using broadcast on the local LAN as
> > part of a DDOS attack.  This is a case where ingress filtering does
> > not help.
> >
> > We are proposing that it be an addition to the standard set by
> > RFC1122.  We'd very much like to hear comments from people on this draft.
> >
> > Vipul


-- 
-----------------------------------------------------------------
Daniel Senie                                        dts () senie com
Amaranth Networks Inc.                    http://www.amaranth.com