nanog mailing list archives
Re: New Internet-draft on DDOS defense...
From: "Brett Frankenberger" <rbf () rbfnet com>
Date: Thu, 11 May 2000 18:10:13 -0500
----- Original Message ----- From: Vipul Shah <svipul () novell com>
I'd like to bring your attention to a recent Internet-draft. The URL
is:
http://www.ietf.org/internet-drafts/draft-vshah-ddos-smurf-00.txt This draft proposes a specific (simple) change to RFC1122 which would help reduce the use of Smurf amplification in DDOS attacks. This is augments ingress filtering; it is designed specifically for the case where the attacker (source) is using broadcast on the local LAN as part of a DDOS attack. This is a case where ingress filtering does not help.
The proposal suggests that hosts not respond to ICMP Echo broadcasts if
the source address is not within the same subnet as the workstation.
The rational is that even with "no ip directed-broadcast" (or it's
equivalent on non-Cisco routers), smurf attacks can still be launched by
a local machine on the local subnet (provided that there are no filters
in place to prevent forged source-addresses from that subnet).
Such an attack would only be useful where the aggregate bandwidth to the
Internet from the subnet of the compromised host is signifigantly larger
than the aggregate bandwidth to the Internet from the compromised host
itself. In the traditional case of a simple shared media ethernet, this
is obviously not the case -- rather than launching a "local smurf"
attack to generate 10Mbps worth of flooding, the attacker could simply
have the local machine generate 10 Mbps worth of flooding. In modern
networks, a switch of some sort is likely to be involved, so there is
some potential for amplification. However, given that the individual
devices in such an environment are likely to be attached with a minimum
of 100 Mbps Ethernet (and, assuming they are running a reasonable IP
stack, they should then be able to generate a minimum of, say, 80Mbps of
flooding), the cases where a "local smurf" would be beneficial to an
attacker are limited to sites with switched ethernet and OC-3 or better
connectivity. Experience has shown that such sites are not generally
problematic smurf amplifiers. (OC-3 is actually just a low end number.
Given that any such site is likely to have a lot of other traffic
competing for bandwidth, I think 25% is a good high end number for
maximum amplication effect you'd get. You'll need OC-12 or higher for
any serious level of amplification.)
I think the exposure that you seek to eliminate here is not an exposure
that is large enough to justify changing the behavior of host IP stacks.
-- Brett
Current thread:
- New Internet-draft on DDOS defense... Vipul Shah (May 10)
- Re: New Internet-draft on DDOS defense... Paul Ferguson (May 11)
- Re: New Internet-draft on DDOS defense... Daniel Senie (May 11)
- Re: New Internet-draft on DDOS defense... Paul Ferguson (May 11)
- Re: New Internet-draft on DDOS defense... Daniel Senie (May 11)
- Re: New Internet-draft on DDOS defense... Brett Frankenberger (May 11)
- Re: New Internet-draft on DDOS defense... Paul Ferguson (May 12)
- <Possible follow-ups>
- Re: New Internet-draft on DDOS defense... Vipul Shah (May 11)
- Re: New Internet-draft on DDOS defense... Brandon Ross (May 11)
- Re: New Internet-draft on DDOS defense... Vipul Shah (May 11)
- Re: New Internet-draft on DDOS defense... Vipul Shah (May 12)
- Re: New Internet-draft on DDOS defense... Jerry Scharf (May 12)
- Re: New Internet-draft on DDOS defense... Brandon Ross (May 12)
- Re: New Internet-draft on DDOS defense... Steven M. Bellovin (May 12)
- Re: New Internet-draft on DDOS defense... Owen DeLong (May 12)
- Re: New Internet-draft on DDOS defense... Vipul Shah (May 16)
(Thread continues...)
- Re: New Internet-draft on DDOS defense... Paul Ferguson (May 11)