nanog mailing list archives
Re: Is there a line of defense against Distributed Reflective attacks?
From: Kurt Erik Lindqvist <kurtis () kurtis pp se>
Date: Fri, 17 Jan 2003 17:29:44 +0100
Having researched this in-depth after reading a rather cursory article on the topic (http://grc.com/dos/drdos.htm), only two main methods come to my mind to protect against it.
There are a few more methods, some have already mentioned including something called pushback. Very few solutions, particularly elegant ones are widely deployed today. At some point, sophisticated (or even not so sophisticated) DoS attacks can be hard to distinguish between valid traffic, particularly if widely distributed and traffic is as valid looking as any other bit of traffic.
I have been thinking about this for a while due to a number of reasons. But if we look at the source of the attacks and the effects of the attacks, I would draw the conclusions that
a) Unless we fix the "end-system" faults that are used for exploits, the only way that will scale to handle attacks, is simply to make the victims redundant so that you can lose one and lose service for some customers so that you can provide service for the remaining customers.
b) In the short to medium term, the only strategy that will work is to sacrifice some parts of your service (or host, or customers - depending on your role and the type of attack / victim).
Even with the pushback model, the ordinary users will lose to some extent. So what would be needed would be a model where the loss of bandwidth for end-users is projected to the revenue numbers of the service being attacked. Right?
is a practical solution to an attack of this kind, what prevents its implementation? Lack of awareness, or other?
It is still fairly new and not widely deployed. Routers need not only to support it, but also have to be enabled to use it. It is a fairly significant change to the way congestion control is currently done in the Internet and it will take some time before penetration occurs.
Well, you also need to find another "way" (or buffer, or slowdown) to send the traffic, which in a way also is a successful attack.
to launch attacks. Eventually it all boils down to a physical security problem. Pricing models can be used to make it expensive
With physical security I would assume actual physical access to the system. Anything else to me is "logical" or "system" security. Correct?
- kurtis -