nanog mailing list archives
RE: FW: Re: Is there a line of defense against Distributed Reflective attacks?
From: "Ray Burkholder" <ray () oneunified net>
Date: Sun, 19 Jan 2003 13:14:54 -0500
This whole 'Internet Thing' is one of the wonders of the modern world. A public transport system that has handled growth easily and efficiently for many years. Some people get leisure from it, some make money from it, some do research on it, some communicate on it, .... It is one of the most pervasive things I've seen. Because of the Internet's inherent distributed nature, legislation will get you nowhere, and besides, legislation is the easy way out, and not very effective at that. Market forces and the golden rule (if that combo actually works, I'd be amazed) should drive the direction of this dynamic animal we call 'The Internet'. If we lived in Nirvana, the Internet would be a beautiful thing. But as we live in reality, we have to take the good with the bad. But overall, I think the Good is winning over the Bad. I say: Cool.

Ray Burkholder
-----Original Message-----
From: todd glassey [mailto:todd.glassey () worldnet att net]
Sent: January 19, 2003 12:02
To: Christopher L. Morrow; Stewart, William C (Bill), RTLSL
Cc: nanog () trapdoor merit edu
Subject: Re: FW: Re: Is there a line of defense against Distributed Reflective attacks?

You nor any of the ISPs may like this, but the facts of the matter are pretty clean and easily discerned, and they all point to the Governance Model for developing and releasing protocols whole cloth on the Internet, no matter what they enable people to do. It's time to take a close accounting of what this "Internet" thing really is and put some stronger legislation in place.

Todd Glassey

----- Original Message -----
From: "Christopher L. Morrow" <chris () UU NET>
To: "Stewart, William C (Bill), RTLSL" <billstewart () att com>
Cc: <nanog () trapdoor merit edu>
Sent: Friday, January 17, 2003 6:29 PM
Subject: Re: FW: Re: Is there a line of defense against Distributed Reflective attacks?

On Fri, 17 Jan 2003, Stewart, William C (Bill), RTLSL wrote:

> -----Original Message-----
> From: Stewart, William C (Bill), RTLSL
> Sent: Friday, January 17, 2003 5:35 PM
> To: 'nanog-post () trapdoor merit edu'
> Subject: Re: Is there a line of defense against Distributed Reflective attacks?
>
> Many of these attacks can be mitigated by ISPs that do anti-spoofing
> filtering on input - only accepting packets from user ports

Sure, but this is a proven non-scalable solution. HOWEVER, filtering as close to the end host is scalable and feasible... do it there, it makes MUCH more sense to do it there.

> that have IP addresses that are registered for that port, and not
> accepting incoming packets from outside their network that claim to
> be from inside (except maybe from registered dual-homed hosts.)
> This cuts down on many opportunities for forgery, and means that
> SYN Flood attacks have a much more limited set of addresses they can
> forge (e.g. an attacker or zombie can only impersonate other IPs
> sharing its /24 or /29, so it can't pretend to be its victim in a
> reflection or smurf attack.) That doesn't stop all reflection
> attacks; a zombie on a network that doesn't do anti-spoofing can send
> SYNs to a big server on a network that also doesn't anti-spoof, so
> the server will still SYN-ACK

It's not the 'server' that needs 'anti-spoof', it's the end host, the machine in your living room that is on a cable modem for instance... the server in this instance is a simple, innocent machine doing its business.

> to the victim. This cuts out a lot of potential zombie/server pairs.
> If the server that's being used for reflection is someone the victim
> would often talk to, that's a problem (you'd rather not block
> connections to Yahoo), but if it's someone the victim doesn't care
> about talking to (like router23.example.net) you don't mind blocking
> it. (Also, why is router23.example.net SYN-ACKing somebody it doesn't
> know?)

This is an interesting point. The routers shouldn't really SYN-ACK (in this example) BGP from 'unknown' places... unless you are a neighbor you get squat, or that would be a nice feature, eh? :) For some folks, the problems aren't confined to just BGP; telnet or ssh on routers are also problematic, vty ACLs are important :)

> But there are probably 20 million web servers or Kazaa or IM clients
> out there, and probably half of them are on networks that don't
> spoof-proof, so blocking those is much tougher than blocking the big
> ones. And next stop - reflection attacks using big domain servers...

Hmm, I'm not sure, again, that the spoof-proofing needs to be on the Kazaa server network; it needs to be on the network where the originating attacker is, preferably as close to that host as possible, like its default router... Now, the problems with 60 million Kazaa clients opening the floodgates on you are a whole 'nother problem :)
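The filter-placement argument in the quoted exchange, as an added illustration that is not part of any post on this page: a small Python model of the per-port anti-spoofing filter Bill Stewart describes, run against the zombie-to-server SYN/SYN-ACK reflection that Chris Morrow says must be stopped at the zombie's own edge router rather than at the server's network. The prefixes, host addresses and port names are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed topology (not from the thread): each access port on an edge router
# is registered to exactly one customer prefix, which is what the per-port filter needs.
PORT_PREFIXES = {
    "zombie-port": ipaddress.ip_network("198.51.100.0/29"),  # infected cable-modem host
    "server-port": ipaddress.ip_network("203.0.113.0/24"),   # innocent server that SYN-ACKs
}
ZOMBIE = ipaddress.ip_address("198.51.100.5")
SERVER = ipaddress.ip_address("203.0.113.80")
VICTIM = ipaddress.ip_address("192.0.2.10")  # on neither network

@dataclass(frozen=True)
class Packet:
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    flags: str  # "SYN" or "SYN-ACK"

def ingress_ok(port: str, pkt: Packet) -> bool:
    """Anti-spoofing on an access port: accept only sources registered for that port."""
    return pkt.src in PORT_PREFIXES[port]

def server_reply(syn: Packet) -> Packet:
    """The server answers every SYN with a SYN-ACK to whatever source address it saw."""
    return Packet(src=syn.dst, dst=syn.src, flags="SYN-ACK")

def reflect(claimed_src, filter_zombie_edge: bool, filter_server_edge: bool) -> Optional[ipaddress.IPv4Address]:
    """Simulate one SYN sent by the zombie host with source `claimed_src`.
    Returns the host that finally receives the SYN-ACK, or None if a filter dropped the flow."""
    syn = Packet(src=claimed_src, dst=SERVER, flags="SYN")
    # Filter at the zombie's default router: it inspects the zombie's own outbound packet.
    if filter_zombie_edge and not ingress_ok("zombie-port", syn):
        return None
    reply = server_reply(syn)
    # Filter at the server's router: it only sees the server's reply, whose source is
    # the server's real address, so it passes whether or not the SYN was spoofed.
    if filter_server_edge and not ingress_ok("server-port", reply):
        return None
    return reply.dst

def demo() -> dict:
    return {
        "no_filter": reflect(VICTIM, False, False),          # SYN-ACK lands on the victim
        "server_edge_only": reflect(VICTIM, False, True),    # still lands on the victim
        "zombie_edge": reflect(VICTIM, True, False),         # spoofed SYN dropped at source
        "legit_zombie_edge": reflect(ZOMBIE, True, True),    # honest traffic unaffected
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:18s} -> {result}")
```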