Penetration Testing mailing list archives
Re: DoS/DDoS Attack
From: Barrie Dempster <barrie () reboot-robot net>
Date: Thu, 20 Jan 2005 16:06:19 +0000
On Sat, 2005-01-15 at 12:03 -0500, Steven wrote:
> Would it not be safe to say that a large amount of this issue could be mitigated if ISPs and/or those links above them took a more responsible approach to packet handling? Wouldn't the whole issue (problem) of spoofed packets be handled if they were quashed at the start instead of the end? Perhaps I don't understand enough here, but it seems that initially routers/switches should have the capability to drop packets that could not have originated from their own network. If new equipment had the option to enforce this or had it automatically built in, would this not severely mitigate some of this issue? Is there a reason why spoofed packets should be able to make their way off a LAN and across the world?
You understand this fine. It's perfectly acceptable for an ISP to do this and it's not difficult to implement in their ACLs. Some ISPs do this already but they are a minority. IMO ISPs should do this as standard, but most won't.
> Perhaps this would only hold up so long until someone decided to make all DDoS spoof the packet from the same network but just a different host address. Then maybe it would be possible to have the first router check if the source address of the packet exactly matches where it is actually coming from somehow and not just that the network is valid.
Doesn't matter, if you can track it to the ISP then the ISP techs can monitor their network and see exactly where it's coming from. You couldn't bypass the protection in this way as, when you get to the source ISP, recognising the customer is trivial and then finding the specific box just takes time.
> Perhaps I just have a weak understanding of how this works and it cannot be solved so easily, but it appears that "some" of this is not so hard to stop. If what I have proposed is possible and not being implemented on a wide scale, then why isn't it?
> Steven
Simply because the public mostly doesn't care and the public are the customers. As more customers have trouble with this then the ISPs probably will make changes. Until then they don't see this as a financially beneficial measure.
With Regards..
Barrie Dempster (zeedo) - Fortiter et Strenue
http://www.bsrf.org.uk
[ gpg --recv-keys --keyserver www.keyserver.net 0x96025FD0 ]
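The filtering the thread is talking about (drop packets whose source address could not have arrived on the link they came in on) is the ingress filtering of BCP 38, usually implemented either as a per-customer ACL or as a strict reverse-path check against the routing table. The following is an added example, not code from the mailing list or from any of its posters. It uses a constructed routing table for a hypothetical ISP edge router with two customer links and an upstream, shows both the reverse-path form and the equivalent per-customer ACL (rendered in nftables syntax), and runs a handful of constructed packets through it, including Steven's follow-up case of a forged host address inside the customer's own block. Interface names, prefixes and packets are all made up for the illustration.

```python
"""Ingress (source-address) filtering at an ISP edge.

Added example, not code from the mailing list. The routing table, interface
names and packets are constructed. Two views of the same policy are shown:
 1. a strict reverse-path check on a tiny routing table, and
 2. the equivalent per-customer ACL in nftables syntax.
"""
import ipaddress

# Constructed table for a hypothetical ISP edge router: prefix -> interface
# through which that prefix is reached. Customer blocks use RFC 5737
# documentation ranges.
ROUTES = {
    "203.0.113.0/24": "cust-A",   # customer A's allocated block
    "198.51.100.0/26": "cust-B",  # customer B's allocated block
    "0.0.0.0/0": "upstream",      # default route towards the rest of the Internet
}


def longest_prefix_match(routes, addr):
    """Return (network, interface) of the most specific route covering addr, or None."""
    ip = ipaddress.ip_address(addr)
    best = None
    for prefix, iface in routes.items():
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best


def ingress_check(routes, ingress_iface, src_addr):
    """Strict reverse-path check on one packet.

    The packet is accepted only if the best route back to its *source* address
    points out of the interface it arrived on. Otherwise that source could not
    legitimately have come from this link and the packet is dropped.
    """
    match = longest_prefix_match(routes, src_addr)
    if match is None:
        return "drop"
    _, route_iface = match
    return "accept" if route_iface == ingress_iface else "drop"


def filter_packets(routes, packets):
    """Apply ingress_check to (ingress_iface, src_addr, dst_addr) tuples.

    Returns (verdict, ingress_iface, src_addr) per packet. The ingress interface
    is kept next to the verdict because it is what ties a packet to a customer
    link, even when the host part of the source is forged inside that
    customer's own block (the filter passes such a packet, but the link it
    arrived on still identifies the customer).
    """
    return [(ingress_check(routes, iface, src), iface, src) for iface, src, _dst in packets]


def ingress_acl_rules(routes, iface, table="inet filter", chain="forward"):
    """Render the same policy for one customer interface as nftables rules:
    permit the interface's own prefixes, then drop anything else arriving on it."""
    rules = []
    for prefix, route_iface in routes.items():
        net = ipaddress.ip_network(prefix)
        if route_iface == iface and net.prefixlen > 0:
            rules.append(f'nft add rule {table} {chain} iif "{iface}" ip saddr {net} accept')
    rules.append(f'nft add rule {table} {chain} iif "{iface}" drop')
    return rules


# Constructed packets: (interface the packet arrived on, source, destination)
SAMPLE_PACKETS = [
    ("cust-A", "203.0.113.10", "192.0.2.1"),       # genuine customer A host
    ("cust-A", "198.51.100.7", "192.0.2.1"),       # source forged from customer B's block
    ("cust-A", "192.0.2.99", "192.0.2.1"),         # source forged from an unrelated range
    ("cust-A", "203.0.113.200", "192.0.2.1"),      # forged host part inside A's own block:
                                                   # passes, but still attributed to cust-A
    ("upstream", "203.0.113.10", "198.51.100.1"),  # Internet side claiming our customer's address
    ("upstream", "192.0.2.99", "198.51.100.1"),    # ordinary inbound traffic
]

if __name__ == "__main__":
    for verdict, iface, src in filter_packets(ROUTES, SAMPLE_PACKETS):
        print(f"{verdict:6} iif={iface:8} src={src}")
    print("\n".join(ingress_acl_rules(ROUTES, "cust-A")))
```

The strict check is the right tool on customer-facing links, where routing is symmetric by construction. On peering or transit links, where the return path may legitimately differ from the arrival path, a strict check drops real traffic, which is why routers offer a loose mode there (source merely has to be routable at all). Note also what the fourth sample packet shows: a source forged inside the customer's own block is not stopped by the filter, exactly as Steven suspected, but it never leaves the set of addresses attributable to that customer link, which is Barrie's point.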