Firewall Wizards mailing list archives

Re: Stefan Savage : Hacking the TCP stack


From: "Steven M. Bellovin" <smb () research att com>
Date: Thu, 18 May 2000 19:46:29 -0400

In message <3922AA5C.984EA8A6 () mitre org>, "Frederick N. Chase" writes:


"R. DuFresne" wrote:

Has anyone looked at the work described here:




I've made a pass through the paper by
Savage, Wetherall, Karlin and Anderson,
which can be found at:
http://www.cs.washington.edu/homes/savage/traceback.html.


IMHO (which is not necessarily that of my employer),
this is by far the most promising thing that's surfaced to date
for addressing distributed denial-of-service.
--It can be implemented without waiting for IPv6.
--It can be phased in in a practical way.
--It promises an effective solution to the first phase of traceback:
 finding the agent/daemon/zombies which are
 emitting the volumes of packets.

The paper appears to be quite objective as to what can be expected.

I think this should be given immediate thorough consideration
by ISPs and router vendors.

First, IPv6 does nothing to address DDoS attacks.  Second, there are a 
number of limitations to Savage's scheme (and at least two similar 
schemes that assorted folks are working on):  they don't work with 
fragments, they don't work if AH is used (they diddle a field that AH 
protects), and they don't work with IPv6 (because there is no Id field 
in IPv6).  

For an alternative, see
http://www.research.att.com/~smb/papers/draft-bellovin-itrace-00.txt
(also in your favorite Internet drafts directory).  There was a BoF on 
it at the last IETF meeting; I expect that there will be a working 
group by the next meeting.  To join the mailing list, send a note to 
majorodomo () research att com with 'subscribe ietf-itrace' as the body.


                --Steve Bellovin
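Bellovin's AH point above, as an added worked example that is not from the thread or from either paper: AH's integrity check covers the IPv4 Identification field, so a router that overwrites it to carry a traceback mark makes verification fail at the receiver, while the ordinary per-hop TTL decrement does not. The key, addresses, SPI, sequence number and mark value are constructed; HMAC-SHA1-96 as in RFC 2404 is assumed.

```python
import hashlib
import hmac
import struct

# Constructed demo values; a real AH SA gets its key, SPI and sequence number from IKE.
KEY = b"constructed-demo-key"
SPI, SEQ = 0x1000, 1
PAYLOAD = b"constructed payload"
TOTAL_LEN = 20 + 24 + len(PAYLOAD)   # IPv4 header + AH (12 + 12-byte ICV) + payload

def ip_checksum(hdr):
    s = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return ~s & 0xFFFF

def ipv4_header(ident, ttl, proto=51):
    """20-byte IPv4 header without options; protocol 51 = AH; checksum filled in."""
    src, dst = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, TOTAL_LEN, ident, 0, ttl, proto, 0, src, dst)
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]

def ah_mask(ip_hdr):
    """RFC 2402 s3.3.3.1: zero the mutable IPv4 fields (TOS, flags/fragment offset, TTL,
    checksum) before computing the ICV. Identification (bytes 4-5) is immutable: it stays covered."""
    b = bytearray(ip_hdr)
    b[1] = 0
    b[6:8] = b"\x00\x00"
    b[8] = 0
    b[10:12] = b"\x00\x00"
    return bytes(b)

def ah_icv(ip_hdr, payload):
    """HMAC-SHA1-96 (RFC 2404) over masked IP header + AH header with ICV zeroed + payload."""
    ah = struct.pack("!BBHII", 17, 4, 0, SPI, SEQ) + bytes(12)  # next=UDP, payload len=(24/4)-2
    return hmac.new(KEY, ah_mask(ip_hdr) + ah + payload, hashlib.sha1).digest()[:12]

def ah_verify(ip_hdr, payload, icv):
    return hmac.compare_digest(ah_icv(ip_hdr, payload), icv)

def verifies_after_transit(ident_seen, ttl_seen):
    """Sender signs the packet with ID 0x1234 and TTL 64; the receiver verifies the header
    as it arrives. A plain hop only decrements TTL (mutable, masked): still verifies.
    A marking router that overwrites Identification (immutable, covered): ICV fails."""
    sent = ipv4_header(0x1234, 64)
    icv = ah_icv(sent, PAYLOAD)
    return ah_verify(ipv4_header(ident_seen, ttl_seen), PAYLOAD, icv)
```

`verifies_after_transit(0x1234, 63)` returns True and `verifies_after_transit(0xBEEF, 63)` returns False, which is the conflict Bellovin describes: any ID-field marking scheme deployed on a path carrying AH traffic shows up at the receiver as ICV failures.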
