Firewall Wizards mailing list archives

Re: DDOS Countermeasures RFC


From: Ryan Russell <ryan () securityfocus com>
Date: Wed, 31 Jan 2001 09:55:38 -0700 (MST)

On Wed, 31 Jan 2001, Gary Flynn wrote:

Spoofing only makes it harder to find the source. If there are
hundreds or thousands of compromised boxes in a similar number
of different organizations, it's still going to take time to
track down the sources and/or filter the offending addresses.

My comments are based on the premise that it will never be possible to
prevent machines getting owned, and being used to attack you in a DDoS
manner.  At least, I believe the task of getting all machines secure is
much, much harder than getting network admins to stop spoofing.  So, that
would make your best course of action be to track down the offenders, and
deal with it that way.  That's what has to be done now, with the added
difficulty that you have to track down spoofed source addresses.

Plus, we've needed antispoofing in place for years.  It's just with the
advent of DDoS attacks that we really, really need it.


Since the addresses aren't spoofed, I guess you could immediately
filter them but the effects on the filters on processor utilization
may in itself cause a DOS or at least degradation. Not sure. Probably
depends a lot on topology, type and frequency of packets, line speed,
and the device doing the filtering.

There is also the matter of entering a thousand attacking IP addresses
into the filter database :)


To be sure, even with the right IP addresses to block, you still have to
have a very understanding ISP.  But I imagine most ISPs would be much more
capable of blocking a list of real IPs than they would be at tracking down
spoofed IPs across the world.

                                                Ryan

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://www.nfr.com/mailman/listinfo/firewall-wizards
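As an added example, not part of the thread, here is a Python sketch of the two filters the exchange contrasts: an egress anti-spoofing check (a source address outside our own allocated prefixes cannot legitimately leave our network) and a drop list of real attacker addresses, collapsed into covering prefixes so that a thousand reported addresses need not become a thousand separate filter entries. All prefixes and addresses below are constructed documentation ranges.

```python
import ipaddress
from typing import Iterable, List

# Constructed: the prefixes "our" network was allocated (documentation ranges).
OUR_PREFIXES = [ipaddress.ip_network("192.0.2.0/24"),
                ipaddress.ip_network("198.51.100.0/25")]


def is_spoofed_egress(src: str, prefixes: Iterable[ipaddress.IPv4Network] = OUR_PREFIXES) -> bool:
    """Egress anti-spoofing rule: a packet leaving our network whose source
    address is not in any prefix we own must be spoofed and should be dropped.
    This is what lets a victim trace an attack back to a real network."""
    addr = ipaddress.ip_address(src)
    return not any(addr in net for net in prefixes)


def aggregate_blocklist(addrs: Iterable[str]) -> List[ipaddress.IPv4Network]:
    """Collapse individual attacking addresses into the fewest covering prefixes.
    Adjacent /32s merge (e.g. four consecutive hosts become one /30), which keeps
    the filter table, and the per-packet work, far smaller than raw addresses."""
    nets = [ipaddress.ip_network(a) for a in addrs]   # "a.b.c.d" -> a.b.c.d/32
    return list(ipaddress.collapse_addresses(nets))


class Blocklist:
    """Prefix-based drop list built from real (unspoofed) attacker addresses."""

    def __init__(self, addrs: Iterable[str]):
        self.prefixes = aggregate_blocklist(addrs)

    def should_drop(self, src: str) -> bool:
        addr = ipaddress.ip_address(src)
        return any(addr in net for net in self.prefixes)


# Constructed sample: four consecutive attackers plus one stray address.
ATTACKERS = ["203.0.113.0", "203.0.113.1", "203.0.113.2", "203.0.113.3", "198.18.0.9"]

if __name__ == "__main__":
    bl = Blocklist(ATTACKERS)
    print("filter entries:", len(bl.prefixes), [str(p) for p in bl.prefixes])
    print("drop 203.0.113.2:", bl.should_drop("203.0.113.2"))
    print("egress 203.0.113.5 spoofed:", is_spoofed_egress("203.0.113.5"))
```

The membership test is still a linear scan over prefixes; a production filter would use a radix tree, but aggregation alone already turns the "thousand addresses" problem into a much shorter table.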