Firewall Wizards mailing list archives
Re: DDOS Countermeasures RFC
From: Ryan Russell <ryan () securityfocus com>
Date: Wed, 31 Jan 2001 09:55:38 -0700 (MST)
On Wed, 31 Jan 2001, Gary Flynn wrote:
Spoofing only makes it harder to find the source. If there are hundreds or thousands of compromised boxes in a similar number of different organizations, it's still going to take time to track down the sources and/or filter the offending addresses.
My comments are based on the premise that it will never be possible to prevent machines getting owned, and being used to attack you in a DDoS manner. At least, I believe the task of getting all machines secure is much, much harder than getting network admins to stop spoofing. So, that would make your best course of action be to track down the offenders, and deal with it that way. That's what has to be done now, with the added difficulty that you have to track down spoofed source addresses. Plus, we've needed antispoofing in place for years. It's just with the advent of DDoS attacks that we really, really need it.
Since the addresses aren't spoofed, I guess you could immediately filter them, but the effect of the filters on processor utilization may in itself cause a DOS or at least degradation. Not sure. Probably depends a lot on topology, type and frequency of packets, line speed, and the device doing the filtering. There is also the matter of entering a thousand attacking IP addresses into the filter database :)
To be sure, even with the right IP addresses to block, you still have to have a very understanding ISP. But I imagine most ISPs would be much more capable of blocking a list of real IPs than they would be at tracking down spoofed IPs across the world.
Ryan
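The filter-size concern and the "list of real IPs" point in the message above both depend on how compactly non-spoofed sources can be written as prefixes. The following is an added example, not part of the original thread: it aggregates attacking addresses exactly, then merges neighbours to fit a device's entry budget and reports how many innocent addresses that costs. The names `build_filter`, `collateral` and `SAMPLE` are hypothetical, and the addresses are constructed from documentation ranges (IPv4 only).

```python
import ipaddress

# Constructed sample: attacking source addresses from documentation ranges.
SAMPLE = [
    "192.0.2.8", "192.0.2.9", "192.0.2.10", "192.0.2.11",
    "198.51.100.20", "198.51.100.21",
    "203.0.113.5", "203.0.113.200",
]

def common_supernet(a, b):
    """Smallest prefix that contains both networks."""
    sup = a
    while not b.subnet_of(sup):
        sup = sup.supernet()
    return sup

def build_filter(sources, max_entries):
    """Collapse real (non-spoofed) source IPs into at most max_entries prefixes.

    Exact aggregation comes first and blocks nothing extra. If the list is
    still too long for the filtering device, the two neighbouring entries
    with the most specific common supernet are merged, repeatedly.
    """
    nets = list(ipaddress.collapse_addresses(
        ipaddress.ip_network(s) for s in set(sources)))
    while len(nets) > max(1, max_entries):
        best = max((common_supernet(a, b) for a, b in zip(nets, nets[1:])),
                   key=lambda n: n.prefixlen)
        nets = list(ipaddress.collapse_addresses(nets + [best]))
    return nets

def collateral(nets, sources):
    """Addresses the filter blocks that were never seen attacking."""
    return sum(n.num_addresses for n in nets) - len(set(sources))

if __name__ == "__main__":
    # Shrinking the entry budget trades filter size for collateral blocking.
    for budget in (10, 3, 2):
        nets = build_filter(SAMPLE, budget)
        print(budget, [str(n) for n in nets], collateral(nets, SAMPLE))
```

With spoofed sources the input list itself would be meaningless, which is why the aggregation only helps once anti-spoofing is in place.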