nanog mailing list archives

Re: Is there a line of defense against Distributed Reflective attacks?


From: "Steven M. Bellovin" <smb () research att com>
Date: Sat, 18 Jan 2003 23:16:59 -0500


In message <Pine.GSO.4.44.0301182004040.16112-100000 () clifden donelan com>, Sean
 Donelan writes:

> On Sat, 18 Jan 2003, Steven M. Bellovin wrote:
> > theory, trace a single packet.  But the real problem with either idea
> > is this:  suppose that you know, unambiguously and unequivocally, that
> > 750 zombies are attacking you.  What do you do with that information?
>
> The reality is it's not 750 zombies, it's generally one person controlling
> 750 zombies attacking you.

Right -- and neither itrace nor hash-based tracing is going to solve 
that:


>   3) Find and convict the true attacker

Hash-based trace might help on that, *if* there was recording of the 
packets to the zombies.  But doing that ubiquitously might -- would? -- 
turn the Internet into a surveillance state.


>   2) Track and stop DDOS quickly when it does happen

That's the point of pushback.

> So how do we
>   1) Make end-user systems less vulnerable to being compromised

That's my real goal...

                --Steve Bellovin, http://www.research.att.com/~smb (me)
                http://www.wilyhacker.com (2nd edition of "Firewalls" book)
