nanog mailing list archives

Re: Level3 routing issues?


From: Iljitsch van Beijnum <iljitsch () muada com>
Date: Sun, 26 Jan 2003 13:48:50 +0100 (CET)


On Sat, 25 Jan 2003, K. Scott Bethke wrote:

> Keep in mind that these problems aren't from 'well behaved' hosts, and
> 'well behaved' hosts normally listen to ECN/tcp-window/Red/WRED....
> classic DoS attack scenario. :(

> I understand the evils, but are we really at the mercy of situations like
> this?  Of course we can firewall the common sense things ahead of time,

I don't think this one could have been reasonably firewalled using a
non-stateful firewall (such as a simple router access list): the port is
unprivileged so it will be used as a source port for regular UDP traffic
such as DNS queries. However, rate limiting UDP would have helped. This
is a reasonable thing to do for customers that have a lot of bandwidth
but don't run high-bandwidth UDP protocols.

> we can jump right in and block evil traffic when it happens, after it takes
> down our network but what sorts of things can we design into our networks
> today to help with these situations?

Rate limit everything you can rate limit, make sure your routers and
switches have enough CPU even if interfaces are saturated with
minimum-sized packets to random destinations. But this type of rDOS
(reversed denial of service) is easy: you can simply filter the
offending systems. If it's the other way around (DOS) there is not much
you can do.

To really solve this we need a mechanism for destination hosts to
authorize source hosts to send data in such a way that intermediate
routers/firewalls can check this authorization and drop unauthorized
packets.
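An added illustration, not from this post or its author, of the two filtering points made above: a stateless access list on an unprivileged UDP port also drops legitimate DNS replies to clients that picked that port as their ephemeral source, while a per-customer UDP rate limit bounds the flood without that collateral damage. The port number 5000, the addresses, packet sizes and rates are assumed placeholders, and the packet trace is constructed.

```python
import random
from collections import namedtuple

# One packet of a constructed UDP trace: t in seconds, size in bytes.
Pkt = namedtuple("Pkt", "t src sport dst dport size")

OFFENDING_PORT = 5000   # constructed placeholder for the unprivileged port
DNS_PORT = 53

def stateless_acl(pkts, port):
    """Plain router access list: drop everything to `port`. Having no memory
    of earlier packets, it also drops a DNS reply whose client chose `port`."""
    return [p for p in pkts if p.dport != port]

def udp_rate_limit(pkts, rate_bps, burst_bytes):
    """Per-source token bucket in bytes (a per-customer UDP rate limiter):
    refill at rate_bps up to burst_bytes; a packet passes only if tokens remain."""
    tokens, last, passed = {}, {}, []
    for p in sorted(pkts, key=lambda p: p.t):
        tok = tokens.get(p.src, burst_bytes)
        tok = min(burst_bytes, tok + (p.t - last.get(p.src, p.t)) * rate_bps)
        if tok >= p.size:
            tok -= p.size
            passed.append(p)
        tokens[p.src], last[p.src] = tok, p.t
    return passed

def build_trace(seed=1):
    """Constructed trace: one DNS exchange from 10.0.0.5 (ephemeral port equals
    OFFENDING_PORT), then 10.0.0.9 spraying 1000 packets in one second."""
    rng = random.Random(seed)
    pkts = [Pkt(0.00, "10.0.0.5", OFFENDING_PORT, "192.0.2.1", DNS_PORT, 60),
            Pkt(0.02, "192.0.2.1", DNS_PORT, "10.0.0.5", OFFENDING_PORT, 120)]
    for i in range(1000):
        dst = "198.51.100.%d" % rng.randrange(1, 255)   # documentation range
        pkts.append(Pkt(0.05 + i / 1000.0, "10.0.0.9", 1025 + i % 100,
                        dst, OFFENDING_PORT, 400))
    return pkts

def compare(rate_bps=64_000, burst_bytes=8_000):
    """Per approach: (did the DNS reply survive?, flood packets let through)."""
    trace = build_trace()
    out = {}
    for name, kept in (("acl", stateless_acl(trace, OFFENDING_PORT)),
                       ("ratelimit", udp_rate_limit(trace, rate_bps, burst_bytes))):
        out[name] = (any(p.src == "192.0.2.1" for p in kept),
                     sum(p.src == "10.0.0.9" for p in kept))
    return out
```

With the default 64 kB/s rate and 8 kB burst the flood source gets roughly 180 of its 1000 packets through and the DNS reply is untouched, whereas the access list drops the flood entirely but loses the reply as well.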
