nanog mailing list archives

Re: Real-Time Mitigation of Denial of Service Attacks Now Available With AT&T


From: "Alexei Roudnev" <alex () relcom net>
Date: Wed, 2 Jun 2004 22:46:26 -0700



Based on recent observations of many folks, "spoofing is out of vogue".
So much so that some recent discussions I've had with several folks
lead me to believe that less than 1% of DDOS attacks today employ
source address spoofing.  As such, the value of techniques such as
backscatter analysis and traceback decrease as well.
You should be right. If a hacker uses a distributed network of zombies to set up
a massive attack, he does not bother about revealing the originating address of
the packets (you can find a zombied machine, so what - he has a lot of them);
on the other hand, it is much simpler to program such an attack without
forging the src address.

SRC spoofing does not work through firewalls, and makes zombie detection very
simple on the originating side (for example, we log all packets with wrong SRC
addresses originating from our network ports in the INTRANET network).



I suspect that [at least] the perception of wide-scale BCP 38/uRPF and
the sheer size and firepower of botnets today has resulted in a very
significant decline in source-spoofed attacks.  Clever folks actually spoof
within the local (sometimes classful) subnet, making it slightly more difficult
to identify the concerned host (IF your traceback functions ever make
it to the "true Internet ingress" segment where a host resides, which
is more often than not unlikely).

I suspect this is largely because we do such a poor job fixing
compromised hosts that miscreants needn't worry much about losing
significant portions of their botnets to traceback and cleanup - as
Rob suggests, they're more concerned with losing them to other
miscreants.

This is also representative of the inversion in attack methods over the
past several years (i.e., the inversion from TCP-SYN type stuff to raw
UDP-fill-the-pipe style attacks).

Nonetheless, ingress filtering certainly helps significantly.

-danny
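The per-port check Alexei describes (log every packet whose source address cannot legitimately originate on that intranet port, i.e. BCP 38 ingress filtering), written out as an added Python example that is not from this thread. The port names, prefixes and flow records are constructed; the third sample record shows the in-subnet spoof Danny mentions, which such a filter cannot catch.

```python
import ipaddress
from collections import Counter

# Constructed: the prefixes that legitimately sit behind each ingress port.
# A BCP 38 / strict-uRPF filter accepts only these sources on that port.
INGRESS_PREFIXES = {
    "ge-0/0/1": [ipaddress.ip_network("192.0.2.0/24")],
    "ge-0/0/2": [ipaddress.ip_network("198.51.100.0/25"),
                 ipaddress.ip_network("198.51.100.128/25")],
}


def ingress_check(port, src):
    """True if src may originate on port; unknown ports accept nothing."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in INGRESS_PREFIXES.get(port, []))


def audit(records):
    """Classify (port, src, dst) records.

    Returns the records that fail the ingress check (what Alexei logs) and a
    per-port count, which points at the port a zombie is sitting behind.
    """
    spoofed = []
    per_port = Counter()
    for port, src, dst in records:
        if not ingress_check(port, src):
            spoofed.append((port, src, dst))
            per_port[port] += 1
    return spoofed, per_port


# Constructed sample flow records: (ingress port, source, destination).
SAMPLE = [
    ("ge-0/0/1", "192.0.2.10", "203.0.113.5"),     # legitimate
    ("ge-0/0/1", "203.0.113.77", "203.0.113.5"),   # source outside the port's prefix
    ("ge-0/0/1", "192.0.2.250", "203.0.113.5"),    # in-subnet spoof: passes the filter
    ("ge-0/0/2", "198.51.100.200", "203.0.113.5"), # legitimate
    ("ge-0/0/2", "10.0.0.1", "203.0.113.5"),       # RFC 1918 source on a customer port
]

if __name__ == "__main__":
    bad, counts = audit(SAMPLE)
    for rec in bad:
        print("SPOOFED src on %s: %s -> %s" % rec)
    print(dict(counts))
```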



