Penetration Testing mailing list archives

Re: DoS/DDoS Attack

From: Rogan Dawes <discard () dawes za net>
Date: Mon, 17 Jan 2005 17:33:24 +0100

Steven wrote:

Would it not be safe to say that a large amount of this issue could bemitigated if ISPs and/or those links above them took a more responsibleapproach to packet handling? Wouldn't the whole issue (problem) ofspoofed packets be handled if they were quashed at the start instead ofthe end? Perhaps I don't understand enough here, but it seems thatinitially routers/switches should have the capability to drop packetsthat could not have originated from their own network. If new equipmenthad the option to enforce this or had it automatically built in, wouldthis not severely mitigate some of this issue? Is there a reason whyspoofed packets should be able to make their way off a LAN and acrossthe world?
Perhaps this would only hold up so long until someone decided to makeall DDoS spoof the packet from the same network but just a differenthost address. Then maybe it would be possible to have the first routercheck if the source address of the packet exactly matches where it isactually coming from some how and not just that the network is valid.
Perhaps I just have a weak understanding of how this works and it cannotbe solved so easily, but it appears that if that "some" of this is notso hard to stop. If what I have proposed is possibly and not beingimplemented on a wide scale, then why isn't it?
Steven

What you are talking about is called (in Cisco terms, anyway) ReversePath Forwarding, and, in my opinion, should be used by ALL ISP's ontheir access routers. Basically, if the router receives a packet, andits routing tables do not show a return path going out the sameinterface it came in on, it drops the packet.

Unfortunately, it is not feasible to use something like this on internalrouters, because it fails wherever asymmetric routing is being used. Butfor the first hop from the customer to the ISP, I think that it isentirely feasible to enable something like this.


For details, see http://www.cisco.com/warp/public/707/21.html#anti_spoofing

Rogan
--
Rogan Dawes

*ALL* messages to discard () dawes za net will be dropped, and added
to my blacklist. Please respond to "lists AT dawes DOT za DOT net"

Current thread:

DoS/DDoS Attack, (continued)
- - - DoS/DDoS Attack Faisal Khan (Jan 14)
    - Re: DoS/DDoS Attack Nazareno Vicente Feito (Jan 14)
    - Message not available
    - Re: DoS/DDoS Attack seditiosus (Jan 14)
    - Re: DoS/DDoS Attack Steve Friedl (Jan 15)
    - Re: DoS/DDoS Attack Alexander Klimov (Jan 15)
    - RE: DoS/DDoS Attack Alex R (Jan 15)
    - RE: DoS/DDoS Attack Edward Sohn (Jan 14)
    - Message not available
    - RE: DoS/DDoS Attack Faisal Khan (Jan 15)
    - Re: DoS/DDoS Attack Erik A. Onnen (Jan 17)
    - Re: DoS/DDoS Attack Steven (Jan 17)
    - Re: DoS/DDoS Attack Rogan Dawes (Jan 17)
    - RE: DoS/DDoS Attack Jerry Shenk (Jan 20)
    - Re: DoS/DDoS Attack Barrie Dempster (Jan 20)
    - Re: DoS/DDoS Attack Peter Van Epp (Jan 14)
    - Re: DoS/DDoS Attack Rainer Duffner (Jan 14)
    - RE: Windows based DoS Tools? Jerry Shenk (Jan 11)
    - RE: Windows based DoS Tools? mike (Jan 11)
    - Re: Windows based DoS Tools? Matt Bellizzi (Jan 11)
    - Re: Windows based DoS Tools? Thomas F. Parham Jr. (Jan 11)