Penetration Testing mailing list archives

Re: DoS/DDoS Attack

From: Barrie Dempster <barrie () reboot-robot net>
Date: Thu, 20 Jan 2005 16:06:19 +0000

On Sat, 2005-01-15 at 12:03 -0500, Steven wrote:

Would it not be safe to say that a large amount of this issue could be 
mitigated if ISPs and/or those links above them took a more responsible 
approach to packet handling?  Wouldn't the whole issue (problem) of spoofed 
packets be handled if they were quashed at the start instead of the end? 
Perhaps I don't understand enough here, but it seems that initially 
routers/switches should have the capability to drop packets that could not 
have originated from their own network.  If new equipment had the option to 
enforce this or had it automatically built in, would this not severely 
mitigate some of this issue?  Is there a reason why spoofed packets should 
be able to make their way off a LAN and across the world?


You understand this fine. It's perfectly acceptable for an ISP to do
this and it's not difficult to implement in their ACLs. Some ISP's do
this already but they are a minority. IMO ISP's should do this as
standard, but most wont.

Perhaps this would only hold up so long until someone decided to make all 
DDoS spoof the packet from the same network but just a different host 
address.  Then maybe it would be possible to have the first router check if 
the source address of the packet exactly matches where it is actually coming 
from some how and not just that the network is valid.


Doesn't matter, if you can track it to the ISP then the ISP techs can
monitor their network and see exactly where it's coming from. You
couldn't bypass the protection in this way as, when you get to the
source ISP, recognising the customer is trivial and then finding the
specific box just takes time.

Perhaps I just have a weak understanding of how this works and it cannot be 
solved so easily, but it appears that if that "some" of this is not so hard 
to stop.  If what I have proposed is possibly and not being implemented on a 
wide scale, then why isn't it?
Steven


Simply because the public mostly doesn't care and the public are the
customers. As more customers have trouble with this then the ISPs
probably will make changes. Until then they don't see this as a
financially beneficial measure.

With Regards..
Barrie Dempster (zeedo) - Fortiter et Strenue

  http://www.bsrf.org.uk

[ gpg --recv-keys --keyserver www.keyserver.net 0x96025FD0 ]

Attachment: signature.asc
Description: This is a digitally signed message part

Current thread:

Re: DoS/DDoS Attack, (continued)
- - - Message not available
    - Re: DoS/DDoS Attack seditiosus (Jan 14)
    - Re: DoS/DDoS Attack Steve Friedl (Jan 15)
    - Re: DoS/DDoS Attack Alexander Klimov (Jan 15)
    - RE: DoS/DDoS Attack Alex R (Jan 15)
    - RE: DoS/DDoS Attack Edward Sohn (Jan 14)
    - Message not available
    - RE: DoS/DDoS Attack Faisal Khan (Jan 15)
    - Re: DoS/DDoS Attack Erik A. Onnen (Jan 17)
    - Re: DoS/DDoS Attack Steven (Jan 17)
    - Re: DoS/DDoS Attack Rogan Dawes (Jan 17)
    - RE: DoS/DDoS Attack Jerry Shenk (Jan 20)
    - Re: DoS/DDoS Attack Barrie Dempster (Jan 20)
    - Re: DoS/DDoS Attack Peter Van Epp (Jan 14)
    - Re: DoS/DDoS Attack Rainer Duffner (Jan 14)
    - RE: Windows based DoS Tools? Jerry Shenk (Jan 11)
    - RE: Windows based DoS Tools? mike (Jan 11)
    - Re: Windows based DoS Tools? Matt Bellizzi (Jan 11)
    - Re: Windows based DoS Tools? Thomas F. Parham Jr. (Jan 11)