To move toward a positive direction ...
Discuss the effect that widespread filtering against spoofed
addresses would have on the current number of DDoS attacks.
Why can't access router vendors be jawboned into providing anti-spoofing
filters as a default configuration, or at least automate the process to
eliminate spoofed addresses in the wild?
Have a logo, like the Good Housekeeping seal, for networks that filter
on the egress.
As Paul stated, demand it from peers.
It is a pain. If the political will exists, it will be done. If the
PR and marketing folks think it will increase sales, it will be done
a lot faster.
] Discuss the effect that widespread filtering against spoofed
] addresses would have on the current number of DDoS attacks.
I performed a statistical analysis of a collection of log files
from one oft-targeted site. The data therein revealed that 68%
of all the naughty packets contained obviously bogon source
addresses (e.g. 127/8).
I wouldn't extrapolate this analysis to fit all sites. I see
more than enough DoS attacks where the source is not spoofed. I
do think such filtering would go a long way towards mitigating
DDoS attacks.
Well, to sum it up in one sentence: if you eliminate the bogus addresses, you
can then target the actual zombie machines used to attack the site and
eventually eliminate the risk via patching or null-routing them. So filtering
bogus addresses, non-routable addresses, and addresses that do not
belong to your net blocks would serve to combat denial of service
attacks.
Bill Larson
Network Administrator, Compu-Net Enterprises
Local: (931) 920-0043
Toll free: (877) 920-1429
I believe the attacks in question are actually non-spoofed.
It's getting the source networks to remove the boxes that is the
problem. Most of them are .edu.
To clarify, what I intended to say was: if you filter all the IP addresses
that do not belong to you from the Ethernet side of your router's outgoing
traffic, the problems with spoofed or bogus IP addresses coming from your
net blocks go away. If all Internet-connected entities did this, then it
would be possible to find the systems administrators and get
the zombies patched; failing that, the zombie machines could be null-routed.
This would also assist in tracking down hackers, port scanners, and other
criminal types who currently have free rein over your network with spoofed
addresses.
Bill Larson
Network Administrator, Compu-Net Enterprises
Local: (931) 920-0043
Toll free: (877) 920-1429
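The two ideas above, the bogon count over a targeted site's logs and an egress filter that only lets a site's own addresses out, as an added illustration that is not code from anyone in this thread. The netblocks, bogon list and log lines are constructed for the example; the bogon list is illustrative, not a complete one.

```python
import ipaddress
import re
from collections import Counter

# Hypothetical address space of "our" site (constructed for this example).
OUR_NETBLOCKS = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "198.51.100.0/24")]

# Source ranges that should never appear on the wire; 127/8 is the one named
# in the thread. Illustrative subset, not an exhaustive bogon list.
BOGONS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4")]

def classify(src, our_netblocks=OUR_NETBLOCKS):
    """Return 'bogon' (never valid), 'ours' (in our blocks) or 'foreign'."""
    addr = ipaddress.ip_address(src)
    if any(addr in net for net in BOGONS):
        return "bogon"
    if any(addr in net for net in our_netblocks):
        return "ours"
    return "foreign"

def egress_verdict(src, our_netblocks=OUR_NETBLOCKS):
    """Egress rule on the outgoing interface: only our own addresses may leave."""
    return "permit" if classify(src, our_netblocks) == "ours" else "drop"

SRC_RE = re.compile(r"\bSRC=(\S+)")

def tally_sources(log_text, our_netblocks=OUR_NETBLOCKS):
    """Count packet-filter log lines by source class (the analysis in the thread)."""
    return Counter(classify(m.group(1), our_netblocks)
                   for m in SRC_RE.finditer(log_text))

def bogon_fraction(log_text, our_netblocks=OUR_NETBLOCKS):
    """Share of logged packets whose source address is a bogon."""
    counts = tally_sources(log_text, our_netblocks)
    total = sum(counts.values())
    return counts["bogon"] / total if total else 0.0

# Constructed packet-filter log from a targeted host inside 192.0.2.0/24.
SAMPLE_LOG = """\
IN=eth0 SRC=127.0.0.1 DST=192.0.2.10 PROTO=ICMP
IN=eth0 SRC=10.1.2.3 DST=192.0.2.10 PROTO=ICMP
IN=eth0 SRC=203.0.113.77 DST=192.0.2.10 PROTO=ICMP
IN=eth0 SRC=224.0.0.9 DST=192.0.2.10 PROTO=ICMP
IN=eth0 SRC=198.51.100.5 DST=192.0.2.10 PROTO=ICMP
"""

if __name__ == "__main__":
    print(tally_sources(SAMPLE_LOG), bogon_fraction(SAMPLE_LOG))
```

Note that a spoofed but globally routable source (203.0.113.77 above) passes the bogon check; only the egress filter at the originating network, where that address is "foreign", catches it.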
I'm going to go way out on a limb here and say:
1) I would prefer all attacks use spoofed sources ('cause I can track it
across my net in 2 minutes)
2) So what if you track it back to 8000 compromised Windows
machines? What are you going to do?
OK, that said, think about this: today we have 1 or 2 or 3 spoofing boxes
per attack (on average), if there are 8000 IIS boxes pinging one 64k ping
per second you can really rack up the bandwidth fast. There is a list of
8800 hosts on attrition.org that could very easily be used in this
manner. Do not believe that stopping spoofed sources will magically make
DoS or DDoS go away, it won't. The only thing stopping spoofed packets
will do is shift the attacks to larger networks of machines controlled
through more intelligent channels...
-Chris