A fundamental effect of spoofing addresses from your local subnet is
that when the packets reach their target, the source addresses are
meaningful. I realize that the traceability of these packets has
already been mentioned, but I want to point out the profound difference
between a DDoS attack with meaningful vs. meaningless source addresses.
I'm confused.. it's still a DoS attack, eh??
It's the difference between:
A) Going out to your car at the end of a too-long day and finding a
broken taillight.
B) Going out to your car at the end of a too-long day and finding a
broken taillight and a business card under the windshield wiper that
has "Sorry - call me and I'll pay for it" written on the back.
I think the spoofed source filtering is more a red herring than anything
else. It's not the fix for anything related to this problem of attacks on
the internet. Spoofed or non, I can forward 1,000,000 pps at your network and
it will die (most times).
This is like trying to fix a rotten decayed tooth with trident.
It is better than not having it but we should not get our hopes up that DOS attacks would stop. Remember when 60% of the Internet mail servers were open mail relays? We all thought closing them up would stop spam. Today it is less than 1% but I would say that the amount of spam has not dropped proportionally. See:
http://www.nwfusion.com/columnists/2002/1014buzz.html
for reference.
-Hank
analogy games are fun, but it boils down to this... If I know the real
source of an attack, I can stop it within minutes. I'm sure that my
customers appreciate that fact. No one will ever completely stop attacks, the
point is to minimize their impact. that is my concern as a service provider.
also, from the victim's perspective, you have someone to hold accountable.
Charles
> analogy games are fun, but it boils down to this... If I know the real
> source of an attack, I can stop it within minutes. I'm sure that my
> customers appreciate that fact. No one will ever completely stop attacks, the
> point is to minimize their impact. that is my concern as a service provider.
> also, from the victim's perspective, you have someone to hold accountable.
again, spoofed or non, at the egress to the customer you just need to make
the traffic stop. Whether they are spoofed isn't an issue.
> I think the spoofed source filtering is more a red herring than anything
> else. It's not the fix for anything related to this problem of attacks on
> the internet. Spoofed or non, I can forward 1,000,000 pps at your network and
> it will die (most times).
I agree, but
> This is like trying to fix a rotten decayed tooth with trident.
Wouldn't you rather the dentist know which tooth to drill, instead of
randomly drilling all of of your teeth hoping to get the cavity?
I can pretty much predict, after source address validation becomes
widely used someone will come up with the idea of blackholing attacking
hosts. Of course, since many of these systems use DHCP, the zombies will
just release and get new addresses.
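The two mechanisms argued over above, source address validation on the customer-facing port and blackholing of attacking hosts, are small enough to model directly. The following is an added example, not code from anyone in this thread: it applies the ingress rule "only forward packets whose source is inside the prefix assigned to this port", shows what the victim's top-talker list looks like afterwards, and then demonstrates the DHCP caveat, where a blackhole entry keyed on a single address stops matching once the zombie re-leases. The prefix, addresses and packets are constructed sample data from the RFC 5737 documentation ranges.

```python
"""Added example: ingress filtering on a customer port plus a per-address
blackhole list, using constructed sample data (not real infrastructure)."""
import ipaddress
from collections import Counter

# Hypothetical customer port: the provider assigned this prefix to the customer.
CUSTOMER_PREFIX = ipaddress.ip_network("192.0.2.0/24")

# Constructed sample packets arriving on the customer-facing interface:
# (source address, destination address)
SAMPLE_PACKETS = [
    ("192.0.2.10", "198.51.100.5"),   # legitimate: source inside customer prefix
    ("192.0.2.77", "198.51.100.5"),   # legitimate
    ("203.0.113.9", "198.51.100.5"),  # spoofed: source not assigned to this port
    ("10.0.0.1", "198.51.100.5"),     # spoofed: private address
    ("192.0.2.10", "198.51.100.5"),   # legitimate (second packet from .10)
]


def ingress_filter(packets, allowed_prefix):
    """Return (forwarded, dropped): forward only packets whose source lies
    inside the prefix assigned to this interface, drop everything else."""
    forwarded, dropped = [], []
    for src, dst in packets:
        if ipaddress.ip_address(src) in allowed_prefix:
            forwarded.append((src, dst))
        else:
            dropped.append((src, dst))
    return forwarded, dropped


def top_sources(packets, n=3):
    """What the victim sees: a count of source addresses of arriving packets.
    After ingress filtering, every address listed here is one the upstream
    provider can trace back to a customer port."""
    return Counter(src for src, _ in packets).most_common(n)


class BlackholeList:
    """Blackhole keyed by individual source address. A host that releases its
    DHCP lease and comes back on another address is no longer matched, which
    is the limitation pointed out in the thread."""

    def __init__(self):
        self.addresses = set()

    def add(self, addr):
        self.addresses.add(ipaddress.ip_address(addr))

    def is_blocked(self, addr):
        return ipaddress.ip_address(addr) in self.addresses


def demo():
    """Run the filter, blackhole the top talker, then re-home the zombie to a
    new address inside the same prefix and report what still matches."""
    forwarded, dropped = ingress_filter(SAMPLE_PACKETS, CUSTOMER_PREFIX)
    bl = BlackholeList()
    attacker, _count = top_sources(forwarded, 1)[0]
    bl.add(attacker)
    rehomed = "192.0.2.201"  # constructed: same zombie after a new DHCP lease
    return {
        "forwarded": len(forwarded),
        "dropped": len(dropped),
        "blackholed": attacker,
        "still_blocked_after_dhcp": bl.is_blocked(rehomed),
        "still_inside_customer_prefix": ipaddress.ip_address(rehomed) in CUSTOMER_PREFIX,
    }


if __name__ == "__main__":
    print(demo())
```

The last field of `demo()` is the point of the exchange between Charles and the others: the per-host blackhole loses the zombie after a lease change, but the customer port (the prefix) it sits behind does not change, so a filter applied there keeps working.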
> analogy games are fun, but it boils down to this... If I know the real
> source of an attack, I can stop it within minutes.
the real source of the attack is the skript kitty who zombied the 10,000
hosts which are sourcing packets at you. the intermediate sources are the
10,000 zombies, and trying to deal with them at the source just does not
scale. though i sympathize with the frustration the attack victim feels,
i find the net.vigilantism amusing at best and misdirecting of people's
efforts at worst. the places where the counter-attack is scalable are
at the real perp and at the attacked site. finding the former is still
a matter of research. the known scalable counter to the latter is still
<http://nanog.org/mtg-0102/bellovin.html>.
randy
at Thursday, October 31, 2002 1:22 PM, Randy Bush <randy@psg.com> was
seen to say:
>> analogy games are fun, but it boils down to this... If I know the
>> real source of an attack, I can stop it within minutes.
>
> the real source of the attack is the skript kitty who zombied the
> 10,000 hosts which are sourcing packets at you. the intermediate
> sources are the 10,000 zombies, and trying to deal with them at the
> source just does not scale.
really you only need four or five though - if you can monitor the TCP/IP
links each have, you should find a common node that is the control node
(assuming the current situation where the bots remain connected during
the attack; a simple change could alter this to disconnect immediately
after orders are issued and not reconnect for a random time spanning
hours or days, but even then, unless the kiddie wishes to discard his
entire botnet after a single attack, they should eventually reconnect to
a control channel (probably an IRC channel or similar) - at least
theoretically, an IRC server network could be tapped to determine who is
the controller in a bot room, or the bot room could be discontinued
(which again, would only halt the current state of the art; the bots
could easily have a different network or a distributed networking
capability to recover the botnet after loss of a control room; actually,
I would be surprised if bots didn't already have some similar provision
now))
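The "four or five" heuristic in the message above, finding the one endpoint that every sampled bot talks to besides the victim, is a set intersection over flow records. The following is an added example from a network operator's detection standpoint, not code from anyone in this thread: it takes constructed flow records (source, destination, destination port) as an edge router or flow collector would export them, removes the victim (which every bot contacts by definition), and reports the endpoints shared by all, or by a given fraction, of the suspected bots. All hosts, addresses and ports are hypothetical sample data; the fraction threshold is there for the intermittent-reconnect case the author raises, where not every bot is seen talking to the control channel in a given window.

```python
"""Added example: locate the common control node among a handful of
suspected bots using constructed flow records (not real traffic)."""
from collections import Counter

# Constructed flow records observed at the provider edge: (src, dst, dport)
SAMPLE_FLOWS = [
    ("192.0.2.10", "198.51.100.5", 80),     # bot -> victim
    ("192.0.2.10", "203.0.113.40", 6667),   # bot -> suspected control channel
    ("192.0.2.10", "203.0.113.7", 53),      # bot -> its resolver
    ("192.0.2.11", "198.51.100.5", 80),
    ("192.0.2.11", "203.0.113.40", 6667),
    ("192.0.2.11", "203.0.113.8", 53),
    ("192.0.2.12", "198.51.100.5", 80),
    ("192.0.2.12", "203.0.113.40", 6667),
    ("192.0.2.12", "203.0.113.77", 25),
    ("192.0.2.13", "198.51.100.5", 80),
    ("192.0.2.13", "203.0.113.40", 6667),
    ("192.0.2.14", "198.51.100.5", 80),     # bot seen only attacking in this window
    ("192.0.2.50", "203.0.113.7", 53),      # uninvolved host on the same subnet
]


def peers_of(flows, host, exclude=()):
    """Set of (dst, dport) endpoints that 'host' talked to, leaving out any
    destination in 'exclude' (the attack victim, which tells us nothing)."""
    return {(d, p) for s, d, p in flows if s == host and d not in exclude}


def common_control_node(flows, bots, victim, min_share=1.0):
    """Return the endpoints contacted by at least min_share of the given bots,
    sorted. With min_share=1.0 this is the plain intersection; a lower share
    tolerates bots that disconnected before the observation window."""
    counts = Counter()
    for bot in bots:
        counts.update(peers_of(flows, bot, exclude={victim}))
    needed = max(1, int(round(min_share * len(bots))))
    return sorted(ep for ep, c in counts.items() if c >= needed)


if __name__ == "__main__":
    bots = ["192.0.2.10", "192.0.2.11", "192.0.2.12", "192.0.2.13"]
    print(common_control_node(SAMPLE_FLOWS, bots, "198.51.100.5"))
```

With four fully observed bots the intersection is a single endpoint, the constructed `203.0.113.40:6667`. Adding the fifth bot that was only seen attacking empties the strict intersection, and lowering `min_share` to 0.8 recovers the same endpoint, which is the trade-off a collector operator has to make when bots do not stay connected through the attack.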