Proposal for mitigating DoS attacks

Jeff Aitken jaitken at
Sat Jul 10 19:40:34 UTC 1999

Alex.Bligh writes:
> A discussion on Route Filtering
> ===============================
> This proposal does not invalidate the concept
> of route filtering. In fact it is vital that
> the same level of filtering is applied to
> Victim Routes as to the superblock in which
> they reside; elsewise they could themselves
> be used by irresponsible people as a Denial
> of Service attack. The same technology that
> currently ensures ISP's do not lose connectivity
> to their customers by accepting similar routes
> from their peers can be used to filter acceptance
> of Victim Routes.

This is certainly an interesting proposal.  However, I have a
concern related to the excerpt above.  Considering smurf-like 
attacks, the involved parties typically include:

1. Attacker's upstream(s).
2. Amplifiers.
3. Victim's upstream(s).
4. Victim.

Given the "distributed" nature of the attack, parties #1 and #2 tend
to see only marginal increases in traffic.  Party #3 may see a moderate
to heavy increase, but if they maintain sufficient headroom on their
network, it may not be enough to matter (or even be noticed).  By far
the most dramatic difference is seen by party #4, the victim himself.

Your proposal, assuming it could be consistently and properly
implemented, might certainly improve the situation for parties #3 and
#4.  However, it may open other, previously uninvolved parties to a new
form of attack: if I as an attacker can find a way to generate
thousands of these "victim" routes, I can affect a very potent DoS
against core routers all over the Internet.  Do the benefits to parties
#3 and #4 outweigh the newly-created risk that affects everyone?

For example, what happens when there is a breakdown in route filtering
and someone manages to slip in a few hundred victim routes that just so
happen to match the IPs in use at the major exchange points?  ;-)

The more I think about it, the more problems I see.  Smurf attacks
are possible because thousands of people can't disable directed
broadcasts on their routers.  This entire approach relies on many of
those same people to perform adequate route filtering to avoid far
worse consequences. :-(


More information about the NANOG mailing list