Proposal for mitigating DoS attacks

Aaron Hopkins aaron at
Mon Jul 12 22:20:24 UTC 1999


> Thus an oft-used response to an attack is to block traffic either to, or
> from, particular IP addresses. In the case of attacks involving forged
> source IP addresses, or reflected attacks such as SMURF, the only way to
> easily block these attacks to prevent collateral damage is to prevent
> all traffic from reaching the IP address concerned (filtering) until the
> attack has ceased (either as a consequence of a parallel act of tracing,
> or otherwise).

While I like the idea of your proposal, I see it as not working because it
trusts information generated by the attacker that is not necessarily
relevant to the success of the attack.

As I am familiar with it, the smurf is generally successful not by flooding
the target host's LAN, but rather its upstream network connection.
Infrastructure to take that one host off of the net quickly isn't going to
help if it's the network that's being attacked.  If this proposal becomes widely
accepted, it will only succeed in getting someone to modify the exploit to
allow the attacker to input a netmask, randomly flooding every IP sharing
the same link.  The effect will basically be the same, as far as I can tell.

The information that you can trust is that your attacker will cause large
quantities of ICMP echo-reply (or sometimes UDP) packets to enter your
network from amplifier source addresses.  The options I see are to either:

- Rate-limit or block ICMP echo-reply traffic, as close to the source as
  possible.  This may be only at your network ingress, but it might be
  interesting to see if the backbones really need to allow more than 5-20%
  of the bandwidth of any link as ICMP echo-reply.

- Rate-limit or block traffic from amplifier source addresses.  If a
  significant portion of the 'net were simply unavailable to these networks
  until they turned off directed-broadcast, they would get fixed much
  faster.  A BGP RBL-style feed would be the most easily maintainable, but
  one could even just write a script to take the top 100 off of
  and add them to access-lists.

                   Aaron Hopkins
                   aaron at 
                   Chief Technical Officer, Cyberverse Inc.
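An added example, not part of the original post, of the second option Aaron describes: it aggregates ICMP echo-reply volume per source /24 from constructed flow records, flags networks whose reply traffic exceeds a chosen share of link bandwidth (the 5-20% range mentioned above), and emits access-list lines for the top N. The flow record format, the thresholds and the Cisco-style ACL syntax are assumptions.

```python
# Added example (not from the original post). Flow format, link size,
# threshold and ACL syntax are all assumptions for illustration.
import ipaddress
from collections import defaultdict

# Constructed sample flow records: src_ip proto icmp_type bytes
# (icmp type 0 = echo-reply, type 8 = echo-request, "-" for non-ICMP).
SAMPLE_FLOWS = """\
192.0.2.10 icmp 0 6000000
192.0.2.77 icmp 0 4500000
198.51.100.5 icmp 0 9000000
203.0.113.9 icmp 8 2000
203.0.113.200 udp - 800000
198.51.100.140 icmp 0 3000000
203.0.113.50 icmp 0 100000
"""

def parse_flows(text):
    """Parse the constructed flow format into (src, proto, icmp_type, bytes)."""
    flows = []
    for line in text.splitlines():
        src, proto, itype, nbytes = line.split()
        flows.append((ipaddress.ip_address(src), proto, itype, int(nbytes)))
    return flows

def echo_reply_share_by_prefix(flows, window_s, link_bps, prefix_len=24):
    """Fraction of link capacity used by ICMP echo-reply, per source prefix."""
    per_net = defaultdict(int)
    for src, proto, itype, nbytes in flows:
        if proto == "icmp" and itype == "0":  # echo-reply only
            net = ipaddress.ip_network(f"{src}/{prefix_len}", strict=False)
            per_net[net] += nbytes
    capacity_bytes = link_bps / 8 * window_s
    return {net: b / capacity_bytes for net, b in per_net.items()}

def top_amplifiers(shares, threshold, n):
    """Networks at or above the threshold, largest share first, at most n."""
    ranked = sorted(shares.items(), key=lambda kv: kv[1], reverse=True)
    return [net for net, share in ranked if share >= threshold][:n]

def acl_lines(nets, acl_id=101):
    """Extended ACL entries (assumed Cisco-style syntax) that drop echo-reply
    from each flagged network, closed by an explicit permit."""
    lines = [f"access-list {acl_id} deny icmp {n.network_address} {n.hostmask} any echo-reply"
             for n in nets]
    lines.append(f"access-list {acl_id} permit ip any any")
    return lines
```

Running it over the sample with a 100 Mbps link and a 10 s window flags 198.51.100.0/24 (9.6%) and 192.0.2.0/24 (8.4%) at a 5% threshold, while 203.0.113.0/24 stays below it.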
