Proposal for mitigating DoS attacks

Barry Shein bzs at world.std.com
Wed Jul 14 04:56:51 UTC 1999



How outlandish would it be (and I realize it'd have to be done in the
router software and all that implies) to just turn on source routing
on particular types of packets (e.g., ICMP) and, optionally, strip it
as it went out the edge routers? Would this really add all that much
to the total bandwidth?  I haven't looked at the overhead, but with a
max diameter of, say, 16 it'd be 64 (16x4) bytes plus whatever
overhead per (ICMP) packet, and that's pretty much a worst case. Then
packets could be easily analyzed at the target router and immediately
traced right back to the first "responsible" router very near the
source, probably at the origin site in most cases, bypassing any need
to trace in between.

And yes I mean all the time, not just when there's an attack in
progress.

But if it were stripped back to a regular ICMP packet before it went
out, e.g., a customer's T1 it wouldn't impose any burden on the
customer's last mile bandwidth, other than whatever processing is
involved in the router they're attached to, but I'll assume that's
insignificant from the point of view of that customer under normal
conditions.

-- 
        -Barry Shein

Software Tool & Die    | bzs at world.std.com          | http://www.world.com
Purveyors to the Trade | Voice: 617-739-0202        | Login: 617-739-WRLD
The World              | Public Access Internet     | Since 1989     *oo*




More information about the NANOG mailing list