NANOG Digest V1 #781

Simon Waters Simon at wretched.demon.co.uk
Fri Jul 13 01:11:32 UTC 2001


> I'm going to go way out on a limb here and say:
> 1) I would prefer all attacks use spoofed sources (cause I can track it
> across my net in 2 minutes)

Perhaps you could enlighten me further on this - if this is
a naive question off list.

> Ok, that said, think about this: Today we have 1 or 2 or 3 spoofing boxes
> per attack (on average), if there are 8000 IIS boxes pinging one 64k ping
> per second you can really rack up the bandwidth fast.

I don't think this is an issue. If by being able to notify
the admin of a few boxes being used in a nonspoofed DDoS
attack, we raise the bar so that larger networks must be
used, we have gained real ground in the battle.

Security isn't normally about absolutes, if you make
something harder, without increasing the rewards less rats
will do it.

We need to be able to trust source IP addresses, before we
can even conceive of a system that would permit mailing 8000
administrators to say 'Your box is owned'. Or implement some
sort of system to pass the word to peers or transit
providers that a particular source should be stopped before
it reaches the boundaries of our own networks.

Similarly if you want to track down the people who
perpetrate the attacks (I'm not convinced this will stop as
many as some people think), knowing the source IP is
reliable must make life easier. If I had a set of bots, and
could control them with spoofed UDP packets, or unspoofed
TCP connections, which do you think I'd use?!

Some analogies on the list I think are stretched, which is
why I think that tracking down perpetrators will be less
effective than others have suggested.

1. 7-11 analogy - the real reason people don't rob 7-11s a
lot more is that they don't have any real money - the big
criminals rob richer places, only the druggies rob 7-11's.
This breaks down in DDoS as we can use all those 7-11's to
help blackmail the bank.

2. Safe to leave your car unlocked in the street - It is
fine to leave your car unlocked in my street. Indeed on one
occaison I left the front door open, and came home to find
the neighbours had shut it for me as they were "concerned".
On the Internet you are less than a few seconds away from
even the remotest corner, so your definitely in a cross
between the dodgier parts of LA, a Johannisburg slum, and
the Lebanon.

Yes prosecutions for DDoS will discourage script kiddies,
but it won't stop the people with a cause, or countries your
country is at war with, or worse countries who are at war
with countries who host their sites with you, or hundred of
other groups. Thus prosecution may be part of the solution,
but "technical" solutions will still be required, and
stopping spoofing is probably a first step in the right
direction to provide some of these.

-- 
Are you using the Internet to best effect ?
www.eighth-layer.com
Tel: +44(0)1395 232769      ICQ: 116952768
Moderated discussion of teleworking at
news:uk.business.telework



More information about the NANOG mailing list