dsl providers that will route /24

Thu Mar 29 22:42:29 UTC 2001


> Thats all well and good if you are going to have someone monitor the logs
> of these packets 24x7, but if you have a customer get hacked and start
> spewing shitloads of spoofed sourced packets at various networks (Insert
> your favorite DDOS Drone here), then the damage is high, immediate, and
> done by the time you notice it in most cases.
>
> Jason

	They could do almost exactly the same amount of damage with an unspoofed
UDP flood and it would still take a human action to stop it. The attack can
still hop from victim to victim until the problem is stopped at its source.
The problem still won't get stopped at its source until someone with the
ability to stop it is summoned and alterted to the problem.

	Odds are, an attacker will used spoofed packets if he can. potentially
spoofed packets will trigger an investigation on my network. An unspoofed
UDP flood probably won't (especially if it hops from victim to victim).

	So if the attacker uses spoofed packets, he may get cut off at the source
(and the problem actually solved) sooner. On the other hand, unspoofed
packets will probably trigger a call to the administration of the source
network faster. Of course, you don't know that attack is unspoofed, so you
really can't be sure what the source is.

	The important thing to realize is that neither of these situations is
ideal. That is, filters don't solve the problem. We need to acknowledge that
we have a problem and don't have a solution to it. Only then will the
problem be analyzed, solutions proposed, and implemented.

	One possibility is a hop-by-hop reverse tracing protocol. Another
possibility is some form of source authentication. For unspoofed floods, the
solution may be a way to 'push' a filter up a chain of routers.

	I don't know, I'm not smart enough to solve the problem by myself. All I
can do is keep yelling as loudly as I can that there is a problem and that
we do need a really good solution.

	DS