dsl providers that will route /24

John Payne john at sackheads.org
Thu Mar 29 23:14:08 UTC 2001


On Thu, Mar 29, 2001 at 02:42:29PM -0800, David Schwartz wrote:
> 
> 
> > Thats all well and good if you are going to have someone monitor the logs
> > of these packets 24x7, but if you have a customer get hacked and start
> > spewing shitloads of spoofed sourced packets at various networks (Insert
> > your favorite DDOS Drone here), then the damage is high, immediate, and
> > done by the time you notice it in most cases.
> >
> > Jason
> 
> 	They could do almost exactly the same amount of damage with an unspoofed
> UDP flood and it would still take a human action to stop it. The attack can
> still hop from victim to victim until the problem is stopped at its source.
> The problem still won't get stopped at its source until someone with the
> ability to stop it is summoned and alerted to the problem.

But the *unspoofed* packets are traceable.  The victim can pick up the phone
and call your operations and alert them.

> 	Odds are, an attacker will use spoofed packets if he can. Potentially
> spoofed packets will trigger an investigation on my network. An unspoofed
> UDP flood probably won't (especially if it hops from victim to victim).

Some of us that have been flooded don't appreciate playing the odds that the
provider of the flooder will notice.

> 	So if the attacker uses spoofed packets, he may get cut off at the source
> (and the problem actually solved) sooner. On the other hand, unspoofed
> packets will probably trigger a call to the administration of the source
> network faster. Of course, you don't know that the attack is unspoofed, so you
> really can't be sure what the source is.

No, but it gives a good indication.  And your NOC can find out if the packets
are actually coming from your customer (unspoofed) or not (spoofed).  If it's
unspoofed then we're on the phone to the right people.  If it's spoofed, we're
SOL.

> 	The important thing to realize is that neither of these situations is
> ideal. That is, filters don't solve the problem. We need to acknowledge that
> we have a problem and don't have a solution to it. Only then will the
> problem be analyzed, solutions proposed, and implemented.

Filters mean "least damage".

> 	One possibility is a hop-by-hop reverse tracing protocol. Another
> possibility is some form of source authentication. For unspoofed floods, the
> solution may be a way to 'push' a filter up a chain of routers.
> 
> 	I don't know, I'm not smart enough to solve the problem by myself. All I
> can do is keep yelling as loudly as I can that there is a problem and that
> we do need a really good solution.

And until we get a really good solution, a really good workaround is not
letting spoofed packets into your network from your customers.


-- 
John Payne      http://www.sackheads.org/jpayne/    john at sackheads.org
http://www.sackheads.org/uce/                    Fax: +44 870 0547954
        To send me mail, use the address in the From: header
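As an added example (not code from this thread or the list), a small Python model of the per-customer ingress filter John recommends: the provider already knows which prefixes it routes to each customer port, so a packet arriving on that port with a source address outside them is spoofed (or misconfigured) and is dropped and logged before it can leave the provider's network. The port names, prefixes and packets below are constructed sample data.

```python
"""Per-customer ingress anti-spoofing filter at a provider's edge (BCP 38 style).

Constructed example: each customer port is bound to the prefixes the provider
assigned to it. A packet arriving on that port whose source address is outside
those prefixes cannot legitimately have come from that customer, so it is dropped
and logged. The log line names the port, which is exactly what the NOC needs to
reach the right customer instead of chasing a spoofed source address.
"""
import ipaddress
from collections import Counter

# Hypothetical customer-port -> assigned-prefix table (constructed sample data).
CUSTOMER_PREFIXES = {
    "dsl-port-17": [ipaddress.ip_network("192.0.2.0/24")],
    "dsl-port-42": [ipaddress.ip_network("198.51.100.0/24"),
                    ipaddress.ip_network("203.0.113.128/25")],
}

def source_permitted(port, src):
    """True if src lies inside a prefix the provider routes to this port.
    A port with no assigned prefix gets default-deny."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in CUSTOMER_PREFIXES.get(port, []))

def filter_ingress(packets):
    """Apply the ingress filter to (port, src, dst) tuples seen on customer ports.

    Returns (forwarded, dropped_per_port, log): forwarded packets, a Counter of
    drops keyed by port, and one log line per dropped packet.
    """
    forwarded, dropped, log = [], Counter(), []
    for port, src, dst in packets:
        if source_permitted(port, src):
            forwarded.append((port, src, dst))
        else:
            dropped[port] += 1
            log.append(f"DROP port={port} src={src} dst={dst} (source not assigned to port)")
    return forwarded, dropped, log

# Constructed sample: two legitimate flows, two spoofed packets from port 42,
# one legitimate packet from port 42's second prefix, and an unknown port.
SAMPLE_PACKETS = [
    ("dsl-port-17", "192.0.2.10", "203.0.113.5"),
    ("dsl-port-42", "198.51.100.7", "192.0.2.99"),
    ("dsl-port-42", "10.1.2.3", "192.0.2.99"),       # spoofed: RFC 1918 source
    ("dsl-port-42", "192.0.2.10", "192.0.2.99"),     # spoofed: another customer's address
    ("dsl-port-42", "203.0.113.130", "192.0.2.99"),  # legitimate, second prefix
    ("dsl-port-99", "198.51.100.7", "192.0.2.99"),   # unknown port: default deny
]

if __name__ == "__main__":
    fwd, drops, log = filter_ingress(SAMPLE_PACKETS)
    print(f"forwarded={len(fwd)} dropped={dict(drops)}")
    print("\n".join(log))
```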