DNS issues various

Richard A Steenbergen ras at e-gerbil.net
Thu Oct 24 21:23:17 UTC 2002


On Thu, Oct 24, 2002 at 04:02:09PM -0500, Rob Thomas wrote:
> 
> Hi, NANOGers.
> 
> ] I assert this is not the case. A significant percentage of DDoS attacks use
> ] legitimate source IP addresses. When there are thousands of throw-away hosts
> 
> I track several botnets per week, and a large amount of DDoS per week.
> Only around 20% (or a bit less) of all the attacks I log use spoofed
> source addresses.
> 
> Does anti-spoofing help?  Yes.  It is but one of many mitigation
> strategies.

I don't know what botnets you look at, but I wouldn't go that far.

Of course stopping spoofing will not solve everything, but it does and 
will make a huge impact on DoS mitigation and tracing.

The problem now is that no one "knows" for certain if the attack they're
tracing is spoofed or not. With a random source syn flood, you know it's
spoofed. With an attack which is spoofing a legit-looking address that is
completely unrelated to the attacker, you don't. Most people who report 
DoS (including myself) have been so burned by finding out that legitimate 
looking source address on an attack is in fact spoofed (or worse yet that 
an innocent party gets blamed by incompetent admins), they see a DDoS and 
don't even bother. Attackers w/DDoS networks use this to their advantage, 
by mixing spoofed attacks (where they can) with unspoofed attacks (where 
they can't, such as windows machines, boxes where they haven't compromised 
root such as apache worms and the like, and even in rare cases where the 
network is doing their job and ingress filtering), to make it effectively 
impossible to know which hosts to go after.

Tracing down dumb drones with non-spoofed addresses is a LOT easier than
tracking spoofed packets through the network (or worse explaining to other
networks how to do it). Of course, as more and more ingress filtering is
implemented, the attacks will move to "one-off" spoofing, where they spoof
their neighbor's address but are still close enough to get through filters,
and incompetent admins go chasing after ghosts. But we'll deal with that
situation when we come to it. :)

-- 
Richard A Steenbergen <ras at e-gerbil.net>       http://www.e-gerbil.net/ras
PGP Key ID: 0x138EA177  (67 29 D7 BC E8 18 3E DA  B2 46 B3 D8 14 36 FE B6)
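Added example, not part of this thread or from either poster: a BCP 38 style ingress check on a customer port, applied to constructed traffic, showing why random-source spoofs are dropped while the "one-off" spoof of a neighbour in the same prefix passes the filter. The prefix and addresses are assumed for illustration.

```python
import ipaddress

# Constructed: one customer port, assigned a single /24 by the ISP.
CUSTOMER_PREFIXES = [ipaddress.ip_network("192.0.2.0/24")]

def ingress_permitted(src, prefixes=CUSTOMER_PREFIXES):
    """BCP 38 check: a packet arriving on a customer port is forwarded
    only if its source address lies within that customer's prefixes."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in prefixes)

def apply_ingress_filter(packets, prefixes=CUSTOMER_PREFIXES):
    """Split (src, dst) packets into those forwarded and those dropped."""
    forwarded, dropped = [], []
    for src, dst in packets:
        (forwarded if ingress_permitted(src, prefixes) else dropped).append((src, dst))
    return forwarded, dropped

def source_spread(packets):
    """Distinct sources as a fraction of packets. Near 1.0: almost every
    packet has a fresh source (random-source flood, clearly spoofed).
    Near 0: a few hosts repeating, which looks like real drones but, as the
    thread notes, could still be a one-off spoof. A hint, not proof."""
    if not packets:
        return 0.0
    return len({src for src, _ in packets}) / len(packets)

# Constructed traffic entering the customer port, all aimed at one victim.
VICTIM = "198.51.100.10"
RANDOM_SOURCE_FLOOD = [(f"203.0.113.{i}", VICTIM) for i in range(1, 21)]  # random spoofs
ONE_OFF_SPOOF = [("192.0.2.77", VICTIM)] * 5   # spoofing a neighbour inside the /24
REAL_DRONE = [("192.0.2.9", VICTIM)] * 5        # the customer's own compromised host

if __name__ == "__main__":
    fwd, drp = apply_ingress_filter(RANDOM_SOURCE_FLOOD + ONE_OFF_SPOOF + REAL_DRONE)
    print(f"forwarded={len(fwd)} dropped={len(drp)}")
    print(f"source spread of forwarded traffic: {source_spread(fwd):.2f}")
```

The filter removes the 20 random-source packets but forwards both the real drone and the neighbour spoof, so the victim still cannot tell those two apart from the source address alone.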