Is there a line of defense against Distributed Reflective attacks?

Brad Laue brad at brad-x.com
Fri Jan 17 01:48:03 UTC 2003


Having researched this in-depth after reading a rather cursory article
on the topic (http://grc.com/dos/drdos.htm), only two main methods come
to my mind to protect against it.

By way of quick review, such an attack is carried out by forging the
source address of the target host and sending large quantities of
packets toward a high-bandwidth middleman or several such.

To my knowledge the network encompassing the target host is largely
unable to protect itself other than 'poisoning' the route to the host in
question. This succeeds in minimizing the impact of such an attack on
the network itself, but also achieves the end of removing the target
host from the Internet entirely. Additionally, if the targeted host is
a router, little if anything can be done to stop that network from going
down.

One method that comes to mind that can slow the incoming traffic in a
more distributed way is ECN (explicit congestion notification), but it
doesn't seem as though the implementation of ECN is a priority for many
small or large networks (correct me if I'm wrong on this point). If ECN
is a practical solution to an attack of this kind, what prevents its
implementation? Lack of awareness, or other?

Also, are there other methods of protecting a targeted network from
losing functionality during such an attack?

Insights welcome.

Brad

-- 
// -- http://www.BRAD-X.com/ -- //
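One concrete line of defense the post asks about is recognising the reflection pattern on the target's own network: SYN-ACKs arriving from many distinct hosts that the target never sent a SYN to. The script below is an added example, not part of Brad's post; it runs that check over constructed packet summaries, and the line format, the host 192.0.2.10 and the 203.0.113.x reflector addresses are assumptions made for the example.

```python
from collections import defaultdict

# Constructed sample summaries (not a real capture): direction, src:port > dst:port, TCP flags.
# 192.0.2.10 is the monitored host; the 203.0.113.x hosts stand in for the reflectors.
SAMPLE_LINES = """
out 192.0.2.10:40001 > 198.51.100.5:80 S
in  198.51.100.5:80 > 192.0.2.10:40001 SA
in  203.0.113.7:80 > 192.0.2.10:443 SA
in  203.0.113.8:80 > 192.0.2.10:443 SA
in  203.0.113.9:53 > 192.0.2.10:443 SA
in  203.0.113.9:53 > 192.0.2.10:443 SA
in  203.0.113.10:80 > 192.0.2.11:443 SA
"""


def parse_line(line):
    """Split one summary line into (direction, src_ip, src_port, dst_ip, dst_port, flags)."""
    direction, src, _, dst, flags = line.split()
    sip, sport = src.rsplit(":", 1)
    dip, dport = dst.rsplit(":", 1)
    return direction, sip, int(sport), dip, int(dport), flags


def find_reflection_targets(lines, min_reflectors=3):
    """Return {target_ip: sorted reflector IPs} for every local host that receives
    SYN-ACKs from at least min_reflectors distinct sources without a matching
    outbound SYN. Lines are assumed to be in capture order, so a legitimate
    SYN precedes its SYN-ACK and is never counted."""
    sent_syns = set()
    unsolicited = defaultdict(set)
    for raw in lines.strip().splitlines():
        direction, sip, sport, dip, dport, flags = parse_line(raw)
        if direction == "out" and flags == "S":
            sent_syns.add((sip, sport, dip, dport))
        elif direction == "in" and flags == "SA":
            # A reply is solicited only if we saw the mirror-image SYN go out.
            if (dip, dport, sip, sport) not in sent_syns:
                unsolicited[dip].add(sip)
    return {t: sorted(r) for t, r in unsolicited.items() if len(r) >= min_reflectors}


if __name__ == "__main__":
    for target, reflectors in find_reflection_targets(SAMPLE_LINES).items():
        print(f"{target}: unsolicited SYN-ACKs from {len(reflectors)} hosts: {reflectors}")
```

The threshold is what separates a handful of stray retransmits from a reflection flood; tune it to the monitored network's normal background before alerting on it.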