Is there a line of defense against Distributed Reflective attacks?

• Previous message (by thread): Is there a line of defense against Distributed Reflective attacks?
• Next message (by thread): Is there a line of defense against Distributed Reflective attacks?
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This type of DRDOS (Distributed Reflective Denial of Service Attack) is 
well commonly-known to both network operators, and as well as many 
script-kiddies.

By forging the source IP address of the attack to the victim's IP, and 
attacking internet backbone routers, this creates an immediate, 
devastating, yet very effective attack. Backbone routers, seeing this as 
legitimate packets simply reply back to the victim.

I guess the question is, what are the internet backbones doing these 
days to evade the outcome of reflected DoS attacks? Are they simply 
going to let their routers be the middleman to kick off innocent hosts?

SYN cookies and various other methods to control DoS attacks are only 
used by smart ISP's.. And considering most ISP's do not even care about 
egress filters, I don't believe any of these methods will work for quite 
some time to come.

-hc


>
> Having researched this in-depth after reading a rather cursory article
> on the topic (http://grc.com/dos/drdos.htm), only two main methods come
> to my mind to protect against it.
>
> By way of quick review, such an attack is carried out by forging the
> source address of the target host and sending large quantities of
> packets toward a high-bandwidth middleman or several such.
>
> To my knowledge the network encompassing the target host is largely
> unable to protect itself other than 'poisoning' the route to the host in
> question. This succeeds in minimizing the impact of such an attack on
> the network itself, but also acheives the end of removing the target
> host from the Internet entirely. Additionally, if the targetted host is
> a router, little if anything can be done to stop that network from going
> down.
>
> One method that comes to mind that can slow the incoming traffic in a
> more distributed way is ECN (explicit congestion notification), but it
> doesn't seem as though the implementation of ECN is a priority for many
> small or large networks (correct me if I'm wrong on this point). If ECN
> is a practical solution to an attack of this kind, what prevents its
> implementation? Lack of awareness, or other?
>
> Also, are there other methods of protecting a targetted network from
> losing functionality during such an attack?
>
> Insights welcome.
>
> Brad
>

• Previous message (by thread): Is there a line of defense against Distributed Reflective attacks?
• Next message (by thread): Is there a line of defense against Distributed Reflective attacks?
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]