Is there a line of defense against Distributed Reflective attacks?

Christopher L. Morrow chris at UU.NET
Fri Jan 17 03:56:10 UTC 2003
On Thu, 16 Jan 2003, Brad Laue wrote:

>
> Having researched this in-depth after reading a rather cursory article
> on the topic (http://grc.com/dos/drdos.htm), only two main methods come
> to my mind to protect against it.
>
> By way of quick review, such an attack is carried out by forging the
> source address of the target host and sending large quantities of
> packets toward a high-bandwidth middleman or several such.
>
> To my knowledge the network encompassing the target host is largely
> unable to protect itself other than 'poisoning' the route to the host in
> question. This succeeds in minimizing the impact of such an attack on
> the network itself, but also achieves the end of removing the target
> host from the Internet entirely. Additionally, if the targeted host is
> a router, little if anything can be done to stop that network from going
> down.
>
> One method that comes to mind that can slow the incoming traffic in a
> more distributed way is ECN (explicit congestion notification), but it
> doesn't seem as though the implementation of ECN is a priority for many
> small or large networks (correct me if I'm wrong on this point). If ECN
> is a practical solution to an attack of this kind, what prevents its
> implementation? Lack of awareness, or other?

Doesn't ECN depend on 'well behaved' traffic? In other words, wouldn't it
require the hosts sending traffic to slow down? So... even if the hosts
slowed down, 10,000 hosts still is a high traffic rate at the end point.
:(

>
> Also, are there other methods of protecting a targeted network from
> losing functionality during such an attack?
>
> Insights welcome.
>
> Brad
>
> --
> // -- http://www.BRAD-X.com/ -- //
>
>
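As an added example (not part of the thread above), the reflection pattern Brad describes, seen from the target network's side: inbound replies arriving from high-bandwidth hosts the target never sent a request to, because the request carried the target's forged source address. The flow records, direction labels and the three-reflector threshold are constructed assumptions, not data from the thread.

```python
"""Flag hosts inside our network that receive TCP SYN/ACK replies from
peers they never sent a SYN to.  One stray reply is noise; the same host
getting unsolicited replies from many distinct sources is the signature
of a reflected attack where our address was spoofed toward reflectors.
All records below are constructed sample data."""
from collections import defaultdict

# Constructed flow records: (direction, src, dst, tcp_flags)
# direction is 'in' for traffic entering our network, 'out' for leaving it.
SAMPLE_FLOWS = [
    ("out", "192.0.2.10", "198.51.100.5", "S"),   # legitimate: we sent a SYN
    ("in",  "198.51.100.5", "192.0.2.10", "SA"),  # legitimate reply to it
    ("in",  "203.0.113.1", "192.0.2.10", "SA"),   # SYN/ACK we never asked for
    ("in",  "203.0.113.2", "192.0.2.10", "SA"),
    ("in",  "203.0.113.3", "192.0.2.10", "SA"),
    ("in",  "203.0.113.4", "192.0.2.10", "SA"),
    ("in",  "203.0.113.5", "192.0.2.10", "SA"),
]


def unsolicited_replies(flows):
    """Return {local_host: set(peers)} for inbound SYN/ACKs with no
    matching outbound SYN from local_host to that peer."""
    sent_syn = {(src, dst) for d, src, dst, flags in flows
                if d == "out" and flags == "S"}
    hits = defaultdict(set)
    for d, src, dst, flags in flows:
        if d == "in" and flags == "SA" and (dst, src) not in sent_syn:
            hits[dst].add(src)
    return hits


def reflection_suspects(flows, min_reflectors=3):
    """Local hosts receiving unsolicited replies from at least
    min_reflectors distinct peers, with the peer list sorted for review."""
    return {host: sorted(peers)
            for host, peers in unsolicited_replies(flows).items()
            if len(peers) >= min_reflectors}


if __name__ == "__main__":
    for host, peers in reflection_suspects(SAMPLE_FLOWS).items():
        print(f"{host}: unsolicited replies from {len(peers)} peers: {peers}")
```

Run against real flow exports the same way: the legitimate 198.51.100.5 reply is excluded because the outbound SYN was seen, while the five reflected replies are grouped under the target.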