Is there a line of defense against Distributed Reflective attacks?
David G. Andersen
dga at lcs.mit.edu
Fri Jan 17 06:11:14 UTC 2003
On Thu, Jan 16, 2003 at 08:48:03PM -0500, Brad Laue mooed:
>
> By way of quick review, such an attack is carried out by forging the
> source address of the target host and sending large quantities of
> packets toward a high-bandwidth middleman or several such.
>
> One method that comes to mind that can slow the incoming traffic in a
> more distributed way is ECN (explicit congestion notification), but it
> doesn't seem as though the implementation of ECN is a priority for many
No. ECN is, first and foremost, an optimization for TCP so that
it doesn't have to drop packets before cutting its rate back when
there's congestion in the network. A zombie or malicious host would
just ignore the ECN bit - and the attacks you're describing never
reach the point where a host's flow control is involved.

You might be thinking of source quench, but that's really not an
option with today's networks.

Some other conventional alternatives have been discussed already
(ingress/egress filtering, etc). Some less conventional options:

[Warning: Some researchy stuff ahead]

a) Mazu and Arbor provide products that can detect and
   optionally shape traffic to avoid DDoS attacks. Must be
   installed in-line to shape, and can't (AFAIK) shape at
   really really high line speeds. But for reasonable things
   like, maybe gigabit and under, I think they can provide
   pretty reasonable protection. Don't quote me for sure on the rates.

b) Ioannidis and Bellovin proposed a mechanism called "Pushback"
   for automatically establishing router-based rate limits to
   staunch packet flows during DoS attacks.
   [NDSS 2002, "Implementing Pushback: Router-Based Defense
   Against DDoS Attacks"]

c) I stole some ideas from a sigcomm paper this year ("SOS: Secure
   Overlay Services") to propose a proactive DDoS resistance scheme
   I term Mayday. The basic idea is that you pick some secret
   attributes of your packets - destination port, destination
   address, etc. - and only allow packets with "the right values"
   through. You then tell that secret to someone like Akamai,
   and have them proxy all requests to you. Then you ask your
   upstream to proactively deny all packets without the magical
   values.

   http://nms.lcs.mit.edu/papers/mayday-usits2003.html

   It's a little weird, but I'd be willing to bet that one of
   the big overlay providers like Akamai could actually pull it off.
   The advantage of this approach is that you can implement it
   without fixing the whole world, unlike egress filters. The
   downside is that you need someone with lots of nodes.
I'd be interested in hearing folks' comments about the mayday
paper, btw, since I have to babble about it at a conference
in a month. ;-)
-Dave
--
work: dga at lcs.mit.edu me: dga at pobox.com
MIT Laboratory for Computer Science http://www.angio.net/
I do not accept unsolicited commercial email. Do not spam me.
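The Mayday scheme sketched in point (c), as an added simulation that is not code from the post or from the Mayday paper: a constructed upstream ACL admits traffic to the protected host only when it carries the secret destination attributes, an overlay node that knows the secret proxies real clients in, and a constructed reflector flood (replies aimed at the server on whatever ports the forged requests chose) is dropped regardless of its source address. All addresses, ports, node names and the secret itself are made-up values for this example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str     # source address; forgeable, so the filter never trusts it
    dst: str     # destination address
    dport: int   # destination port


# Constructed values (hypothetical, not from the post or the paper).
SERVER = "192.0.2.10"                      # the protected host
SECRET = {"dst": SERVER, "dport": 40123}   # the "magical values" only the overlay knows
OVERLAY_NODES = ["198.51.100.1", "198.51.100.2"]


def upstream_filter(pkt: Packet, secret: dict) -> bool:
    """Upstream router ACL: traffic to the protected host is admitted only if it
    carries the secret destination attributes; anything else aimed at the host is
    dropped. Other destinations pass untouched. The source address is ignored on
    purpose, since a reflective flood forges it anyway. Note the flip side: any
    packet that does carry the secret is admitted, so the scheme stands or falls
    on keeping the secret between the server, its upstream and the overlay."""
    if pkt.dst != secret["dst"]:
        return True
    return pkt.dport == secret["dport"]


def overlay_proxy(overlay_node: str, secret: dict) -> Packet:
    """An overlay node that knows the secret rewrites a client's request so it
    lands on the secret destination address/port of the protected host."""
    return Packet(src=overlay_node, dst=secret["dst"], dport=secret["dport"])


def simulate(packets, secret):
    """Split a traffic mix into what the upstream ACL admits and what it drops."""
    admitted = [p for p in packets if upstream_filter(p, secret)]
    dropped = [p for p in packets if not upstream_filter(p, secret)]
    return admitted, dropped


# Constructed traffic mix: two clients via the overlay, four reflector replies
# aimed at the server, one client trying to bypass the overlay directly, and
# one packet for an unrelated host behind the same upstream.
TRAFFIC = [
    overlay_proxy(OVERLAY_NODES[0], SECRET),
    overlay_proxy(OVERLAY_NODES[1], SECRET),
    Packet("203.0.113.5", SERVER, 53),
    Packet("203.0.113.6", SERVER, 80),
    Packet("203.0.113.7", SERVER, 443),
    Packet("203.0.113.8", SERVER, 40122),
    Packet("198.18.0.1", SERVER, 80),
    Packet("203.0.113.5", "192.0.2.20", 80),
]

if __name__ == "__main__":
    ok, bad = simulate(TRAFFIC, SECRET)
    print(f"admitted {len(ok)}, dropped {len(bad)}")
```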