Is there a line of defense against Distributed Reflective attacks?

David G. Andersen dga at lcs.mit.edu
Fri Jan 17 06:11:14 UTC 2003


On Thu, Jan 16, 2003 at 08:48:03PM -0500, Brad Laue mooed:
> 
> By way of quick review, such an attack is carried out by forging the
> source address of the target host and sending large quantities of
> packets toward a high-bandwidth middleman or several such.
> 
> One method that comes to mind that can slow the incoming traffic in a
> more distributed way is ECN (explicit congestion notification), but it
> doesn't seem as though the implementation of ECN is a priority for many

   No.  ECN is, first and foremost, an optimization for TCP so that
it doesn't have to drop packets before cutting its rate back when
there's congestion in the network.  A zombie or malicious host would
just ignore the ECN bit - and the attacks you're describing never
reach the point where a host's flow control is involved.

   You might be thinking of source quench, but that's really not an
option with today's networks.

  Some other conventional alternatives have been discussed already
(ingress/egress filtering, etc).  Some less conventional options:
[Warning:  Some researchy stuff ahead]

  a)  Mazu and Arbor provide products that can detect and
      optionally shape traffic to avoid DDoS attacks.  Must be
      installed in-line to shape, and can't (AFAIK) shape at
      really really high line speeds.  But for reasonable things
      like, maybe gigabit and under, I think they can provide
      pretty reasonable protection.  Don't quote me for sure on the rates.

  b)  Ioannidis and Bellovin proposed a mechanism called "Pushback"
      for automatically establishing router-based rate limits to
      staunch packet flows during DoS attacks.
      [NDSS 2002, "Implementing Pushback:  Router-Based Defense
       Against DDoS Attacks"]

  c)  I stole some ideas from a sigcomm paper this year ("SOS:  Secure
      Overlay Services") to propose a proactive DDoS resistance scheme
      I term Mayday.  The basic idea is that you pick some secret
      attributes of your packets - destination port, destination
      address, etc. - and only allow packets with "the right values"
      through.  You then tell that secret to someone like Akamai,
      and have them proxy all requests to you.  Then you ask your
      upstream to proactively deny all packets without the magical
      values.

      http://nms.lcs.mit.edu/papers/mayday-usits2003.html

      It's a little weird, but I'd be willing to bet that one of
      the big overlay providers like Akamai could actually pull it off.
      The advantage of this approach is that you can implement it
      without fixing the whole world, unlike egress filters.  The
      downside is that you need someone with lots of nodes.

      I'd be interested in hearing folks' comments about the mayday
      paper, btw, since I have to babble about it at a conference
      in a month. ;-)

  -Dave

-- 
work: dga at lcs.mit.edu                          me:  dga at pobox.com
      MIT Laboratory for Computer Science           http://www.angio.net/
      I do not accept unsolicited commercial email.  Do not spam me.
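As an added illustration, not code from the original mail or from the Mayday paper: a toy Python model of the filtering scheme sketched in (c). The addresses, the secret destination values and the traffic mix are constructed, and a single static secret is assumed rather than whatever key handling the paper itself describes.

```python
"""Toy model of Mayday-style proactive filtering (constructed example)."""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    payload: str


# Constructed assumptions: the protected server owns a small address block,
# and one (address, port) pair out of it is the secret shared only with the
# overlay provider; the public service itself is nominally on port 80.
PROTECTED_BLOCK = {"192.0.2.10", "192.0.2.11", "192.0.2.12"}
SECRET = {"dst": "192.0.2.11", "dport": 4471}
OVERLAY_NODE = "198.51.100.1"


def upstream_filter(pkt, secret):
    """The upstream's proactive rule: anything headed for the protected
    block is forwarded only if both secret attributes match; all other
    traffic toward the block is denied before it reaches the customer link."""
    if pkt.dst not in PROTECTED_BLOCK:
        return True  # not the protected customer's space; unaffected
    return pkt.dst == secret["dst"] and pkt.dport == secret["dport"]


def overlay_proxy(client_pkt, secret):
    """An overlay node that knows the secret re-addresses a legitimate
    client's request into the form the upstream will let through."""
    return replace(client_pkt, src=OVERLAY_NODE, dst=secret["dst"], dport=secret["dport"])


def simulate(secret):
    """Run one legitimate request and a constructed reflected flood through
    the upstream filter; return the packets that reach the protected block."""
    legit = overlay_proxy(Packet("198.51.100.77", OVERLAY_NODE, 80, "GET /"), secret)
    # Reflector replies land wherever the forged source said; the attacker
    # does not know the secret, so the destinations are guesses.
    reflected = [Packet(f"203.0.113.{i}", "192.0.2.10", 53, "DNS reply") for i in range(1, 4)]
    # Guessing the port but not the address still fails: both must match.
    reflected += [Packet(f"203.0.113.{i}", "192.0.2.12", 4471, "ICMP echo reply") for i in range(4, 6)]
    return [p for p in [legit] + reflected if upstream_filter(p, secret)]
```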