Is there a line of defense against Distributed Reflective attacks?

Kurt Erik Lindqvist kurtis at kurtis.pp.se
Fri Jan 17 16:29:44 UTC 2003


>> Having researched this in-depth after reading a rather cursory article
>> on the topic (http://grc.com/dos/drdos.htm), only two main methods 
>> come
>> to my mind to protect against it.
>
> There are a few more methods, some have already mentioned including
> something called pushback.  Very few solutions, particularly elegant
> ones are widely deployed today.
>
> At some point, sophisticated (or even not so sophisticated) DoS
> attacks can be hard to distinguish between valid traffic, particularly
> if widely distributed and traffic is as valid looking as any other
> bit of traffic.

I have been thinking about this for a while due to a number of reasons. 
But if we look at the source of the attacks and the effects of the 
attacks, I would draw the conclusions that

a) Unless we fix the "end-system" faults that are used for exploits, 
the only way that will scale to handle attacks is simply to make the 
victims redundant, so that you can lose one and lose service for some 
customers, so that you can provide service for the remaining customers.

b) In the short to medium term, the only strategy that will work is to 
sacrifice some parts of your service (or host, or customers - depending 
on your role and the type of attack / victim).

Even with the pushback model, the ordinary users will lose to some 
extent. So what would be needed would be a model where the loss of 
bandwidth for end-users is projected onto the revenue numbers of the 
service being attacked. Right?

>
>> is a practical solution to an attack of this kind, what prevents its
>> implementation? Lack of awareness, or other?
>
> It is still fairly new and not widely deployed.  Routers need not only
> to support it, but also have to be enabled to use it.  It is a fairly
> significant change to the way congestion control is currently done in
> the Internet and it will take some time before penetration occurs.

Well, you also need to find another "way" (or buffer, or slowdown) to 
send the traffic, which in a way also is a successful attack.


> to launch attacks.  Eventually it all boils down to a physical
> security problem.  Pricing models can be used to make it expensive

With physical security I would assume actual physical access to the 
system. Anything else to me is "logical" or "system" security. Correct?


- kurtis -
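The thread mentions "pushback" without spelling out what it does. The core idea (Mahajan, Bellovin, Floyd et al., aggregate-based congestion control) is that a congested router looks at the destinations of the packets it has been dropping, identifies the "aggregate" (e.g. a destination prefix) responsible for most of the drops, and rate-limits that aggregate; the request to limit it is then pushed to upstream routers. The following is an added toy model of the local step only (no upstream propagation), written for this archive page and not code from any of the posters or from a real pushback implementation. Addresses, packet rates, bucket sizes and the drop history are all constructed sample data; the point it shows is the one Kurt makes above: legitimate traffic to the attacked prefix is throttled together with the attack, while traffic to other prefixes is untouched.

```python
"""Toy model of aggregate-based congestion control ("pushback"), local step only.

Constructed example for illustration; addresses are documentation ranges
(RFC 5737) and all traffic numbers are made up.
"""
from collections import Counter
import ipaddress


def aggregate_of(dst, prefix_len=24):
    """Map a destination address to its aggregate (here: a /24 prefix)."""
    return str(ipaddress.ip_network(f"{dst}/{prefix_len}", strict=False))


def find_high_bandwidth_aggregates(drop_samples, prefix_len=24, share_threshold=0.5):
    """Given destination addresses of recently dropped packets (e.g. from RED
    drop history), return the aggregates responsible for at least
    share_threshold of the drops, as (aggregate, share) pairs, largest first."""
    counts = Counter(aggregate_of(d, prefix_len) for d in drop_samples)
    total = sum(counts.values())
    if total == 0:
        return []
    return [(agg, n / total) for agg, n in counts.most_common()
            if n / total >= share_threshold]


def rate_limit_aggregate(packets, aggregate, limit_pps, burst, prefix_len=24):
    """Token-bucket rate limit applied to one aggregate only.

    packets: list of dicts with keys "t" (seconds), "dst", "kind"; "kind" is
    a label used for reporting and is ignored by the limiter itself.
    Returns (forwarded, dropped)."""
    tokens = float(burst)
    last_t = packets[0]["t"] if packets else 0.0
    forwarded, dropped = [], []
    for p in sorted(packets, key=lambda p: p["t"]):  # stable sort: ties keep order
        if aggregate_of(p["dst"], prefix_len) != aggregate:
            forwarded.append(p)  # other aggregates are not limited at all
            continue
        tokens = min(float(burst), tokens + (p["t"] - last_t) * limit_pps)
        last_t = p["t"]
        if tokens >= 1.0:
            tokens -= 1.0
            forwarded.append(p)
        else:
            dropped.append(p)
    return forwarded, dropped


def summarize(forwarded, dropped):
    """Per-kind counts of forwarded and dropped packets."""
    out = {}
    for p in forwarded:
        out.setdefault(p["kind"], {"forwarded": 0, "dropped": 0})["forwarded"] += 1
    for p in dropped:
        out.setdefault(p["kind"], {"forwarded": 0, "dropped": 0})["dropped"] += 1
    return out


def build_sample_traffic():
    """Constructed one-second trace: a 900 pps flood at one host in
    203.0.113.0/24, 100 pps of legitimate traffic to another host in the
    same /24, and 100 pps of legitimate traffic to an unrelated /24."""
    pkts = []
    pkts += [{"t": i / 900, "dst": "203.0.113.10", "kind": "attack"} for i in range(900)]
    pkts += [{"t": i / 100, "dst": "203.0.113.20", "kind": "legit_same_aggregate"} for i in range(100)]
    pkts += [{"t": i / 100, "dst": "198.51.100.5", "kind": "legit_other_aggregate"} for i in range(100)]
    return sorted(pkts, key=lambda p: p["t"])


# Constructed drop history as a congested router might have recorded it.
SAMPLE_DROPS = ["203.0.113.10"] * 40 + ["203.0.113.20"] * 5 + ["198.51.100.5"] * 3


def run_demo(limit_pps=200, burst=20):
    """Identify the offending aggregate from the drop history, rate-limit it,
    and report who got through. Returns the per-kind summary."""
    aggregates = find_high_bandwidth_aggregates(SAMPLE_DROPS)
    target = aggregates[0][0]
    forwarded, dropped = rate_limit_aggregate(build_sample_traffic(), target, limit_pps, burst)
    return summarize(forwarded, dropped)


if __name__ == "__main__":
    print("high-bandwidth aggregates:", find_high_bandwidth_aggregates(SAMPLE_DROPS))
    for kind, counts in run_demo().items():
        print(f"{kind:24s} forwarded={counts['forwarded']:4d} dropped={counts['dropped']:4d}")
```

Running it shows the trade-off discussed in the thread: the unrelated /24 loses nothing, the attacked /24 is held to roughly the configured limit, and the legitimate customer inside that /24 loses most of its packets because the limiter cannot tell it apart from the flood. Real pushback then asks upstream routers to apply the same limit closer to the sources, which spreads the cost but does not remove it.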