Real-Time Mitigation of Denial of Service Attacks Now Available With AT&T

Danny McPherson danny at tcb.net
Wed Jun 2 17:39:39 UTC 2004



On Jun 2, 2004, at 10:56 AM, Richard A Steenbergen wrote:

> What people may be seeing is that poorly randomized source attacks are
> being automatically filtered by uRPF loose or other means before they ever
> reach the target. I keep track of my network border filter counters, and
> believe me spoofed attacks are not going out of style,

How do you discriminate *DDOS attacks employing source address spoofing*
from broken NATs, rampant worms, PMTU and other related misconfiguration
resulting in backscatter and similar garbage - with filter counters?  Given,
tactically deployed filters in order to mitigate a specific attack to a
particular destination would likely glean some value WRT the validity of the
source distribution for a given attack, but not generally deployed filters
for any destination.

And exactly what represents "spoofed" by your definition?  Note again that
I explicitly called out **DDOS attacks employing source address spoofing**,
which is non-inclusive of spoofing in general employed by worms and the
like, or common misconfigurations and brokenness that results in the slew
of random garbage floating about.

>  especially from foreign and certain smaller networks.

I'd be extremely interested in any empirical evidence you have to support
this, and in better understanding exactly how you determined "foreign and
certain smaller networks" were indeed the source of many of these spoofed
packets.

> As a customer of someone who does this kind of filtering and maintains
> sufficient border capacity, you may never see the gigabits of src bogons,
> protocol 0 or 255, port 0, 40 byte syns w/no MSS option, etc, and assume
> that these attacks are out of style because the only ones that get through
> are the WinXP MSS+SACK unforged drone SYNs.

I agree, if it's filtered before someone observes it, it won't be
observed :-)

However, distinguishing between coordinated DDOS attacks that employ source
address spoofing and "run of the mill" spoofing (by worms and the like) or
simple misconfiguration of some sort resulting in "backscatter" is key.

-danny
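As an added example (not code from either poster), the "obviously forged" checks Richard lists (src bogons, protocol 0 or 255, port 0, a 40-byte SYN with no MSS option) written as a classifier over constructed IPv4 packets, next to a WinXP-style MSS+SACK SYN on which none of them fire. The bogon list, function names and sample addresses are assumptions for illustration; note that, as Danny argues, a clean result here says nothing about whether the remaining SYNs belong to a coordinated spoofed attack, a worm, or backscatter.

```python
import ipaddress
import struct

BOGONS = [ipaddress.ip_network(n) for n in ("0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "192.168.0.0/16")]  # constructed, short list

def _has_tcp_option(opts: bytes, kind: int) -> bool:
    """Walk TCP options: EOL (0) ends the list, NOP (1) is one byte, all others carry a length byte."""
    i = 0
    while i < len(opts) and opts[i] != 0:
        if opts[i] == kind:
            return True
        if opts[i] == 1:
            i += 1
        elif i + 1 < len(opts):
            i += max(opts[i + 1], 2)  # length covers kind+len bytes; guard against a zero length
        else:
            break
    return False

def forged_indicators(packet: bytes) -> list[str]:
    """Cheap 'obviously forged' signs an IPv4 packet matches; an empty list means none fired."""
    ihl, total_len, proto = (packet[0] & 0x0F) * 4, struct.unpack("!H", packet[2:4])[0], packet[9]
    src = ipaddress.ip_address(packet[12:16])
    reasons = []
    if any(src in net for net in BOGONS):
        reasons.append("src bogon")
    if proto in (0, 255):
        reasons.append(f"protocol {proto}")
    if proto in (6, 17) and len(packet) >= ihl + 4 and 0 in struct.unpack("!HH", packet[ihl:ihl + 4]):
        reasons.append("port 0")
    if proto == 6 and len(packet) >= ihl + 20:
        tcp = packet[ihl:]
        doff = (tcp[12] >> 4) * 4
        syn_only = (tcp[13] & 0x12) == 0x02  # SYN set, ACK clear
        if syn_only and total_len == 40 and not _has_tcp_option(tcp[20:doff], 2):
            reasons.append("40 byte SYN w/no MSS")
    return reasons

def build_ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Constructed sample: IPv4 header (checksum left zero, never sent) followed by payload."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                       ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed) + payload

def build_syn(src: str, dst: str, sport: int, dport: int, options: bytes = b"") -> bytes:
    """Constructed sample TCP SYN (seq/ack/checksum zero) with options padded to a 4-byte boundary."""
    opts = options + b"\x00" * (-len(options) % 4)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, (5 + len(opts) // 4) << 4, 0x02, 65535, 0, 0)
    return build_ipv4(src, dst, 6, tcp + opts)

XP_OPTS = bytes([2, 4, 0x05, 0xB4, 1, 1, 4, 2])  # MSS 1460, NOP, NOP, SACK-permitted: the "unforged drone" shape
```

`forged_indicators(build_syn("10.1.2.3", "192.0.2.10", 1234, 80))` reports both the bogon source and the bare 40-byte SYN, while the same call with a non-bogon source and `XP_OPTS` returns an empty list.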