Real-Time Mitigation of Denial of Service Attacks Now Available With AT&T
Danny McPherson
danny at tcb.net
Wed Jun 2 17:39:39 UTC 2004
On Jun 2, 2004, at 10:56 AM, Richard A Steenbergen wrote:
> What people may being seeing is that poorly randomized source attacks
> are
> being automatically filtered by uRPF loose or other means before they
> ever
> reach the target. I keep track of my network border filter counters,
> and
> believe me spoofed attacks are not going out of style,
How do you discriminate *DDOS attacks employing source address spoofing*
from broken NATs, rampant worms, PMTU and other related misconfiguration
resulting in backscatter and similar garbage - with filter counters?
Given,
tactically deployed filters in order to mitigate a specific attack to a
particular
destination would likely glean some value WRT the validity of the source
distribution for a given attack, but not generally deployed filters for
any
destination.
And exactly what represents "spoofed" by your definition? Note again
that
I explicitly called out **DDOS attacks employing source address
spoofing**,
which is non-inclusive of spoofing in general employed by worms and the
like, or common misconfigurations and brokenness that results in the
slew
of random garbage floating about.
> especially from foreign and certain smaller networks.
I'd be extremely interested in any empirical evidence you have to
support
this, and in better understanding exactly how you determined "foreign
and
certain smaller networks" were indeed the source of many of these
spoofed
packets.
> As a customer of someone who does this kind of filtering and maintains
> sufficient border capacity, you may never see the gigabits of src
> bogons,
> protocol 0 or 255, port 0, 40 byte syns w/no MSS option, etc, and
> assume
> that these attacks are out of style because the only ones that get
> through
> are the WinXP MSS+SACK unforged drone SYNs.
I agree, if it's filtered before someone observes it, it won't be
observed :-)
However, distinguishing between coordinated DDOS attacks that employ
source
address spoofing and "run of the mill" spoofing (by worms and the like)
or
simple misconfiguration of some sort resulting in "backscatter" is key.
-danny
More information about the NANOG
mailing list