From: william(at)elan.net [mailto:william(_at_)elan(_dot_)net]
> > The only solution to this sort of thing is going to be to find a way
> > of suppressing DDoS type traffic, in particular spoofed source address
> > packets. This is not very hard for ISPs to do; if a machine is
> > generating reams of spoofed source address data then it has been
> > botted and should be either refused service or moved to an
> > isolation network.
>
> You're obviously not an operations guy when you say it's easy.

Compared to the problem of dealing with spoofed source address traffic
at the other end it is easy.

> The spoofing issue is nothing new (it's decades old), but it
> obviously has not been solved. There are some applications
> and sites that depend on being able to have their upstreams
> accept packets from non-local nets (I can find and direct you
> to nanog posts that described that).

There are people who think they need to do such things; such people tend
to be wrong with remarkable frequency.

There is no excuse for a residential broadband ISP not performing source
address filtering on the traffic coming off the cable or ADSL hookup,
NONE.

Combining network and Internetwork functions is bad security policy and
probably bad network ops. It is certainly legit for a subscriber to have
multiple connections to the Internet. That does not mean that they
either need or want the ability to route general traffic.

> Note that this arises as an issue only for ICMP and some UDP
> protocols.
>
> With TCP this is not as much a problem because full TCP
> communication would require establishing a session, which
> requires the source to confirm the sequence # sent by the
> destination SYN (read about the 3-packet handshake, if you do not
> know).

You should practice being patronizing more often.

Actually there are people who do TCP spoofing, as you are probably aware
from the spam world. This is used to send large volumes of spam 'from'
hijacked dialup machines. The dialup machine only does the SYN part of
the protocol; the bulk of the data is sent from a hijacked broadband
machine.

> As of this year miscreants switched to using DNS servers as

They are professional criminals, not miscreants.

> However as I'm pointing out the recursive DNS servers are only
> one way to do it, which derives from the ability to poison them
> and then cause them to reply with a large response (so as to
> use them for amplification). If a DNS server is not recursive,
> but has a very large DNS record, it can also be used for
> amplification (slightly worse amplification factor of 1:20).
>
> The smart way to avoid this becoming an issue is to either
> use TCP or to use a UDP protocol with fixed and fairly small
> response packets.

It is not our job to fix the core DNS protocol.

The amplifier attack you describe will worst case cause a doubling in
the data volume, and that only if the attack machine is directing traffic
through multiple DNS servers at one time.

This is not a big enough effect to be concerned with.
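The source address filtering the message says a residential ISP should apply on the cable or ADSL hookup, as an added example that is not part of this list thread and not any ISP's or vendor's code: a small Python model of a per-port ingress filter that drops packets whose source address is not within the prefixes assigned to the subscriber on that access port. The subscriber table, port names and sample packets are constructed for illustration. The multi-homed case raised above (a subscriber with more than one connection) is handled by listing every prefix assigned to that subscriber against the port, so legitimate traffic from a second prefix is accepted while traffic claiming a neighbour's prefix is still dropped.

```python
"""Added example: per-subscriber ingress (source address) filtering.

This models the check an access router would apply to packets arriving
from a customer port. It is illustrative code, not taken from the list
thread or from any ISP. All tables and packets below are constructed.
"""
import ipaddress
from collections import Counter

# Constructed subscriber table: access port -> prefixes assigned to the
# subscriber on that port. A multi-homed subscriber may legitimately
# source packets from more than one prefix, so a port maps to a list.
SUBSCRIBER_PREFIXES = {
    "cable-port-1": ["198.51.100.0/29"],
    "cable-port-2": ["203.0.113.128/30", "2001:db8:1::/64"],
}


def build_filter(table):
    """Parse the prefix strings once so per-packet checks are cheap.

    strict=True rejects prefixes with host bits set, which would be a
    configuration error rather than a subscriber assignment.
    """
    compiled = {}
    for port, prefixes in table.items():
        compiled[port] = [ipaddress.ip_network(p, strict=True) for p in prefixes]
    return compiled


def ingress_decision(compiled, port, src):
    """Return ("accept" | "drop", reason) for a packet from `port` with source `src`.

    Packets from a port with no assignment are dropped: an unknown port
    has no legitimate source prefix, so nothing it sends can be verified.
    """
    nets = compiled.get(port)
    if nets is None:
        return "drop", "unknown port"
    addr = ipaddress.ip_address(src)
    for net in nets:
        # The version check is explicit for readability; an IPv6 address
        # is never inside an IPv4 network in any case.
        if addr.version == net.version and addr in net:
            return "accept", "source in %s" % net
    return "drop", "source not in subscriber prefixes"


# Constructed sample packets: (access port, source address, protocol/port).
SAMPLE_PACKETS = [
    ("cable-port-1", "198.51.100.3", "udp/53"),     # legitimate
    ("cable-port-1", "192.0.2.77", "udp/53"),       # spoofed, foreign prefix
    ("cable-port-2", "203.0.113.130", "icmp"),      # legitimate
    ("cable-port-2", "2001:db8:1::42", "tcp/80"),   # legitimate, second prefix
    ("cable-port-2", "198.51.100.3", "udp/53"),     # spoofing a neighbour's prefix
    ("cable-port-9", "203.0.113.130", "udp/53"),    # port with no assignment
]


def filter_packets(compiled, packets):
    """Split packets into accepted and dropped lists, each entry carrying its reason."""
    accepted, dropped = [], []
    for port, src, proto in packets:
        verdict, reason = ingress_decision(compiled, port, src)
        bucket = accepted if verdict == "accept" else dropped
        bucket.append((port, src, proto, reason))
    return accepted, dropped


def summarize(packets=SAMPLE_PACKETS, table=SUBSCRIBER_PREFIXES):
    """Run the filter over a packet list and return counts plus drop reasons."""
    compiled = build_filter(table)
    accepted, dropped = filter_packets(compiled, packets)
    return {
        "accepted": len(accepted),
        "dropped": len(dropped),
        "drop_reasons": Counter(reason for *_, reason in dropped),
    }


if __name__ == "__main__":
    compiled = build_filter(SUBSCRIBER_PREFIXES)
    for port, src, proto, reason in sum(filter_packets(compiled, SAMPLE_PACKETS), []):
        print("%-13s %-16s %-7s %s" % (port, src, proto, reason))
    print(summarize())
```

Running the module prints one line per sample packet with the verdict reason; three packets are accepted and three dropped. The point the thread makes is visible in the last two drops: the spoofed packet is rejected at the hookup, where the access router knows which prefixes belong to the port, rather than at the victim's end, where no such information exists.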
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html