
Re: Internet SYN Flooding, spoofing attacks

2000-02-15 10:00:03
On Mon, 14 Feb 2000 16:04:28 PST, Phil Karn said:
> Source address ingress filtering is one of those ideas that seems like
> a good one when you first think about it, but it just doesn't pan out.
> It interferes with some perfectly legitimate activities, it doesn't
> really stop the bad guys, and it deflects attention away from the real
> solutions.

Well.. as soon as somebody presents us with "the real solution", we'll start
implementing.  In the meantime, filtering is the best we know how to do.

> In the case of MS-DOS (Multiple Source-Denial of Service) attacks like
> the ones we saw last week, we need to deploy better inter-router
> mechanisms to deal with congestion by moving the packet drop points as
> far upstream as possible toward the senders. And if these mechanisms
> can work for deliberate flooding attacks, they'll also deal with
> non-deliberate congestion.

The problem here is that there is often a limit to how far away you
can move the detection.  In the case of multiple sources, it's
*probable* that the inbound packets will arrive on as many as 5 to 20
different links, and not get aggregated onto one path until the
last-hop link to the victim's site.

And if you have 20 inbound links into a routing swamp, each one will
only see a 5% fluctuation in load in order to cause a 100% congestion
on the victim link.  If you move the detection 2 hops out, you may be
trying to spot a 1% ripple in the traffic, if there's 100 different
paths that far out.

The more hops you try to move the detection away, the smaller the
"ripple" you need to be able to detect *without a high rate of false
positives*.

There's another issue, in that if you're trying to do this 2-3 hops
out, you will need *secure* *low-bandwidth* communications regarding
who is talking to whom, at what rates.  And you get transitivity
problems - some of our border routers are 3 hops from a vBNS gateway,
and therefore would need to talk to them, plus are 3 hops from other
routers that are probably NOT going to want the vBNS information.  So
you end up with an ugly mess of many overlapping "circles" containing
different subsets of routers.  This gets you into key management
issues, and the like....

I'm sure there are other issues that need to be solved as well; these are
just the first few problems that come to mind...

-- 
                                Valdis Kletnieks
                                Operating Systems Analyst
                                Virginia Tech

P.S.  Please note that MS-DOS is the trademark of a *SINGLE*-source vendor
of denial of service ;)
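The dilution argument in the reply above (20 links each seeing a 5% ripple, 100 paths each seeing 1%), worked through as an added example that is not part of the thread: a small Python model of a per-link threshold detector. It assumes, as constructed inputs, that attack traffic spreads evenly over the upstream paths, that every link has the victim link's capacity, and that normal utilisation wobble is zero-mean Gaussian noise; the function and parameter names are the example's own.

```python
from statistics import NormalDist


def per_link_ripple(attack_load, paths):
    """Extra load one upstream link sees when an attack that fills
    `attack_load` of the victim link (1.0 = 100%) is spread evenly over
    `paths` links of equal capacity (assumption: even split, equal links)."""
    return attack_load / paths


def threshold_for_fp(noise_sd, fp_rate):
    """Utilisation increase a threshold detector must demand so that normal
    fluctuations (assumed zero-mean Gaussian, sd = noise_sd) trip it only
    fp_rate of the time per measurement interval."""
    return NormalDist(0.0, noise_sd).inv_cdf(1.0 - fp_rate)


def detection_prob(ripple, threshold, noise_sd):
    """Probability that an attack ripple plus normal noise exceeds threshold."""
    return 1.0 - NormalDist(ripple, noise_sd).cdf(threshold)


def detection_by_hop(paths_per_hop, attack_load=1.0, noise_sd=0.02, fp_rate=0.01):
    """Return [(hop, per_link_ripple, p_detect), ...] for each hop out from
    the victim. paths_per_hop[i] is the number of distinct upstream links
    i+1 hops out. The threshold is fixed once by the false-positive budget,
    so only the ripple shrinks as the attack is spread thinner."""
    threshold = threshold_for_fp(noise_sd, fp_rate)
    rows = []
    for hop, paths in enumerate(paths_per_hop, start=1):
        ripple = per_link_ripple(attack_load, paths)
        rows.append((hop, ripple, detection_prob(ripple, threshold, noise_sd)))
    return rows


if __name__ == "__main__":
    # Constructed scenario matching the post: 20 inbound links one hop out,
    # 100 distinct paths two hops out, 2% normal load wobble, 1% FP budget.
    for hop, ripple, p in detection_by_hop([20, 100]):
        print(f"hop {hop}: per-link ripple {ripple:.1%}, "
              f"P(detect) {p:.0%} at a 1% false-positive rate")
```

With these inputs the one-hop detector catches the 5% ripple only a bit better than a coin flip, and the two-hop detector catches the 1% ripple about 3% of the time; lowering its threshold to catch more would raise the false-positive rate on every one of those 100 links.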