
Re: Internet SYN Flooding, spoofing attacks

2000-02-16 10:50:05
In message <v04220802b4d078236d2c@[171.78.30.107]>, 
Stephen Kent writes:
Eliot,

Some of the DoS attacks we saw last week were good, old-fashioned SYN 
floods.  Hosts do have a responsibility here, more than ISPs, since 
it is quite feasible to tie up a host's pool of TCBs with a small 
number of packets, even if the attack tool does not use spoofed 
source addresses (or if the spoofed addresses are from a legitimate 
pool allocated to a subscriber site).

Yes, though it isn't clear to me that most of those forged SYNs got through...

The point I have tried to make, unsuccessfully, is not that 
performing ingress filtering is bad, and thus should not be 
performed.  Rather, I am pointing out that it is a bad idea to rely 
on such filtering as a primary means of defense. There are several 
reasons for saying this:
      - not all ISPs will find it feasible to provide such filtering
      - not all ISPs are trusted to do the filtering (in the global Internet)
      - a number of DDoS attacks can be launched without using 
spoofed addresses outside of those "appropriate" to the subscriber 
site
      - some applications may legitimately make use of non-local 
addresses, as others have suggested


The problem here is that flooding attacks target the network, not the host.  
The host is thus not capable of mounting a defense -- it's not the victim, in 
some sense.

Conventional security methodology would say that the aggrieved party should do 
the authentication.  Of course, that's hard on the Internet -- in fact, we 
don't *want* people to have to authenticate themselves to the network elements 
in order to transmit.  (There are, of course, networks that do have such 
requirements.  The most common form is known as the telephone system.  I don't 
think we want to reinvent that.)  Filtering is a very coarse form of 
address-based authentication to the first outside hop; I don't see a better 
choice.

Perhaps the network can use beefed-up congestion control mechanisms to stop 
such floods.  I hope so, but it seems to be a research issue; I'd be surprised 
if such new mechanisms could be deployed sooner than 2002.  What do we do in 
the meantime?  (Trying to secure all of the myriad endpoints is even more 
hopeless than trying to get all ISPs to do proper filtering.)  Do you have any 
specific suggestions?  Seriously -- what do you recommend as a defense against 
flooding attacks?

                --Steve Bellovin
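The point argued above, as an added example that is not part of the thread: a BCP 38-style ingress filter at the subscriber's first outside hop beside a host-side half-open connection (TCB) counter, showing that SYNs forged from addresses inside the subscriber's own allocated pool pass the filter and only the host's own accounting notices the pressure. The pool prefix, the TCB budget and the packet records are constructed values.

```python
# Added example (not from the thread): ingress filtering as coarse
# address-based authentication, beside a host-side half-open (TCB) budget.
import ipaddress
from collections import Counter

SUBSCRIBER_POOL = ipaddress.ip_network("203.0.113.0/24")  # assumed subscriber prefix
TCB_BUDGET = 4  # assumed per-listener half-open limit, kept tiny for illustration

def ingress_filter(packets, pool=SUBSCRIBER_POOL):
    """BCP 38-style check at the subscriber's first outside hop: drop any packet
    whose source address lies outside the prefix allocated to the subscriber."""
    passed, dropped = [], []
    for pkt in packets:
        (passed if ipaddress.ip_address(pkt["src"]) in pool else dropped).append(pkt)
    return passed, dropped

def half_open_pressure(packets, budget=TCB_BUDGET):
    """Host-side view: count SYNs per (dst, dport) not matched by a later ACK,
    and report listeners whose TCB budget is exhausted."""
    syn_pending = Counter()
    for pkt in packets:
        key = (pkt["dst"], pkt["dport"])
        if pkt["flags"] == "S":
            syn_pending[key] += 1
        elif pkt["flags"] == "A" and syn_pending[key] > 0:
            syn_pending[key] -= 1
    return {k: n for k, n in syn_pending.items() if n >= budget}

# Constructed sample traffic: three SYNs forged from addresses outside the pool,
# six SYNs forged from inside the pool (never completed), one legitimate handshake.
SAMPLE = (
    [{"src": "198.51.100.%d" % i, "dst": "192.0.2.10", "dport": 80, "flags": "S"}
     for i in range(1, 4)]
    + [{"src": "203.0.113.%d" % i, "dst": "192.0.2.10", "dport": 80, "flags": "S"}
       for i in range(1, 7)]
    + [{"src": "203.0.113.50", "dst": "192.0.2.10", "dport": 443, "flags": "S"},
       {"src": "203.0.113.50", "dst": "192.0.2.10", "dport": 443, "flags": "A"}]
)

def run(packets=SAMPLE):
    """Apply the edge filter, then let the host account for what got through."""
    passed, dropped = ingress_filter(packets)
    return {"dropped_by_filter": len(dropped),
            "passed_filter": len(passed),
            "exhausted_listeners": half_open_pressure(passed)}

if __name__ == "__main__":
    print(run())  # the port-80 listener is exhausted by in-pool SYNs the filter let through
```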