
Re: Internet SYN Flooding, spoofing attacks

2000-02-16 14:20:02
Dan,

I'll suggest one course of action, but I keep emphasizing the issue is not one of alternates, but of recognizing the limitations of proposals now on the table and considering approaches that may work irrespective of whether everyone performs filtering.

With regard to a wide range of DoS or DDoS attacks, it seems quite feasible to monitor traffic to the web site to detect such attacks irrespective of whether source addresses are spoofed or not. (This differs from IDS for broader attacks, where the recognition problem is much harder and the false negative rate is on the order of 20%.) Such monitoring can be done by a web hosting facility through purely passive monitoring, so as not to adversely affect the performance of the network used by a web hosting site. Once an attack is detected, one can trigger a semi-automated response. If one believes that the source addresses are not spoofed, then one can use this to direct filtering to selected ingress points, but the filtering can now be very focused, based on the characteristics of the detected DoS traffic. If one believes that source addresses might be spoofed, then one needs to activate the selective filtering on a much wider range of ingress points. Since the true sources may be outside of the ISP's sphere of control, filtering at connections to other ISPs may be required in either case.

If the response is rapid enough, the attack may not have significant impact, which reduces the attraction of mounting such an attack in the first place. One can begin disabling the filters once the offending traffic flows have diminished, which provides another means of determining the sources of traffic, as others have noted in previous published work on this topic.

An advantage of this style of approach is that while it can be even more effective if source address filtering is widespread, it also would work if such filtering is not completely effective, which is the sort of self-defense approach I prefer. It supports what the security community refers to as the Principle of Least Privilege.

Steve
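The detect-then-filter loop sketched in the message above, written out as an added example; this is not code from the original post or from anyone in the IETF thread. It runs a passive SYN-flood detector over constructed TCP flow records (a short legitimate baseline followed by a burst of never-completing SYNs, all in documentation address ranges) and then turns the alert into a filter scoped the way the post describes: narrowly on the observed sources if their addresses are believed genuine, or as a SYN rate limit on the victim tuple at every ingress point, peering links included, if they might be spoofed. The record format, the thresholds (20 SYN/s, 80% unanswered) and the "twice baseline" rate limit are assumptions for illustration, not anything the post specifies.

```python
"""Passive SYN-flood detection with a scoped filter recommendation (illustrative only)."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Record:
    """One passively observed TCP segment. Flags are simplified to
    "S" (client SYN), "SA" (server SYN/ACK) and "A" (client ACK)."""
    t: float
    src: str
    dst: str
    dport: int
    flags: str


def build_sample():
    """Constructed traffic, not a capture: 20 clients that complete the handshake
    over the first 10 s, then 600 SYNs in 10 s from cycling sources that never ACK."""
    recs = []
    for i in range(20):
        t, src = i * 0.5, f"198.51.100.{i + 1}"
        recs.append(Record(t, src, "192.0.2.10", 80, "S"))
        recs.append(Record(t + 0.05, src, "192.0.2.10", 80, "A"))
    for i in range(600):
        t, src = 10 + i / 60.0, f"203.0.113.{(i * 7) % 254 + 1}"  # 60 SYN/s, 254 distinct sources
        recs.append(Record(t, src, "192.0.2.10", 80, "S"))
    return sorted(recs, key=lambda r: r.t)


def window_stats(records, start, length):
    """Per (dst, dport) in [start, start+length): SYN count, distinct sources,
    and how many of those sources were later seen ACKing, i.e. completed a handshake."""
    syn, srcs, acked = defaultdict(int), defaultdict(set), defaultdict(set)
    for r in records:
        if not (start <= r.t < start + length):
            continue
        key = (r.dst, r.dport)
        if r.flags == "S":
            syn[key] += 1
            srcs[key].add(r.src)
        elif r.flags == "A":
            acked[key].add(r.src)
    return {k: {"syns": syn[k], "sources": srcs[k], "completed": len(srcs[k] & acked[k])}
            for k in syn}


def detect(records, window=10.0, min_syn_rate=20.0, min_unanswered=0.8):
    """Raise an alert for any destination tuple whose SYN rate is high AND whose
    SYNs mostly go unanswered. Spoofed or not, a flood shows up this way because the
    monitor sees the victim's side of the exchange, not the attacker's identity."""
    alerts = []
    if not records:
        return alerts
    start, t_end = records[0].t, records[-1].t
    while start <= t_end:
        for (dst, dport), s in window_stats(records, start, window).items():
            rate = s["syns"] / window
            unanswered = 1 - s["completed"] / s["syns"]
            if rate >= min_syn_rate and unanswered >= min_unanswered:
                alerts.append({"window_start": start, "dst": dst, "dport": dport,
                               "syn_rate": rate, "unanswered_frac": unanswered,
                               "sources": sorted(s["sources"])})
        start += window
    return alerts


def recommend_filter(alert, sources_trusted, baseline_syn_rate):
    """Scope the response as the post argues: focused source filtering when the
    addresses are believed real; otherwise a SYN rate limit on the victim tuple at
    every ingress point (including links to other ISPs), since the true origins are unknown."""
    match = {"dst": alert["dst"], "dport": alert["dport"], "flags": "SYN"}
    if sources_trusted:
        return {"scope": "ingress points serving the listed sources", "action": "drop",
                "match": {**match, "src": alert["sources"]}}
    # Assumed policy: allow up to twice the observed pre-attack SYN rate.
    return {"scope": "all ingress points, including peering links", "action": "rate-limit SYN",
            "match": match, "limit_per_s": max(1.0, 2 * baseline_syn_rate)}


if __name__ == "__main__":
    records = build_sample()
    for a in detect(records):
        print(f"alert: {a['dst']}:{a['dport']} {a['syn_rate']:.0f} SYN/s, "
              f"{a['unanswered_frac']:.0%} unanswered, {len(a['sources'])} sources")
        print(recommend_filter(a, sources_trusted=False, baseline_syn_rate=2.0))
```

Because the detector keys on the victim side (rate plus unanswered fraction) rather than on who is sending, it fires equally for the spoofed and the unspoofed case; only `recommend_filter` changes with that belief. In the spoofed case the 254 "sources" in the alert are useless as a filter list, which is exactly why the wider, tuple-based scope is needed there.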