Stephen Kent wrote:
I'll suggest one course of action, but I keep emphasizing the issue
is not one of alternates, but of recognizing the limitations of
proposals now on the table and considering approaches that may work
irrespective of whether everyone performs filtering.
I am willing to write a document on the means of packet filtering and
how rules should work for different configurations and environments.
Such configurations should be very well thought and I think an official
Internet draft should be written to advice many networks and common
people on what attacks regard/not their Internet access, should they be
providers, common people browsing/surfing and so on.
With regard to a wide range of DoS or DDoS attacks, it seems quite
feasible to monitor traffic to the web site to detect such attacks
irrespective of whether source addresses are spoofed or not.
Source-routed packets from untrusted hosts, as many of us know, have to
be dropped/ignored. I do not know if there is another kind of attack
regarding the forging of IP headers, as I didn't study ( :( ) the TCP/IP
RFCs.
(this differs from IDS for broader attacks, where the recognition problem
is much harder and the false negative rate is on the order of 20%.)
Such monitoring can be done by a web hosting facility through purely
passive monitoring, so as not to adversely affect the performance of
the network used by a web hosting site. Once an attack is detected,
one can trigger a semi-automated response. If one believes that the
source addresses are not spoofed, then one can use this to direct
filtering to selected ingress points, but the filtering can now be
very focused, based o the characteristics of the detected DoS
traffic. If one believes that source addressed might be spoofed, then
one needs to activate the selective filtering on a much wider range
of ingress points. Since the true sources may be outside of the
ISP's sphere of control, filtering at connections to other ISPs may
be required in either case.
In this case, I would suggest route and interface changing in an
automatic fashion like OSPF would do (but under attacks) (correct me if
I am wrong). DoS is very dangerous on bandwidth-limited sites that
cannot choose between different routers/gateways. The interface just
gets flooded and in some cases normal traffic disappears and one must
simply disable the interface until the attack ceases.
If the response is rapid enough, the attack may not have significant
impact, which reduces the attraction of mounting such an attack in
the first place. One can begin disabling the filters once the
offending traffic flows have diminished, which provides another means
of determining the sources of traffic, as others have noted in
previous published work on this topic.
An advantage of this style of approach is that while it can be even
more effective if source address filtering is widespread, it also
would work if such filtering is not completely effective, which is
the sort of self-defense approach I prefer It supports what the
security community refers to as the Principle of Least Privilege.
As attacks can come from much different sources, if a backbone can at
least log, if not ignore, strangely high traffic from a unique site (but
it cannot, again, prevent DDoS), we should at least diminish the risks
of suffering an attack.
Cesar