
Re: Internet SYN Flooding, spoofing attacks

2000-02-24 15:20:02
Please excuse my incessant ramblings, but I am sure some of this makes sense. I am tired and this email proves it..... Most of this is in the context of DDoS.

Obviously the very nature of the distributed attack makes it difficult to protect against. Employing packet chokes, or CAR at some border router, is at best reactive and must be carefully monitored. Today's "farms" of servers make this possibility even less realistic, as the requirements of all the servers behind the said router must be taken into consideration. Clamping UDP to 10% of the total bandwidth may well be fine for most situations (web servers only doing name resolution, for example), but where one of those servers relies on UDP, that 10% would be quickly eradicated by "normal" traffic, disabling the functionality of this server. The same may be true (but far less likely) for ICMP.

Let's talk ICMP for a moment...... why do you want ICMP data from the internet anyway.... or, if you say you have some need, why can we not have one machine/device respond for all of the others?

Surely with the processing power of today we can develop devices to pass ICMP processing or "abnormal packet processing" off to another, less powerful processor, leaving the core tasks directed to the main processing unit. If the APPP (abnormal packet processing processor - oh my god) can serve no more requests or handle no more packets, HARD LUCK. The core functionality of the unit is still being met, and packets outside its traffic pattern are being redirected to the other processor, which, because it is overworked, is merely ignoring the packets.

As said, all of this is reactive... To my mind there are a number of proactive solutions, mostly impractical ones.. alas, we can dream. Packet choking implemented on the end systems such that, for example, once more than say 30% of traffic is ICMP it gets ignored (this still has the problem that the traffic is still being sent, but as bandwidth is used up, datagrams such as ICMP and UDP are the first to be dropped from the route). This would of course have its own overhead of continually analysing traffic in each end system.

An alternative is one that I do not like, as it destroys the essence of "you can do anything on the internet". This would be to distribute the defence effort..... begin looking for the signs of communication between the clients/masters and masters/daemons, but in reality, if this could be done then we would have already eradicated the common "rpc" issues that allow DDoS daemons to become established.

Oh well, life is like a box of sticky brown things that make you fat like me....but can apparently be good for the heart. G.