[Dshield] IP Spoofing-Impact on DDoS defenses

Jon R. Kibler Jon.Kibler at aset.com
Thu Feb 16 18:40:49 GMT 2006

Fergie wrote:
> Yes -- it's called RFC2827/BCP38:
>  http://www.rfc-editor.org/rfc/rfc2827.txt

If you check the archives of this group, I have been saying for many years that all ISPs should do ingress filtering (like that specified in the RFC) and egress filtering. However, clearly few do. 

Just checking our daily router logs, we find that 20% to 35% or more of the ICMP and UDP traffic we block each day comes from spoofed source IPs in either private address space or from unallocated netblocks. Clearly, no useful filtering is going on anywhere on the net.

Many network admins still deploy VERY lame networks. You can still find hundreds of B-class smurf amplifier networks listed on the Internet. How hard is it to block directed ICMP and UDP broadcasts inbound from the outside?

Running W2K Serv or W2K3? I bet that you have UDP ECHO and UDP CHARGEN ports open. That leaves your internal network easily open to fraggle and fraggle2 attacks. These ports can be exploited from the outside too.

Microsoft claimed to 'cure' the spoofed IP problem in XP/SP2. It took less than a month for attack tools to completely bypass the Windows IP Stack and insert attack frames directly onto the net.

Spoofed IPs are also becoming less of a DDoS tool in the past year or so. Why? Because there are so many millions of compromised systems, attackers no longer care if they lose a few thousand systems, so they don't bother using forged IP attacks.

Probably the best defense for DDoS attacks is the use of committed access rate filtering. The further upstream such filtering is implemented, the lower the chance of an attack succeeding. For example, if an ISP had a DS3 pipe, its upstream provider should rate limit data to the pipe to something less than 36Mbps.

Why don't ISPs implement ingress, egress, or rate filtering? It takes manpower to implement and maintain. It takes router resources to do the filtering. Another reason you could call "political": "Why should we do something that consumes our resources but primarily benefits someone else, most likely a competitor?"

Some experts claim that "If everyone moved to IPv6, DDoS would cease to be a problem." I disagree. Whereas IPv6 would fix many current protocol-based attacks (syn flood, fragmentation, land, teardrop, etc.), it would not prevent resource starvation (bandwidth flood, request flood, etc.) types of attacks. 

Someone, I think it was Bruce Schneier, recommended that we start treating Internet "pollution" (such as DDoS attacks) the same way we treat air and water pollution -- make the upstream providers that introduce the pollution onto the net responsible for their garbage and fine them should they not clean up their act.

The unfortunate fact is that there is no viable DDoS 'fix' today, and the chances of finding one soon are doubtful. Meanwhile, aggressive filtering may help reduce the impact of an attack, but it will not stop it.

Jon Kibler
Jon R. Kibler
Chief Technical Officer
A.S.E.T., Inc.
Charleston, SC  USA
(843) 849-8214
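The RFC 2827 / BCP 38 source check and the log review described in the post above, as an added example (not code from the original message or from any ISP's filter): a small Python script that classifies a packet's source address as bogon, outside the customer's allocation, or consistent with it, and then runs that classification over a few constructed router log lines to count how many blocked ICMP/UDP entries came from spoofed private-space sources. The bogon list, the customer prefix 203.0.113.0/24 and the log lines are all assumptions constructed for the example.

```python
import ipaddress
import re
from collections import Counter

# Private (RFC 1918) and reserved ranges that should never be a source address
# on a packet arriving from the public Internet. Constructed for this example;
# a production list would be built from the current IANA allocations.
BOGON_PREFIXES = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
)]

# Hypothetical prefix assigned to one downstream customer.
CUSTOMER_PREFIXES = [ipaddress.ip_network("203.0.113.0/24")]


def classify_source(src, allowed_prefixes=None):
    """Decide how an RFC 2827 style filter would treat a packet from src.

    'bogon'              source in private/reserved space; drop in any direction
    'outside-allocation' source not in the prefixes assigned to this customer
                         (ingress check at the ISP edge, egress check at the
                         customer edge); only evaluated if prefixes are given
    'ok'                 source is consistent with the allocation
    """
    addr = ipaddress.ip_address(src)
    if any(addr in net for net in BOGON_PREFIXES):
        return "bogon"
    if allowed_prefixes and not any(addr in net for net in allowed_prefixes):
        return "outside-allocation"
    return "ok"


# Constructed log lines, loosely modelled on IOS ACL deny messages.
SAMPLE_LOG = """\
%SEC-6-IPACCESSLOGP: list 101 denied udp 10.1.2.3(1234) -> 203.0.113.5(53), 1 packet
%SEC-6-IPACCESSLOGP: list 101 denied udp 198.51.100.7(40000) -> 203.0.113.5(19), 1 packet
%SEC-6-IPACCESSLOGP: list 101 denied udp 192.168.5.9(7) -> 203.0.113.255(7), 3 packets
%SEC-6-IPACCESSLOGDP: list 101 denied icmp 198.51.100.22 -> 203.0.113.255 (8/0), 1 packet
"""
DENY_RE = re.compile(r"denied (\w+) ([\d.]+)(?:\(\d+\))? -> ([\d.]+)")


def spoofed_share(log_text):
    """Count blocked ICMP/UDP log entries by source classification."""
    counts = Counter()
    for m in DENY_RE.finditer(log_text):
        proto, src, _dst = m.groups()
        if proto in ("udp", "icmp"):
            counts[classify_source(src)] += 1
    return counts
```

On the four constructed lines, `spoofed_share(SAMPLE_LOG)` reports two bogon-sourced entries out of four, the kind of ratio the post describes seeing in daily logs; pass `CUSTOMER_PREFIXES` to `classify_source` to get the allocation check an ISP would apply on the customer-facing interface.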
