Merit Network

Discussion Communities: Merit Network Email List Archives

North American Network Operators Group


RE: dsl providers that will route /24

  • From: David Schwartz
  • Date: Thu Mar 29 17:45:43 2001

> That's all well and good if you are going to have someone monitor the logs
> of these packets 24x7, but if you have a customer get hacked and start
> spewing shitloads of spoofed sourced packets at various networks (Insert
> your favorite DDOS Drone here), then the damage is high, immediate, and
> done by the time you notice it in most cases.
> Jason

	They could do almost exactly the same amount of damage with an unspoofed
UDP flood and it would still take a human action to stop it. The attack can
still hop from victim to victim until the problem is stopped at its source.
The problem still won't get stopped at its source until someone with the
ability to stop it is summoned and alerted to the problem.

	Odds are, an attacker will use spoofed packets if he can. Potentially
spoofed packets will trigger an investigation on my network. An unspoofed
UDP flood probably won't (especially if it hops from victim to victim).

	So if the attacker uses spoofed packets, he may get cut off at the source
(and the problem actually solved) sooner. On the other hand, unspoofed
packets will probably trigger a call to the administration of the source
network faster. Of course, you don't know that the attack is unspoofed, so you
really can't be sure what the source is.

	The important thing to realize is that neither of these situations is
ideal. That is, filters don't solve the problem. We need to acknowledge that
we have a problem and don't have a solution to it. Only then will the
problem be analyzed, solutions proposed, and implemented.

	One possibility is a hop-by-hop reverse tracing protocol. Another
possibility is some form of source authentication. For unspoofed floods, the
solution may be a way to 'push' a filter up a chain of routers.

	I don't know, I'm not smart enough to solve the problem by myself. All I
can do is keep yelling as loudly as I can that there is a problem and that
we do need a really good solution.

