Merit Network
Can't find what you're looking for? Search the Mail Archives.
  About Merit   Services   Network   Resources & Support   Network Research   News   Events   Home

Discussion Communities: Merit Network Email List Archives

North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: Is there a line of defense against Distributed Reflective attacks?

  • From: David G. Andersen
  • Date: Fri Jan 17 01:13:06 2003

On Thu, Jan 16, 2003 at 08:48:03PM -0500, Brad Laue mooed:
> 
> By way of quick review, such an attack is carried out by forging the
> source address of the target host and sending large quantities of
> packets toward a high-bandwidth middleman or several such.
> 
> One method that comes to mind that can slow the incoming traffic in a
> more distributed way is ECN (explicit congestion notification), but it
> doesn't seem as though the implementation of ECN is a priority for many

   No.  ECN is, first and foremost, an optimization for TCP so that
it doesn't have to drop packets before cutting its rate back when
there's congestion in the network.  A zombie or malicious host would
just ignore the ECN bit - and the attacks you're describing never
reach the point where a host's flow control is involved.

   You might be thinking of source quench, but that's really not an
option with today's networks.

  Some other conventional alternatives have been discussed already
(ingress/egress filtering, etc).  Some less conventional options:
[Warning:  Some researchy stuff ahead]

  a)  Mazu and Arbor provide products that can detect and
      optionally shape traffic to avoid DDoS attacks.  Must be
      installed in-line to shape, and can't (AFAIK) shape at
      really really high line speeds.  But for reasonable things
      like, maybe gigabit and under, I think they can provide
      pretty reasonable protection.  Don't quote me for sure on the rates.

  b)  Ioannidis and Bellovin proposed a mechanism called "Pushback"
      for automatically establishing router-based rate limits to
      staunch packet flows during DoS attacks.
      [NDSS 2002, "Implementing Pushback:  Router-Based Defense
       Against DDoS Attacks"]

  c)  I stole some ideas from a sigcomm paper this year ("SOS:  Secure
      Overlay Services") to propose a proactive DDoS resistance scheme
      I term Mayday.  The basic idea is that you pick some secret
      attributes of your packets - destination port, destination
      address, etc. - and only allow packets with "the right values"
      through.  You then tell that secret to someone like Akamai,
      and have them proxy all requests to you.  Then you ask your
      upstream to proactively deny all packets without the magical
      values.

      http://nms.lcs.mit.edu/papers/mayday-usits2003.html

      It's a little weird, but I'd be willing to bet that one of
      the big overlay providers like Akamai could actually pull it off.
      The advantage of this approach is that you can implement it
      without fixing the whole world, unlike egress filters.  The
      downside is that you need someone with lots of nodes.

      I'd be interested in hearing folk's comments about the mayday 
      paper, btw, since I have to babble about it at a conference
      in a month. ;-)

  -Dave

-- 
work: dga@lcs.mit.edu                          me:  dga@pobox.com
      MIT Laboratory for Computer Science           http://www.angio.net/
      I do not accept unsolicited commercial email.  Do not spam me.




Discussion Communities


About Merit | Services | Network | Resources & Support | Network Research
News | Events | Contact | Site Map | Merit Network Home


Merit Network, Inc.