Merit Network
Can't find what you're looking for? Search the Mail Archives.
  About Merit   Services   Network   Resources & Support   Network Research   News   Events   Home

Discussion Communities: Merit Network Email List Archives

North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: Is there a line of defense against Distributed Reflective attacks?

  • From: Steven M. Bellovin
  • Date: Sat Jan 18 23:21:11 2003

In message <Pine.GSO.4.44.0301182004040.16112-100000@clifden.donelan.com>, Sean
 Donelan writes:
>
>On Sat, 18 Jan 2003, Steven M. Bellovin wrote:
>> theory, trace a single packet.  But the real problem with either idea
>> is this:  suppose that you know, unambiguously and unequivocally, that
>> 750 zombies are attacking you.  What do you do with that information?
>
>The reality is its not 750 zombies, its generally one person controlling
>750 zombies attacking you.

Right -- and neither itrace nor hash-based tracing are going to solve 
that:
>

>   3) Find and convict the true attacker

Hash-based trace might help on that, *if* there was recording of the 
packets to the zombies.  But doing that ubiquitously might -- would? -- 
turn the Internet into a surveillance state.
>

>   2) Track and stop DDOS quickly when it does happen

That's the point of pushback.

>So how do we
>   1) Make end-user systems less vulnerable to being compromised

That's my real goal...

		--Steve Bellovin, http://www.research.att.com/~smb (me)
		http://www.wilyhacker.com (2nd edition of "Firewalls" book)






Discussion Communities


About Merit | Services | Network | Resources & Support | Network Research
News | Events | Contact | Site Map | Merit Network Home


Merit Network, Inc.