Dan,
I'll suggest one course of action, but I keep emphasizing the issue
is not one of alternates, but of recognizing the limitations of
proposals now on the table and considering approaches that may work
irrespective of whether everyone performs filtering.
With regard to a wide range of DoS or DDoS attacks, it seems quite
feasible to monitor traffic to the web site to detect such attacks
irrespective of whether source addresses are spoofed or not. (This
differs from IDS for broader attacks, where the recognition problem
is much harder and the false negative rate is on the order of 20%.)
Such monitoring can be done by a web hosting facility through purely
passive monitoring, so as not to adversely affect the performance of
the network used by a web hosting site. Once an attack is detected,
one can trigger a semi-automated response. If one believes that the
source addresses are not spoofed, then one can use this to direct
filtering to selected ingress points, but the filtering can now be
very focused, based on the characteristics of the detected DoS
traffic. If one believes that source addresses might be spoofed, then
one needs to activate the selective filtering on a much wider range
of ingress points. Since the true sources may be outside of the
ISP's sphere of control, filtering at connections to other ISPs may
be required in either case.
If the response is rapid enough, the attack may not have significant
impact, which reduces the attraction of mounting such an attack in
the first place. One can begin disabling the filters once the
offending traffic flows have diminished, which provides another means
of determining the sources of traffic, as others have noted in
previous published work on this topic.
An advantage of this style of approach is that while it can be even
more effective if source address filtering is widespread, it also
would work if such filtering is not completely effective, which is
the sort of self-defense approach I prefer. It supports what the
security community refers to as the Principle of Least Privilege.
Steve
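
The detect-then-filter loop described in the message above, sketched as an added example that is not part of the original message. The flow records, the prefix-to-ingress table, the ingress point names and the rate threshold are all constructed assumptions; whether sources are believed genuine is passed in as a judgment call, as the message frames it.

```python
import ipaddress
from collections import Counter

# Hypothetical ISP topology: which ingress point each source prefix enters through.
PREFIX_TO_INGRESS = {"198.51.100.0/24": "edge-a", "203.0.113.0/24": "edge-b",
                     "192.0.2.0/24": "peer-x"}
ALL_INGRESS = ["edge-a", "edge-b", "edge-c", "peer-x", "peer-y"]

def make_sample():
    """Constructed records (second, src_ip, proto, dst_port, pkt_len) seen by a passive tap."""
    flows = [(t, f"198.51.100.{i}", "tcp", 80, 400 + i) for t in range(10) for i in range(5)]
    for t in range(6, 10):  # constructed flood starting at second 6
        for i in range(200):
            net = "203.0.113" if i % 2 else "192.0.2"
            flows.append((t, f"{net}.{i % 50}", "udp", 80, 1024))
    return flows

def detect_onset(flows, window=3, factor=5):
    """First second whose packet count exceeds factor x the mean of the previous window."""
    per_sec = Counter(f[0] for f in flows)
    secs = sorted(per_sec)
    for idx in range(window, len(secs)):
        baseline = sum(per_sec[s] for s in secs[idx - window:idx]) / window
        if per_sec[secs[idx]] > factor * baseline:
            return secs[idx]
    return None

def signature(flows, since):
    """Dominant (proto, dst_port, pkt_len) since onset: the basis for a focused filter."""
    return Counter(f[2:] for f in flows if f[0] >= since).most_common(1)[0][0]

def ingress_for(src_ip):
    addr = ipaddress.ip_address(src_ip)
    for prefix, point in PREFIX_TO_INGRESS.items():
        if addr in ipaddress.ip_network(prefix):
            return point
    return None

def plan_filters(flows, since, sig, sources_trusted):
    """Focused drop rules: selected ingress points if sources are believed genuine, else all."""
    if sources_trusted:
        points = sorted({ingress_for(f[1]) for f in flows if f[0] >= since and f[2:] == sig} - {None})
    else:
        points = list(ALL_INGRESS)
    return [{"ingress": p, "proto": sig[0], "dst_port": sig[1], "pkt_len": sig[2]} for p in points]

if __name__ == "__main__":
    flows = make_sample()
    onset = detect_onset(flows)
    sig = signature(flows, onset)
    for trusted in (True, False):
        print(trusted, plan_filters(flows, onset, sig, trusted))
```

In both cases the rule matches only the detected traffic characteristics, so ordinary web traffic to the site is untouched; only the number of ingress points carrying the rule changes.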