Stephen Kent wrote:

> I'll suggest one course of action, but I keep emphasizing the issue
> is not one of alternates, but of recognizing the limitations of
> proposals now on the table and considering approaches that may work
> irrespective of whether everyone performs filtering.

        I am willing to write a document on the means of packet filtering and
how rules should work for different configurations and environments.
Such configurations should be very well thought out, and I think an official
Internet draft should be written to advise many networks and common
people on what attacks regard/not their Internet access, should they be
providers, common people browsing/surfing and so on.

> With regard to a wide range of DoS or DDoS attacks, it seems quite
> feasible to monitor traffic to the web site to detect such attacks
> irrespective of whether source addresses are spoofed or not.

        Source-routed packets from untrusted hosts, as many of us know, have to
be dropped/ignored. I do not know if there is another kind of attack
regarding the forging of IP headers, as I didn't study ( :( ) the TCP/IP
RFCs.

> (this differs from IDS for broader attacks, where the recognition problem
> is much harder and the false negative rate is on the order of 20%.)
> Such monitoring can be done by a web hosting facility through purely
> passive monitoring, so as not to adversely affect the performance of
> the network used by a web hosting site.  Once an attack is detected,
> one can trigger a semi-automated response.  If one believes that the
> source addresses are not spoofed, then one can use this to direct
> filtering to selected ingress points, but the filtering can now be
> very focused, based on the characteristics of the detected DoS
> traffic. If one believes that source addresses might be spoofed, then
> one needs to activate the selective filtering on a much wider range
> of ingress points.  Since the true sources may be outside of the
> ISP's sphere of control, filtering at connections to other ISPs may
> be required in either case.

        In this case, I would suggest route and interface changing in an
automatic fashion like OSPF would do (but under attacks) (correct me if
I am wrong). DoS is very dangerous on bandwidth-limited sites that
cannot choose between different routers/gateways. The interface just
gets flooded and in some cases normal traffic disappears and one must
simply disable the interface until the attack ceases.

> If the response is rapid enough, the attack may not have significant
> impact, which reduces the attraction of mounting such an attack in
> the first place.  One can begin disabling the filters once the
> offending traffic flows have diminished, which provides another means
> of determining the sources of traffic, as others have noted in
> previous published work on this topic.
> An advantage of this style of approach is that while it can be even
> more effective if source address filtering is widespread, it also
> would work if such filtering is not completely effective, which is
> the sort of self-defense approach I prefer.  It supports what the
> security community refers to as the Principle of Least Privilege.

        As attacks can come from many different sources, if a backbone can at
least log, if not ignore, strangely high traffic from a unique site (but
it cannot, again, prevent DDoS), we should at least diminish the risks
of suffering an attack.

        Cesar
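An added example, not part of this thread, illustrating the two points above: a passive monitor can detect a flood by watching traffic toward the site regardless of spoofing, but filters can only be focused on particular sources when the source addresses are genuine. The flow records, addresses and the baseline of 50 packets per second are constructed for the example.

```python
"""Added example (not from the original thread): destination-side flood
detection versus per-source attribution on constructed flow records."""
from collections import Counter, defaultdict

# Constructed flow samples: (second, src, dst, packets). Not real traffic.
NORMAL = [(t, f"10.0.{t % 4}.{i}", "198.51.100.10", 5)
          for t in range(10) for i in range(1, 4)]
# Flood from one genuine source: per-source filtering can be focused.
UNSPOOFED = NORMAL + [(t, "203.0.113.7", "198.51.100.10", 400)
                      for t in range(10)]
# Same volume, but spread over many forged source addresses.
SPOOFED = NORMAL + [(t, f"192.0.2.{(t * 37 + k) % 250 + 1}", "198.51.100.10", 4)
                    for t in range(10) for k in range(100)]


def per_destination_rate(flows):
    """Average packets per second toward each destination (what a passive
    tap at the hosting site sees, independent of source validity)."""
    totals, seconds = Counter(), defaultdict(set)
    for t, _, dst, pkts in flows:
        totals[dst] += pkts
        seconds[dst].add(t)
    return {d: totals[d] / len(seconds[d]) for d in totals}


def attacked_destinations(flows, baseline_pps=50):
    """Destinations whose rate exceeds the (constructed) normal baseline."""
    return sorted(d for d, r in per_destination_rate(flows).items()
                  if r > baseline_pps)


def focused_sources(flows, dst, share=0.5):
    """Sources carrying more than `share` of the traffic to dst.
    An empty result means no source stands out, so per-source filters
    cannot be focused and wider ingress filtering would be needed."""
    by_src = Counter()
    for _, src, d, pkts in flows:
        if d == dst:
            by_src[src] += pkts
    total = sum(by_src.values())
    if not total:
        return []
    return sorted(s for s, p in by_src.items() if p / total > share)


if __name__ == "__main__":
    for name, flows in (("normal", NORMAL), ("unspoofed", UNSPOOFED),
                        ("spoofed", SPOOFED)):
        hit = attacked_destinations(flows)
        srcs = [focused_sources(flows, d) for d in hit]
        print(name, "attacked:", hit, "focusable sources:", srcs)
```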
