nanog mailing list archives
Re: DNS issues various
From: Richard A Steenbergen <ras () e-gerbil net>
Date: Thu, 24 Oct 2002 17:23:17 -0400
On Thu, Oct 24, 2002 at 04:02:09PM -0500, Rob Thomas wrote:
> Hi, NANOGers.
>
> ] I assert this is not the case. A significant percentage of DDoS attacks use
> ] legitimate source IP addresses. When there are thousands of throw-away hosts
>
> I track several botnets per week, and a large amount of DDoS per week. Only
> around 20% (or a bit less) of all the attacks I log use spoofed source
> addresses. Does anti-spoofing help? Yes. It is but one of many mitigation
> strategies.
I don't know what botnets you look at, but I wouldn't go that far. Of course stopping spoofing will not solve everything, but it does and will make a huge impact on DoS mitigation and tracing.

The problem now is that no one "knows" for certain if the attack they're tracing is spoofed or not. With a random source SYN flood, you know it's spoofed. With an attack which is spoofing a legit-looking address that is completely unrelated to the attacker, you don't. Most people who report DoS (including myself) have been so burned by finding out that a legitimate looking source address on an attack is in fact spoofed (or worse yet that an innocent party gets blamed by incompetent admins), they see a DDoS and don't even bother.

Attackers w/DDoS networks use this to their advantage, by mixing spoofed attacks (where they can) with unspoofed attacks (where they can't, such as Windows machines, boxes where they haven't compromised root such as apache worms and the like, and even in rare cases where the network is doing their job and ingress filtering), to make it effectively impossible to know which hosts to go after. Tracing down dumb drones with non-spoofed addresses is a LOT easier than tracking spoofed packets through the network (or worse explaining to other networks how to do it).

Of course, as more and more ingress filtering is implemented, the attacks will move to "one-off" spoofing, where they spoof their neighbor's address but are still close enough to get through filters, and incompetent admins go chasing after ghosts. But we'll deal with that situation when we come to it. :)

-- 
Richard A Steenbergen <ras () e-gerbil net>       http://www.e-gerbil.net/ras
PGP Key ID: 0x138EA177 (67 29 D7 BC E8 18 3E DA B2 46 B3 D8 14 36 FE B6)
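The three cases contrasted in the message above, worked through on constructed data. This is an added example and not code from the thread or from any NANOG participant: a strict source-prefix ingress filter (the BCP 38 idea) at the attacker's edge, a victim-side heuristic that separates a random-source flood from a flood of repeating real drones by how many distinct sources appear, and a "one-off" spoof of a same-prefix neighbor that the filter cannot catch. The prefixes, the attacker and neighbor addresses, the drone pool and the 0.9 spread threshold are all assumptions chosen for illustration.

```python
"""Strict ingress filtering vs. two flavours of DDoS source spoofing.

Added example, not from the NANOG thread. Models three cases from the post
on constructed data: a random-source SYN flood (dropped by a BCP 38 style
source-prefix filter at the source edge, and recognisable at the victim by
its source spread), a flood from a fixed set of unspoofed drones (real,
traceable sources that repeat), and a "one-off" spoof of a neighbour's
address inside the same prefix (passes the filter, blames the neighbour).
"""
import ipaddress
import random

# Constructed: the prefix assigned to the customer port being filtered.
CUSTOMER_PREFIX = ipaddress.ip_network("192.0.2.0/24")
# Constructed: a compromised host inside that prefix, and the neighbour it
# impersonates for the "one-off" spoof.
ATTACKER = "192.0.2.50"
NEIGHBOUR = "192.0.2.51"


def ingress_filter(src, allowed=CUSTOMER_PREFIX):
    """Strict source-prefix ingress check (the BCP 38 idea): a packet arriving
    on the customer port is accepted only if its source lies in the prefix
    assigned to that customer."""
    return ipaddress.ip_address(src) in allowed


def apply_filter(srcs, allowed=CUSTOMER_PREFIX):
    """Split a batch of source addresses seen on the customer port into
    (passed, dropped)."""
    passed = [s for s in srcs if ingress_filter(s, allowed)]
    dropped = [s for s in srcs if not ingress_filter(s, allowed)]
    return passed, dropped


def classify_sources(srcs, spread_threshold=0.9):
    """Victim-side heuristic from the post: a random-source flood shows a
    fresh source on almost every packet, so distinct/total approaches 1.0.
    A flood from real drones (or from a handful of one-off spoofed
    neighbours) repeats a bounded set of sources and the ratio stays small.
    The 0.9 threshold is an assumption for this example."""
    if not srcs:
        return "empty"
    distinct_ratio = len(set(srcs)) / len(srcs)
    return "random-spoofed" if distinct_ratio >= spread_threshold else "repeating-sources"


def make_random_source_flood(n=1000, seed=7):
    """Constructed sample: n SYNs sent by ATTACKER with uniformly random
    32-bit source addresses. Values that happen to fall inside the customer
    prefix are skipped so the sample is unambiguously forged."""
    rng = random.Random(seed)
    out = []
    while len(out) < n:
        addr = ipaddress.IPv4Address(rng.getrandbits(32))
        if addr not in CUSTOMER_PREFIX:
            out.append(str(addr))
    return out


def make_drone_flood(n=1000, drones=40, seed=7):
    """Constructed sample: n SYNs, as seen at the victim, from a fixed pool of
    unspoofed drones elsewhere on the Internet (documentation prefix
    198.51.100.0/24), each drone sending many packets."""
    rng = random.Random(seed)
    pool = [f"198.51.100.{i}" for i in range(1, drones + 1)]
    return [rng.choice(pool) for _ in range(n)]


if __name__ == "__main__":
    flood = make_random_source_flood()
    passed, dropped = apply_filter(flood)
    print(f"random-source flood: {len(passed)} passed, {len(dropped)} dropped"
          f" at the source edge; victim classifies it as {classify_sources(flood)}")

    drones = make_drone_flood()
    print(f"drone flood: classified as {classify_sources(drones)};"
          f" {len(set(drones))} distinct real sources to chase")

    # One-off spoof: ATTACKER forges NEIGHBOUR's address. Same prefix, so the
    # strict filter lets it through and the trace leads to the neighbour.
    print(f"one-off spoof of {NEIGHBOUR} by {ATTACKER} passes the filter:"
          f" {ingress_filter(NEIGHBOUR)}")
```

The filter and the classifier sit at different points in the path: the prefix check only helps where the packets enter the network, while the distinct-source ratio is what a victim can compute from its own traffic. Neither distinguishes a real drone from a one-off spoofed neighbor, which is exactly the gap the message predicts attackers will move into.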