[e2e] 100% NAT - a DoS proof internet

Jeroen Massar jeroen at unfix.org
Tue Feb 14 03:23:04 PST 2006

On Mon, 2006-02-13 at 12:43 -0500, Angelos D. Keromytis wrote: 
> Jeroen Massar wrote:
> > 
> > If you want to protect against address scans then move to IPv6 :)
> > (though one infected box and they have the local subnet)
> Definitely true on the latter, as we point out on a recent paper on 
> USENIX ;login: with Steve Bellovin and Bill Cheswick:
> http://www1.cs.columbia.edu/~angelos/Papers/2006/ipv6worm.pdf

This one I already got forwarded by some other folks, in the context
of this thread, the part on "Peer-to-Peer protocols" also explains
that one can monitor those networks to find out possible targets.
This could be done more or less the same as with the proposed solution.

> Furthermore, the worm can do a scanning of the DNS space and spread 
> almost as fast as an IPv4 address-scanning worm. For example, see our 
> INFOCOM 2005 paper:
> http://www1.cs.columbia.edu/~angelos/Papers/2005/dns-worm.pdf

DNSSEC also gives an additional vector here where the NSEC records
allows following and thus scanning the chain. But afaik they found a
trick against this already (I am not tightly following dnssec).

On Tue, 2006-02-14 at 09:32 +0000, Jon Crowcroft wrote:
> In missive <1139849512.19715.6.camel at firenze.zurich.ibm.com>, Jeroen Massar typ
> ed:
>  >>Worms don't come in directly to the IP's that often, they spread mostly
>  >>using email, broswers, and other applications and some unknowing user
>  >>simply starting applications it should not be running. Host-based
>  >>firewalls do a wonderful job here already. Of course there are some viri
>  >>which scan semi-randomly but the effect is lower than a email containing
>  >>a jucky picture of some teen celebrity.
> 1/ I am not defending against vulnerabilities but against dos and
> scans

In the case of DoS, it is just a matter of having enough zombies
saturate some point of the uplink or just the weakest link. The best DoS
is similar to the slashdot effect: very large number of hosts following
the protocol by the letter and not doing anything you did not expect.
There is currently no way to detect the legit from the illegit traffic
and thus you end up accepting everything and trying to cope or shutting
down parts but then might end up shutting down legit traffic.

Having some form of captcha in the protocol could work here though, but
would require a lot of human intervention and would not be applicable
for a lot of cases. DoS is a endsystem problem, when those can be
compromised, and they will be, there is nothing to stop vermin to abuse
them to do something which looks okay but what isn't.

A scan is pretty useless, except for the knowledge part, when there is
no vulnerability to exploit it.

>  >>If you want to protect against address scans then move to IPv6 :)
>  >>(though one infected box and they have the local subnet)
> I use a MAC _ it uses IPv6 by default if its there - 
> problem is the ISPs dont :-(
> your move.

A very easy move: http://www.sixxs.net or google("10 steps ipv6")
(Chess, mate ;)

Seeing that your mail address is based in the ac.uk part, you might want
to check even things closer to you. There are 2 ac.uk based brokers at:
http://www.sixxs.net/tools/aiccu/brokers/ which also lists a large
number of other places to get connectivity from. In the ac.uk area most
likely Tim Chown is able to tell you quite well where to get good
quality connectivity from.

If you need any help in getting IPv6 set up and running don't hesitate
to ask. No firewall or other blocking mechanism has kept me from getting
IPv6 connectivity ;)

>  >>Also, the target of the DoS will just shift with your idea, from the
>  >>end-host to the NAT box that is 'protecting' it. Which in turn make it
>  >>actually harder to work against these attacks. Just read up on some of
>  >>the timelines about attacks against IRC servers. First the targetted the
>  >>irc servers themselves, after that they started dos'sing the links,
>  >>which simply means they will kill of the routers in between the user and
>  >>the server..
> saying dont defend against X because everyone will move to attacking Y
> is bogus.

It's 'bogus' because? I just noted that the attack will move to another
place and in many cases it will be a place which is harder to defend.
Keeping it simple is then better ;)

>  >>There is no real magic bullet. Law and especially enforcement is one of
>  >>the few things that might help a bit, but that is not something we might
>  >>want to see from the e2e point of view.
> gosh, we have law already and its working so well isnt it:)

Note the 'especially' in that sentence, the enforcement is not there and
if it was it would be made corrupt next to limitting freedom which is
not what is wanted either. But that is politics, not technicallities and
I don't like the first ;)

> i didnt say this was a magic bullet - i said it was an idea for
> defending against a specific problem. yes there are many problems and
> the design space for solutions is multi-faceted.
> security people love to attack things - i disdain that- i like to
> defend things:)

But having to build defense upon defense, which is what you want to do
by shifting the problem, is certainly not going to help. It will end up
in a walled garden with mostly walls and not garden. It will keep you
defending but I am pretty sure you'd rather sit on a lazy couch or do
something else than keeping an eye out all the time. Of course from a
research/work perspective it is fun but is it worth the effort? Better
have something really good which can't be broken/circumvented too
easily. In this problem space though, having legit traffic already
breaks most of the solutions. But keep ideas coming of course, it might
be that something gives somebody a great idea which does solve a large
part of the problem. I am unfortunately quite a bit on the pessimistic
side when it comes to (d)dos solvers, could be because of the amounts of
traffic I have seen coming in after some 14 year old didn't get what he
wanted and forgot to stop that part of the botnet when his mom called
for dinner...


-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 240 bytes
Desc: This is a digitally signed message part
Url : http://www.postel.org/pipermail/end2end-interest/attachments/20060214/5237936c/attachment-0001.bin

More information about the end2end-interest mailing list