[e2e] DDoS attack vs. Spoofing of Source Address

Jeroen Massar jeroen at unfix.org
Tue Jan 17 17:15:00 PST 2006


Zhang Miao wrote:
> Hi, 
> 
> I just have a question related to DDoS Attack and Spoofing of Source Address.
> 
> It was common for the DDoS attack to utilize the spoofed source address
> two years ago. And many people told me that botnets are now the main way
> to launch DDoS attacks, in which the source address is not spoofed.
> 
> I'm just curious on the following questions:
> 
> (1) What's the situation of the DDoS attack nowadays? Is spoofing of 
>     source address still a major reason for the DDoS attack?

I guess you meant 'still a major part', which it seems not to be. Most DDoS
attacks are simply mounted using a very large amount of real live hosts.

A couple of years ago, when the predominant part of the attacks was
source based, the attacks were mostly for 'fun' and simply annoying
people, thus mostly attacks targeted at individuals. Now with
'organized' (ahem) crime intervening, as there is money to be made from
it or at least crippling of the competition thus costing them money, the
attacks are targeted more at businesses and not at a sole person. Though
of course there will always be person-to-person fights.

> (2) If most DDoS attacks have shifted from using spoofing of source address to
>     using botnets, why does such a shift happen?
>     I suppose two reasons:
>     1) Ingress filtering has been deployed in many ISPs, and attackers feel it's
>        hard to launch such an attack now.
>     2) It's easier to launch attack with botnets than with spoofed source address.
>     But I am not sure about it.

The ingress filtering solved part of the problem, but the real item is
really that it is much more reliable to use non-spoofed addresses.
Especially as botnets average around 500k hosts for the largest
botnetworks, it is so easy to cripple a network that they really can't be
bothered trying to figure out if a network is allowing spoofed addresses
or not.

That said, there is still a large amount of spoofed packets flying over
the internet, currently most of these can be seen as UDP packets from
Bogon address space (see http://www.cymru.com) source port 0,
destination port 1025 or 1026, which usually has the Messenger Service
on Windows bound to it, size around 480 bytes. Far from a DDoS but quite
annoying for people without proper firewalls ;) SMB scans (port 137-139)
are also quite normal it seems. See the Internet Storm Center
(http://isc.sans.org) for more of those.

> (3) Is it easier to handle DDoS attack if the source address in the packet
>     is authentic?

Yes, because one doesn't need to figure out which source is really
sending it. Filtering those prefixes thus becomes easier.
But, the volume and amount of different hosts is so vast that one has to
block a large amount of hosts to block them all. Also when those hosts
are blocked, the next botnet is already in place to continue the attack.

It depends a bit on the reason of the attack. If the attack is really
for monetary gain, mostly for extortion nowadays, then the attacks will
last till the money is transferred (and the bank + cops follow the money
trail ;). These attacks will continue till they either give up or get
caught.

Also a very interesting new trend is to use protocol 41 tunnels (IPv6 in
IPv4) as a covert channel, or even as a way to inject packets into
tunnel streams. Protocol-41 gets ignored by many firewall products and
can be spoofed exceptionally well when a misconfigured tunneling router
is found (and there are too many of those apparently).

Greets,
 Jeroen
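As an added illustration (not part of Jeroen's message or any project of his), a small Python classifier that flags the three traffic patterns described above in flow records: the spoofed Messenger-service UDP spam (bogon source, source port 0, destination port 1025/1026, roughly 480 bytes), SMB scans on 137-139, and protocol-41 packets arriving from hosts that are not configured tunnel peers. The bogon subset, the `Packet` record and the sample flows are all constructed for this example; the operational bogon list is the one Team Cymru maintains.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Reserved/private ranges that should never be a source on the public
# internet. Constructed subset for illustration only; the real bogon list
# is maintained at http://www.cymru.com and changes over time.
BOGON_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
)]

@dataclass
class Packet:
    src: str
    dst: str
    proto: int    # IP protocol number: 6 = TCP, 17 = UDP, 41 = IPv6-in-IPv4
    sport: int
    dport: int
    length: int   # bytes on the wire

def is_bogon(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in BOGON_NETS)

def classify(pkt: Packet, tunnel_peers) -> Optional[str]:
    """Label a packet that matches one of the discussed patterns, else None."""
    # Messenger-service spam: UDP, bogon source, sport 0, dport 1025/1026,
    # around 480 bytes (tolerance window is an assumption of this example).
    if (pkt.proto == 17 and pkt.sport == 0 and pkt.dport in (1025, 1026)
            and is_bogon(pkt.src) and 400 <= pkt.length <= 560):
        return "spoofed-messenger-spam"
    if pkt.proto in (6, 17) and pkt.dport in (137, 138, 139):
        return "smb-scan"
    # Protocol 41 from a host that is not one of our configured tunnel endpoints.
    if pkt.proto == 41 and pkt.src not in tunnel_peers:
        return "unexpected-proto41"
    return None

SAMPLE = [  # constructed flow records, not captured traffic
    Packet("10.3.4.5", "198.51.100.7", 17, 0, 1026, 482),
    Packet("203.0.113.9", "198.51.100.7", 6, 40211, 139, 60),
    Packet("203.0.113.20", "198.51.100.7", 41, 0, 0, 1280),
    Packet("192.0.2.44", "198.51.100.7", 41, 0, 0, 1280),   # known peer
    Packet("203.0.113.30", "198.51.100.7", 17, 53, 53, 90),   # benign DNS
]

def scan(packets=SAMPLE, tunnel_peers=frozenset({"192.0.2.44"})):
    """Return (source, label) for every packet that matched a pattern."""
    labelled = ((p.src, classify(p, tunnel_peers)) for p in packets)
    return [(src, label) for src, label in labelled if label]
```

Running `scan()` on the constructed sample yields the spam, the SMB probe and the stray protocol-41 packet, while the packet from the configured tunnel peer and the DNS reply pass through unlabelled.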
