[e2e] DDoS attack vs. Spoofing of Source Address
zm at cernet.edu.cn
Tue Jan 17 17:41:09 PST 2006
thanks a lot for your answers.
I just want to add one more question:
How to evaluate the situation of spoofing of source address in the
1) Is it a big requirement that the source address of the packet should
first, is it the spoofing of source address a serious problem for the
Second, considering the possible investment to provide source address
validation, e.g., deploying ingress filter, is it worth to make such
2) Is current deployed mechanisms (mainly ingress filtering, and uRPF)
working well enough? Shall we design and depoloy other mechanisms
to do source address validation in the Internet? Here are some
works in recent years. I want to get answers from more people.
 Beverly, R. and S. Bauer, "The spoofer project: inferring the
extent of source address filtering on the Internet", USENIX
SRUTI 2005, 2005.
 Bremler-Barr, A. and H. Levy, "Spoofing Prevention Method",
IEEE Infocom 2005, 2005.
 Park, K. and H. Lee, "On the Effectiveness of Route-Based
Packet Filtering for Distributed DoS Attack Prevention in
Power-Law Internets", ACM Sigcomm 2001, 2001.
 Li, J., Mirkovic, J., Wang, M., Reiher, P., and L. Zhang,
"SAVE: Source Address Validity Enforcement Protocol", IEEE
Infocom 2002, 2002.
-------Original Message -------------------------------------
From: "Jeroen Massar" <jeroen at unfix.org>
To: "zm at cernet.edu.cn" <zm at cernet.edu.cn>
Sent: 2006-01-18 09:15:00
Subject: Re: [e2e] DDoS attack vs. Spoofing of Source Address
>Zhang Miao wrote:
>> I just have a question related to DDoS Attack and Spoofing of Source Address.
>> It was common for the DDoS attack to utilize the spoofed source address
>> two years ago. And many people told me, it is botnets the main way
>> to launch DDoS attack, in which source address is not spoofed.
>> I'm just curious on the following questions:
>> (1) What's the situation of the DDoS attack nowadays? Is spoofing of
>> source address still a major reason for the DDoS attack?
>I guess you meant 'still a major part', which it seems not be. Most DDoS
> attacks are simply mounted using a very large amount of real live hosts.
>A couple of years ago, when the predominant part of the attacks was
>source based, the attacks where mostly for 'fun' and simply annoying
>people, thus mostly attacks targeted at individuals. Now with
>'organized' (ahem) crime intervening, as there is money to be made from
>it or at least crippling of the competition thus costing them money, the
>attacks are targeted more at businesses and not at a sole person. Though
>of course there will always be person-to-person fights.
>> (2) If most of DDoS attack has shift from using spoofing of source address to
>> using botnets, why such shift happens?
>> I suppose two reasons:
>> 1) Ingress filter has been deployed in many ISPs, and attacker feel it's
>> hard to launch such attack now.
>> 2) It's easier to launch attack with botnets than with spoofed source address.
>> But I am not sure about it.
>The ingress filtering solved part of the problem, but the real item is
>really that it is much more reliable to use non-spoofed addresses.
>Especially as botnets average around 500k hosts for the larget
>botnetwors, it is so easy to cripple a network that they really can't be
>bothered trying to figure out if a network is allowing spoofed addresses
>That said, there is still a large amount of spoofed packets flying over
>the internet, currently most of these can be seen as UDP packets from
>Bogon address space (see http://www.cymru.com) source port 0,
>destination port 1025 or 1026, which usually has the Messenger Service
>on Windows bound to it, size around 480 bytes. Far from a DDoS but quite
>annoying for people without proper firewalls ;) SMB scans (port 137-139)
>are also quite normal it seems. See the Internet Storm Center
>(http://isc.sans.org) for more of those.
>> (3) Is it easier to handle DDoS attack if the source address in the packet
>> is authentic?
>Yes, because one doesn't need to figure out which source is really
>sending it. Filtering those prefixes thus becomes easier.
>But, the volume and amount of different hosts is so vast that one has to
>block a large amount of hosts to block them all. Also when those hosts
>are blocked, the next botnet is already in place to continue the attack.
>It depends a bit on the reason of the attack. If the attack is really
>for monetary gain, mostly for extortion nowadays, then the attacks will
>last till the money is transfered (and the bank + cops follow the money
>trail ;). These attacks will continue till they either give up or get
>Also a very interesting new trend is to use protocol 41 tunnels (IPv6 in
>IPv4) as a covert channel, or even as a way to inject packets into
>tunnel streams. Protocol-41 gets ignored by many firewall products and
>can be spoofed exceptionally well when a misconfigured tunneling router
>is found (and there are too many of those apparently).
= = = = = = = = = = = = = = = = = = = =
* Zhang Miao *
* Ph.D, Assistant Professor, Network Research Center *
* Tsinghua University,Beijing,China(100084) *
* Tel: (8610)-62795818-6271 *
* Email: zm at cernet.edu.cn *
* Web: http://netarchlab.tsinghua.edu.cn/~zm *
More information about the end2end-interest