[e2e] DDoS attack vs. Spoofing of Source Address

Zhang Miao zm at cernet.edu.cn
Tue Jan 17 17:41:09 PST 2006


Hi, Jeroen

thanks a lot for your answers.

I just want to add one more question: 

    How to evaluate the situation of spoofing of source address in the
    current Internet? 

1) Is it a big requirement that the source address of the packet should
   be authentic? 
   First, is the spoofing of source address a serious problem for the
   current Internet?
   Second, considering the possible investment to provide source address
   validation, e.g., deploying ingress filters, is it worth making such an
   investment?

2) Are the currently deployed mechanisms (mainly ingress filtering and uRPF)
   working well enough? Shall we design and deploy other mechanisms
   to do source address validation in the Internet?  Here are some 
   works from recent years. I want to get answers from more people.

   [1]   Beverly, R. and S. Bauer, "The spoofer project: inferring the
         extent of source address filtering on the Internet", USENIX
         SRUTI 2005, 2005.

   [2]   Bremler-Barr, A. and H. Levy, "Spoofing Prevention Method",
         IEEE Infocom 2005, 2005.

   [3]   Park, K. and H. Lee, "On the Effectiveness of Route-Based
         Packet Filtering for Distributed DoS Attack Prevention in
         Power-Law Internets", ACM Sigcomm 2001, 2001.

   [4]   Li, J., Mirkovic, J., Wang, M., Reiher, P., and L. Zhang,
         "SAVE: Source Address Validity Enforcement Protocol", IEEE
         Infocom 2002, 2002.



thanks

Miao
   

-------Original Message -------------------------------------
From: "Jeroen Massar" <jeroen at unfix.org>
To: "zm at cernet.edu.cn" <zm at cernet.edu.cn>
Sent: 2006-01-18 09:15:00
Subject: Re: [e2e] DDoS attack vs. Spoofing of Source Address

>Zhang Miao wrote:
>> Hi, 
>> 
>> I just have a question related to DDoS Attack and Spoofing of Source Address.
>> 
>> It was common for the DDoS attack to utilize the spoofed source address
>> two years ago. And many people told me, it is botnets the main way
>> to launch DDoS attack, in which source address is not spoofed.
>> 
>> I'm just curious on the following questions:
>> 
>> (1) What's the situation of the DDoS attack nowadays? Is spoofing of 
>>     source address still a major reason for the DDoS attack?
>
>I guess you meant 'still a major part', which it seems not to be. Most DDoS
> attacks are simply mounted using a very large amount of real live hosts.
>
>A couple of years ago, when the predominant part of the attacks was
>source based, the attacks were mostly for 'fun' and simply annoying
>people, thus mostly attacks targeted at individuals. Now with
>'organized' (ahem) crime intervening, as there is money to be made from
>it or at least crippling of the competition thus costing them money, the
>attacks are targeted more at businesses and not at a sole person. Though
>of course there will always be person-to-person fights.
>
>> (2) If most of DDoS attack has shift from using spoofing of source address to
>>     using botnets, why such shift happens? 
>>     I suppose two reasons:
>>     1) Ingress filter has been deployed in many ISPs, and attacker feel it's
>>        hard to launch such attack now.
>>     2) It's easier to launch attack with botnets than with spoofed source address.
>>     But I am not sure about it.
>
>The ingress filtering solved part of the problem, but the real item is
>really that it is much more reliable to use non-spoofed addresses.
>Especially as botnets average around 500k hosts for the largest
>botnets, it is so easy to cripple a network that they really can't be
>bothered trying to figure out if a network is allowing spoofed addresses
>or not.
>
>That said, there is still a large amount of spoofed packets flying over
>the internet; currently most of these can be seen as UDP packets from
>Bogon address space (see http://www.cymru.com) source port 0,
>destination port 1025 or 1026, which usually has the Messenger Service
>on Windows bound to it, size around 480 bytes. Far from a DDoS but quite
>annoying for people without proper firewalls ;) SMB scans (port 137-139)
>are also quite normal it seems. See the Internet Storm Center
>(http://isc.sans.org) for more of those.
>
>> (3) Is it easier to handle DDoS attack if the source address in the packet
>>     is authentic?
>
>Yes, because one doesn't need to figure out which source is really
>sending it. Filtering those prefixes thus becomes easier.
>But, the volume and amount of different hosts is so vast that one has to
>block a large amount of hosts to block them all. Also when those hosts
>are blocked, the next botnet is already in place to continue the attack.
>
>It depends a bit on the reason of the attack. If the attack is really
>for monetary gain, mostly for extortion nowadays, then the attacks will
>last till the money is transferred (and the bank + cops follow the money
>trail ;). These attacks will continue till they either give up or get
>caught.
>
>Also a very interesting new trend is to use protocol 41 tunnels (IPv6 in
>IPv4) as a covert channel, or even as a way to inject packets into
>tunnel streams. Protocol-41 gets ignored by many firewall products and
>can be spoofed exceptionally well when a misconfigured tunneling router
>is found (and there are too many of those apparently).
>
>Greets,
> Jeroen

= = = = = = = = = = = = = = = = = = = =

*****************************************************************
*    Zhang Miao                                                 *
*    Ph.D, Assistant Professor, Network Research Center         *
*    Tsinghua University,Beijing,China(100084)                  *
*    Tel: (8610)-62795818-6271                                  *
*    Email: zm at cernet.edu.cn                                 *
*    Web: http://netarchlab.tsinghua.edu.cn/~zm                 *
*****************************************************************
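As an added illustration (not part of Zhang Miao's or Jeroen's posts) of the ingress-filtering and uRPF mechanisms asked about in question (2), and of the bogon-sourced traffic Jeroen mentions: a small model of strict and loose uRPF plus a bogon check, run over constructed flow records. The routing table, interface names and bogon subset are assumptions made for the example.

```python
import ipaddress

# Constructed routing table for a hypothetical edge router: prefix -> interface
# through which it is reached. No default route, so loose uRPF is a real test.
ROUTES = {
    "10.0.0.0/8": "ge-0/0/0",       # customer A
    "172.16.0.0/12": "ge-0/0/1",    # customer B
    "198.51.100.0/24": "ge-0/0/2",  # transit peer
}

# Constructed subset of bogon space (the real list is maintained by Team Cymru).
BOGONS = ["0.0.0.0/8", "127.0.0.0/8", "192.0.2.0/24", "240.0.0.0/4"]

def lookup(src):
    """Longest-prefix match of src against ROUTES; returns an interface or None."""
    addr = ipaddress.ip_address(src)
    best = None
    for prefix, iface in ROUTES.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None

def urpf(src, ingress, mode="strict"):
    """Strict: the route back to src must leave via the ingress interface.
    Loose: it is enough that some route to src exists."""
    iface = lookup(src)
    if iface is None:
        return False
    return iface == ingress if mode == "strict" else True

def is_bogon(src):
    addr = ipaddress.ip_address(src)
    return any(addr in ipaddress.ip_network(b) for b in BOGONS)

def classify(pkt, mode="strict"):
    """Accept/drop decision for one flow record, with the reason."""
    if is_bogon(pkt["src"]):
        return ("drop", "bogon source")
    if not urpf(pkt["src"], pkt["in_if"], mode):
        return ("drop", f"uRPF {mode} fail")
    return ("accept", "ok")

# Constructed flow records; the second is customer A's address arriving from
# the transit side, the classic signature of a spoofed source.
SAMPLE = [
    {"src": "10.1.2.3", "in_if": "ge-0/0/0"},
    {"src": "10.1.2.3", "in_if": "ge-0/0/2"},
    {"src": "192.0.2.9", "in_if": "ge-0/0/2"},
    {"src": "203.0.113.5", "in_if": "ge-0/0/2"},
]
```

Running `classify(p)` and `classify(p, "loose")` over SAMPLE shows the difference that matters in practice: strict mode catches the address arriving on the wrong interface, while loose mode only rejects sources with no route at all.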


