[e2e] DDoS attack vs. Spoofing of Source Address

Jeroen Massar jeroen at unfix.org
Tue Jan 17 18:11:07 PST 2006 

Zhang Miao wrote:
> Hi, Jeroen
> 
> thanks a lot for your answers.
> 
> I just want to add one more question: 
> 
>     How to evaluate the situation of spoofing of source address in the
>     current Internet? 
> 
> 1) Is it a big requirement that the source address of the packet should
>    be authentic? 

Depends completely on what purpose one is using a network for. If one
doesn't require any communication to be sent back to the source address
then it doesn't have to be, neither if one doesn't assume any validity
based on this address. But then one could do without the source address
completely too. If one depends on the source address to be also the
sender of the packet one is receiving then it is almost crucial to be
able to make this assertion. Mechanisms like IPSEC can help out to solve
this part of the puzzle though.

>    first, is it the spoofing of source address a serious problem for the
>    current Internet.

The biggest issue with spoofed addresses is that it doesn't allow one to
find the culprit easily who is sending these packets, unless doing some
digging. Especially when sending a small volume of small packets,
tracing them down to the real origin becomes a hard task, even more when
operators are not available, pre-occupied with other problems or when
there are language or political barriers. Transit providers for instance
 will help you out to resolve these issues, though it would be in their
interest to actually deliver these packets as you are paying for them.

There are also places where spoofed packets can be handy, especially for
research, eg:
http://www.ripe.net/ripe/meetings/ripe-47/presentations/ripe47-ipv6-tunnel-disco.pdf
Where injecting packets from spoofed addresses, which are the tunnel
endpoints, can be used to discover IPv6 tunnels, though one has to have
a pre-knowledge of the tunnel endpoints in this case taken from the
6bone registry.

The above method can also be used for not so nice tasks, as the source
IP is the only security assertion for IPv6 tunnels (proto-41) one can
easily abuse most 6to4 relays as an anonymous relay. Just send the
spoofed packets and the relay will properly relay it and those packets
are virtually untraceable. Having ingress filtering is a requirement for
this setup to counter this problem. proto-41 tunneling could have been
made more secure by using some security token, but this is nearly
impossible especially as there is no global PKI, let alone one which can
bootstrap automatically to be used by hosts without any intervention.

>    Second, considering the possible investment to provide source address
>    validation, e.g., deploying ingress filter, is it worth to make such
>    investment?

The investment mostly comes in the form of hardware upgrades. Most
hardware does support it, but it of course requires the correct version
to do it. Some hardware can't do it at line rate and other
implementations don't at all and thus need to be replaced completely to
support it.

There are few setups (eg satelite links) which have asymmetrical paths.
In these cases one doesn't have to specifically define a filter, but a
filter on the prefix from the up/downstream provider is already good enough.

Filtering as close as possible to the origin is already great and
usually inexpensive (cash, cpu and hardware wise) way to do this, it
also limits the attack vector.

Many ISP's though simply don't filter as they claim their hardware can't
handle it. Others don't realize the importance until they get hit by a
DDoS or other ISP's start depeering them because of their negligence.

> 2) Is current deployed mechanisms (mainly ingress filtering, and uRPF)
>    working well enough?

They work as long as the complete network uses them. When a trusted
source is not using them the scheme falls over. At least in these cases
one can trace it to this link based on traffic graphs, netflow data and
other more 'expensive' sources.

> Shall we design and deploy other mechanisms
>    to do source address validation in the Internet?

uRPF and ingress filtering already suffice sufficiently. At the moment
most DDoS attacks (afaik) are not using spoofing attacks any more due to
the easy way to get a large amount of zombie hosts which can do damage
easily and for a small price. The biggest requirement and wish list here
is most likely to be able to convince network operators to actually
implement and update these filters properly.

One method that works quite well, but would still require that the
packet is verified at every hop, which is something that was tried to be
avoided in IPv6 and something which will not be done in general due to
the computational overhead would be verifying IPSEC headers on every
host. Having prefix filters is then a much much much cheaper method.

>    Here are some
>    works in recent years. I want to get answers from more people.

Possibly an interesting related paper:
http://www.caida.org/outreach/papers/2006/backscatter_dos/backscatter_dos.pdf
CAIDA has a large number of good papers on this subject, thus you might
want to look around on their site: http://www.caida.org/

Greets,
 Jeroen

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 238 bytes
Desc: OpenPGP digital signature
Url : http://www.postel.org/pipermail/end2end-interest/attachments/20060118/3f7d3e74/signature.bin

More information about the end2end-interest mailing list