[e2e] DDoS attack vs. Spoofing of Source Address
huitema at windows.microsoft.com
Tue Jan 17 21:39:55 PST 2006
> > 2) If most of DDoS attack has shift from using spoofing of source
> > address to using botnets, why such shift happens?
> The ingress filtering solved part of the problem, but the real item is
> really that it is much more reliable to use non-spoofed addresses.
> Especially as botnets average around 500k hosts for the larget
> botnetwors, it is so easy to cripple a network that they really can't
> bothered trying to figure out if a network is allowing spoofed
> or not.
It is also much harder to defend the host against a non spoofed attack.
The spoofed attacks have to be dumb: send single packets, don't expect a
response, don't establish a session. Such single packets are relatively
easy to filter. Even SYN packets can be dealt with efficiently. The
attacker can thus only mount a bandwidth attack, trying to saturate the
link to the server. This is doable, but requires a massive amount of
traffic, which increases the chances of detection.
On the other hand, if the address is not spoofed, the attack can mimick
a completely authorized traffic, e.g. load the home page of
"http://www.example.com/". You can do even better by loading a page that
requires extensive computation, e.g. "https://www.example.com/". Let a
botnet repeat that a few thousand times per second, and the server at
"www.example.com" will start sweating bullets.
-- Christian Huitema
More information about the end2end-interest