[e2e] DDoS attack vs. Spoofing of Source Address

Jon Crowcroft Jon.Crowcroft at cl.cam.ac.uk
Wed Jan 18 03:51:54 PST 2006


right-
if you rent a bot farm, it's a whole lot easier to script them with
attacks that i) use the 0wned machines' real addresses and ii) use
"normal" looking traffic... breaking either of these rules is going to
make detecting the bot farm a whole lot easier, which leads to it a)
being closed down and b) potentially the bot-0wners being caught (esp.
if their control traffic is traceable, which it sometimes is,
surprisingly easily...

for info:

there's a programme of work that UCL, Cambridge and MIT are engaged in
looking at this whole space

together with folks from the London Internet Neutral Exchange
and a lot of industry players (providers, router vendors, user
companies) - more info at

http://www.communicationsresearch.net/dos-resistant/

two common defenses are ok for larger companies, but don't address the
needs of smaller sites - putting your server on a load balanced site
so that requests have to go via a proxy/front end that fans out the
requests to many well provisioned servers, and the front end is itself
on an overprovisioned link, is one trick - essentially if you put such
a redirector behind a 10Gbps link, few attacks can take it out, and it
can normalise traffic and do a few other sanity checks (suppress or
delay duplicates etc) - doing this to your web service itself only
(without redirector) and putting a hefty packet scrubber in front will
mitigate things a bit but, as you've pointed out, with a "well formed"
attack it can't do so much

various techniques to push back filters towards sources don't work
fast enough for really large bot armies, and someone will eventually
write something polymorphic enough that the traffic will be well
formed and a subset of real traffic in a manner that can't easily be
filtered safely (to the real bot machine's owner:)

architectural changes to IP have been suggested but are hard to deploy
near/medium term

fixing host OSs so vulnerabilities are reduced, or outbound traffic
patterns are controlled through inverse firewall rules, is also good

detecting control traffic and pre-empting is a good thing

legal and economic measures to create incentives to make OS vendors,
host owners and isp owners take more care also contribute

like spam, dos attacks are a complex problem space not amenable to
point solutions (at least not without turning off the usefulness of
the internet:), but a raft of solutions are (anecdotally) making some
headway against the problem recently, slowly....of course it's just an
arms race...

In missive <DAC3FCB50E31C54987CD10797DA511BA12EFB848 at WIN-MSG-10.wingroup.windeploy.ntdev.microsoft.com>, "Christian Huitema" typed:

 >>> > 2) If most of DDoS attacks have shifted from using spoofing of source
 >>> > address to using botnets, why does such a shift happen?
 >>> ...
 >>>
 >>> The ingress filtering solved part of the problem, but the real item is
 >>> really that it is much more reliable to use non-spoofed addresses.
 >>> Especially as botnets average around 500k hosts for the largest
 >>> botnetworks, it is so easy to cripple a network that they really can't
 >>> be bothered trying to figure out if a network is allowing spoofed
 >>> addresses or not.
 >>
 >>It is also much harder to defend the host against a non-spoofed attack.
 >>The spoofed attacks have to be dumb: send single packets, don't expect a
 >>response, don't establish a session. Such single packets are relatively
 >>easy to filter. Even SYN packets can be dealt with efficiently. The
 >>attacker can thus only mount a bandwidth attack, trying to saturate the
 >>link to the server. This is doable, but requires a massive amount of
 >>traffic, which increases the chances of detection.
 >>
 >>On the other hand, if the address is not spoofed, the attack can mimic
 >>completely authorized traffic, e.g. load the home page of
 >>"http://www.example.com/". You can do even better by loading a page that
 >>requires extensive computation, e.g. "https://www.example.com/". Let a
 >>botnet repeat that a few thousand times per second, and the server at
 >>"www.example.com" will start sweating bullets.
 >>
 >>-- Christian Huitema

 cheers

   jon
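The two traffic shapes contrasted in this thread (single-packet spoofed floods that never complete a handshake, versus bots with real addresses that complete sessions and issue well-formed requests) can be told apart from per-source connection state, which is what a front-end redirector would key its sanity checks on. The following is an added example, not code from the original thread; the flow records are constructed, and the threshold constants are assumed tuning knobs rather than values from the post.

```python
from collections import defaultdict

HALF_OPEN_RATIO = 0.9   # assumed threshold: share of SYNs never completed
MAX_REQ_PER_SRC = 50    # assumed budget: completed requests per source per window

def sessions(ip, n_requests):
    """Constructed flow records for one real client: handshake then n requests."""
    return [(ip, "SYN"), (ip, "EST")] + [(ip, "GET")] * n_requests

# Constructed flow logs: (source_ip, event) with SYN = handshake started,
# EST = handshake completed, GET = full HTTP request received.
SPOOFED_FLOOD = ([(f"203.0.113.{i}", "SYN") for i in range(1, 201)]  # one packet per fake source
                 + sessions("192.0.2.5", 2))                          # one ordinary client
BOT_RUN = (sessions("198.51.100.7", 120) + sessions("198.51.100.8", 120)  # real addresses, real sessions
           + sessions("192.0.2.5", 2))

def per_source_stats(log):
    """Count SYNs, completed handshakes and requests per source address."""
    stats = defaultdict(lambda: {"syn": 0, "est": 0, "get": 0})
    for ip, event in log:
        stats[ip][event.lower()] += 1
    return stats

def half_open_fraction(stats):
    """Share of SYNs coming from sources that never completed a handshake.
    Near 1.0 means a single-packet flood (the spoofed shape): it never gets
    past the handshake, so SYN cookies or a front-end drop absorb it."""
    syns = sum(s["syn"] for s in stats.values())
    dangling = sum(s["syn"] for s in stats.values() if s["est"] == 0)
    return dangling / syns if syns else 0.0

def heavy_sources(stats):
    """Sources that completed handshakes yet blew through the request budget:
    the non-spoofed shape, where each request looks legitimate on its own and
    only a per-client rate limit (not packet filtering) has any effect."""
    return sorted(ip for ip, s in stats.items()
                  if s["est"] > 0 and s["get"] > MAX_REQ_PER_SRC)

def triage(log):
    """Return which mitigation the observed window calls for."""
    stats = per_source_stats(log)
    return {
        "half_open_flood": half_open_fraction(stats) >= HALF_OPEN_RATIO,
        "rate_limit": heavy_sources(stats),
    }

if __name__ == "__main__":
    for name, log in (("spoofed flood", SPOOFED_FLOOD), ("botnet", BOT_RUN)):
        print(name, triage(log))
```

Note that the botnet window triggers no half-open signal at all, which is the thread's point: the only handle left is the per-source request budget, and a polymorphic bot that stays under it is indistinguishable from a busy legitimate client.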
