[e2e] DDoS attack vs. Spoofing of Source Address

rishi jethwa rishi_jethwa at hotmail.com
Wed Jan 18 07:09:14 PST 2006


Hi there,

Since I did my thesis on preventing DoS and DDoS attacks, I would like to add 
my comments on this issue.

First of all, no attack is complete and no defense mechanism is complete.
The most prevalent attack category as of today is the one that fits into 
the packet-flooding category.
Even if the victim's firewall or its first-hop router has all the intelligence 
of the universe to defeat DoS and DDoS attacks, at some stage it will not be 
able to cope with the intensity of the attacker's floods. All the attacker has to 
do is increase the intensity. I mean to say, if thousands of people arrive 
at the local drug store asking for bread, at some stage it will be impossible 
for a legitimate user to get aspirin.

1) Is it a big requirement that the source address of the packet should
be authentic?
A) In his paper on TCP/IP weaknesses, Morris said that the main weakness of this 
protocol is that the source host itself fills in the source address and there 
is no provision in the TCP/IP protocol stack to validate it. This spoofing and 
DoS problem would be completely solved if all the routers in the Internet 
employed ingress filtering. But as of now there is no general consensus 
on employing ingress filtering. All they want is to concentrate on the efficiency 
of moving packets.

2) Are the currently deployed mechanisms (mainly ingress filtering and uRPF) 
working well enough?
A) If all the routers in the Internet employed ingress filtering, DoS 
attacks could be mitigated. Also, the router could then easily identify the source 
of the attack and stop it. I have no idea what uRPF is.

3) What's the situation of DDoS attacks nowadays? Is spoofing of the
    source address still a major reason for DDoS attacks?
A) The computer industry has made a lot of advancement in combating DoS 
attacks, but at the same time the attackers are getting more 
sophisticated. Yes, spoofing is the main reason for the presence of DoS 
attacks. Also, when attackers spoof the source address they do not use the 
same address; I mean, if they send 1000 packets, all or many of them would 
have different IP addresses, making it difficult for the victim's router or 
firewall to block any particular IP address. Also, even if I know that the 
flood is coming from this IP address and even if I block it, to block it 
I have to inspect the packet up to layer 3 to see the IP address and then discard it. 
In doing so I have already spent my time and processing power, which is what the 
attackers want.

4) If most DDoS attacks have shifted from using spoofing of the source address to
    using botnets, why did such a shift happen?
A) If the botnets you are talking about are the same as zombies, then see, the impact of the 
attack would definitely be greater if the flooding intensity is greater. I have 
even read papers that describe attacks on some prominent websites that 
involved hundreds of zombies.

5) Is it easier to handle a DDoS attack if the source address in the packet
    is authentic?
A) Even our SBC telephone network is not able to handle the traffic on 
Mother's Day. You got the answer? Everything has a limit and a maximum 
processing capability. If I can only serve 10 legitimate users per second and 
50 users are arriving per second, then it's DoS for 40 of them.

As I was saying, all the attack wants is to overwhelm the victim's firewall, 
router or subnet to such an extent that eventually no legitimate packet 
reaches the victim. And if I were the attacker, I would prefer to use 
UDP traffic, which can do the same thing: eat up the bandwidth and 
processing power.


My thesis topic was "Sabotaging a Trusted Relationship: A Novel DoS 
Attack". I have also proposed a reliable solution to defeat such attacks. My 
thesis report would answer all of your questions in detail. It also talks 
about the present attack types and techniques, and current advancements made by 
the computer industry to defeat DoS attacks.
If you are interested, contact me at rishi_jethwa at yahoo.com.

Regards

Rishi Jethwa
Software Developer

THUMBTECHS CORPORATION
8205 Camp Bowie W #110
Fort Worth, Texas 76116
817.923.2419
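The two source-address checks discussed in the message above (ingress filtering on the customer-facing interface, and uRPF, which the author says he is not familiar with), simulated on a stub edge router. This is an added example for the thread, not code from the original post or from any router vendor. The topology (a customer interface "cust0" assigned 192.0.2.0/24 and an upstream interface "up0" with a default route), the forwarding table, and the packets are all constructed for illustration. It also shows the point made in answer 3: a spoofed flood of 1000 packets carries roughly 1000 distinct sources, so blocking individual addresses at the victim is futile, while the edge router that knows the source prefix can drop every one of them with a single prefix check.

```python
"""BCP 38 ingress filtering and strict unicast RPF at a stub edge router.

Added example, not from the original post. Topology, prefixes and sample
packets are constructed for illustration.
"""
import ipaddress
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str       # source IP as written by the sending host (may be spoofed)
    dst: str       # destination IP
    in_iface: str  # interface the packet arrived on


# Assumed topology: customers sit behind "cust0" and own 192.0.2.0/24.
# Ingress filtering (BCP 38): packets entering cust0 may only carry a
# source address from that prefix. The upstream interface has no policy here.
INGRESS_PREFIXES = {
    "cust0": [ipaddress.ip_network("192.0.2.0/24")],
}

# Assumed forwarding table (longest prefix match). Strict uRPF reuses it:
# look up the *source* address and require that the route points back out
# the interface the packet came in on.
FIB = [
    (ipaddress.ip_network("192.0.2.0/24"), "cust0"),
    (ipaddress.ip_network("0.0.0.0/0"), "up0"),
]

CUSTOMER_PREFIX = ipaddress.ip_network("192.0.2.0/24")


def lookup(addr):
    """Longest-prefix-match lookup in FIB; returns the egress interface."""
    ip = ipaddress.ip_address(addr)
    best = None
    for net, iface in FIB:
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def ingress_filter_ok(pkt):
    """BCP 38: accept only if the source lies in a prefix assigned to the
    ingress interface. Interfaces without a policy accept everything."""
    allowed = INGRESS_PREFIXES.get(pkt.in_iface)
    if allowed is None:
        return True
    ip = ipaddress.ip_address(pkt.src)
    return any(ip in net for net in allowed)


def strict_urpf_ok(pkt):
    """Strict uRPF: the reverse path to the source must be the arrival
    interface. Unlike the static ingress list, this also catches packets
    from upstream that claim a customer source address."""
    return lookup(pkt.src) == pkt.in_iface


def spoofed_flood(n, seed=1):
    """Constructed sample flood: n packets entering cust0, each with a random
    spoofed source outside the customer prefix (the per-packet address
    rotation described in the post)."""
    rng = random.Random(seed)
    pkts = []
    while len(pkts) < n:
        src = ipaddress.IPv4Address(rng.getrandbits(32))
        if src in CUSTOMER_PREFIX:
            continue
        pkts.append(Packet(src=str(src), dst="203.0.113.10", in_iface="cust0"))
    return pkts


def filter_packets(pkts, check):
    """Run one per-packet check; return (forwarded, dropped)."""
    forwarded = [p for p in pkts if check(p)]
    dropped = [p for p in pkts if not check(p)]
    return forwarded, dropped


if __name__ == "__main__":
    flood = spoofed_flood(1000)
    fwd, drop = filter_packets(flood, ingress_filter_ok)
    print("distinct spoofed sources:", len({p.src for p in flood}))
    print("forwarded:", len(fwd), "dropped at edge:", len(drop))
    # A packet arriving from upstream but claiming a customer address:
    backscatter = Packet("192.0.2.7", "203.0.113.10", "up0")
    print("ingress list passes it:", ingress_filter_ok(backscatter),
          "| strict uRPF drops it:", not strict_urpf_ok(backscatter))
```

The static ingress list only protects against spoofing from the customer side; the uRPF check derives the same policy from the routing table and additionally rejects packets from the upstream that forge a customer source. Strict uRPF assumes symmetric routing, which is why it is normally applied only at stub edges like this one and not on multi-homed transit links.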




More information about the end2end-interest mailing list