[e2e] DDoS attack vs. Spoofing of Source Address
rishi_jethwa at hotmail.com
Wed Jan 18 07:09:14 PST 2006
Since I did my Thesis in preventing DoS n DDoS attacks I would like to add
my comments to this issue.
First of all no attack is complete and no defense mechanism is complete.
The most prevalent attacking category as of today is one that fits into
packet flooding category.
Even if the victim firewall or its first hop router has all the intelligence
of the universe to defeat DoS n DDoS attacks, at one stage it will not be
able to cop up with the attacker's floods intensity. All the attacker has to
do is to increase the intensity. I mean to say if thousands of people arrive
at the local drug store asking for bread, at one stage it will be impossible
for a legitimate user to get asprin.
1) Is it a big requirement that the source address of the packet should
A) In his paper on TCP/IP weakness Moris said that the main weakness of this
protocol is that the source host itself fills the source address and there
is no provision in TCP/IP protocol stack to validate it. This spoofing and
DoS problem would be completely solved if all the routers in the internet
would employ ingress filtering. But as of now there is no general consensus
on employing ingress filtering. All they want is to concentrate on effciency
of moving packets.
2) Is current deployed mechanisms (mainly ingress filtering, and uRPF)
working well enough?
A) If all the routers in the internet would employ ingress filtering, DoS
attacks can be mitigated. Also the router can now easily identify the source
of the attack and stop it from doing that. I have no idea what uRPF is.
3)1) What's the situation of the DDoS attack nowadays? Is spoofing of
source address still a major reason for the DDoS attack?
A) The computer industry has made a lot of advancement in combating DoS
attack but at the same time even the attackers are geting more
sophisticated. Yes, spoofing is the main reason for the presense of DoS
attack. Also when the attacker spoofs the source address they do not use the
same address, I mean if they send 1000 packets, all or many of them would
have different IP address, making it difficult for the Victim router or
firewall to block any particular IP address. Also even if I know that the
flood is coming from this IPaddress and even if I block it, but to block it
I have to check it till LAYER 3 to see the IP address and then discard it.
In doing so I have already spend my time n processing power, thats what
4) If most of DDoS attack has shift from using spoofing of source address to
using botnets, why such shift happens?
A) if botnets u taking about is same as zombies, then see, the impact of the
attack would be definately more if the flooding intensity is more. I have
even read papers that describes the attack on some prominent webstite that
has involved hundres of zombies.
5) Is it easier to handle DDoS attack if the source address in the packet
A) Even our SBC telephone network is not able to handle the traffic on
mother's day. You got the answer? Every thing has a limit and maximum
processing capability. If I can only serve 10 legitimate user per second and
if 50 users are arriving per second, then its DoS for 40 of them.
As I was talking all the attack wants is to overwhelm the victim firewall,
router or subnet to such an extent that eventually no legitimate packet
reaches the victim. And If I would be the attacker, I would prefer to use
UDP traffic, which can do the same thing, eat up the bandwidth and
My Thesis topic was "Sabotashing a Trusted Relationship: A Novel DoS
attack". I have also proposed a reliable solution to defeat such attacks. My
thesis report would answer all of your questions in detail. It also talks
about the present attack types and techniques, current advancements made by
the computer industry to defeat DoS attacks
If you are interested contact me at rishi_jethwa at yahoo.com.
8205 Camp Bowie W #110
Fort Worth, Texas 76116
More information about the end2end-interest