[e2e] DDoS attack vs. Spoofing of Source Address

[John Kristoff]

On Wed, 18 Jan 2006 15:09:14 +0000
"rishi jethwa" <rishi_jethwa at hotmail.com> wrote:

> This spoofing and  DoS problem would be completely solved
> if all the routers in the internet  would employ ingress filtering.

This is simply not true.  A great number of DoS attacks currently do
not spoof their source address and even those that do often only spoof
within the local /24 netblock.

> But as of now there is no general consensus  on employing ingress
> filtering. All they want is to concentrate on effciency  of moving
> packets.

Actually I think there is consensus that anti-spoof filtering is
generally a good idea, but the reason it isn't ubiquitous is usually
because of practical limitations (e.g. equipment support and complex
network configurations).

> A) If all the routers in the internet would employ ingress filtering,
> DoS  attacks can be mitigated. Also the router can now easily identify
> the source  of the attack and stop it from doing that. I have no idea
> what uRPF is.

With all due respect, for someone who did their thesis on DoS attacks,
I am disappointed by your answers thus far.

uRPF stands for unicast reverse path check.  In a nutshell, when a
packet arrives on an interface, if uRPF is enabled, the router can
perform a check to verify whether the best (or in some configurations
a feasible) path back to the source is back out that ingress interface.
If it is, then the packet is allowed to be forwarded, otherwise it is
filtered.

> Yes, spoofing is the main reason for the presense of DoS  attack.

Again, not true.  In, spoofing appears to have waned considerably
over the past few years.  Here is just one confirmation of that (see
slide number 3):

  <http://www.nanog.org/mtg-0501/deitrich.html>

> My Thesis topic was "Sabotashing a Trusted Relationship: A Novel DoS 
> attack". I have also proposed a reliable solution to defeat such
> attacks.

Hmmm...

John