[e2e] DDoS attack vs. Spoofing of Source Address

John Kristoff jtk at northwestern.edu
Wed Jan 18 18:12:40 PST 2006


On Wed, 18 Jan 2006 16:45:58 -0800
Joe Touch <touch at ISI.EDU> wrote:

> These slides refer to bogon traffic - with source addresses that are
> reserved (e.g. Martians) or unallocated.  Spoofing a bogon address
> would not be useful (it can be trapped at any router); perhaps you
> meant some other slides?

No, I meant those.  Spoofing is spoofing, regardless of whether it's bogons.
Besides, you just earlier claimed, correctly, that ingress filtering
only works if every router can be trusted to participate, but they
can't, and we have proof that many not so insignificant networks are
forwarding spoofed packets.  So bogon filtering can be just as useful
to an attacker as an assigned and in-use spoofed address.  :-)

However, in my experience, the use of local /24 netblock spoofing is
commonly used if packets are spoofed at all.

I guess I needed to stipulate that these were bogons and that those
slides indicated that bogon spoofing was on the wane.  I couldn't
think of any other publicly available resource that documented that
spoofing in general has declined, but in my experience and in talking
with other operators, I believe in general it has.  I would venture to
guess that the percentage in that slide is probably accurate not just
for bogon spoofing statistics, but for spoofing in general.  That is,
less than 20% or even less than 15% of attacks these days are spoofing
addresses.

It may be more interesting that attackers don't bother spoofing more.
The explanation is relatively simple though: they don't really need
to.  DoS agents are a dime a dozen, literally.  It's a shame that they
don't need to, but it highlights the diminishing marginal returns of
fixing spoofing.

John

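The thread above contrasts three cases a network edge sees: a spoofed bogon source (caught by a bogon filter on any router), a spoofed source outside the customer's assigned block (caught by BCP 38 ingress filtering at that edge), and a source spoofed from within the customer's own local /24 (which passes both). The following is an added illustration, not code from the list or from either poster; the bogon prefix list is a constructed subset of reserved ranges, the assigned prefix 203.0.113.0/24 and the sample packets are made up, and `classify_source` and `summarize` are hypothetical helper names.

```python
import ipaddress
from collections import Counter

# Constructed subset of reserved ("Martian") prefixes that must never be a
# legitimate Internet source. A production bogon feed also carries currently
# unallocated space. The RFC 5737 documentation ranges are deliberately left
# out here because the example borrows them as stand-ins for real assignments.
BOGON_PREFIXES = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8",        # "this" network
    "10.0.0.0/8",       # RFC 1918 private
    "127.0.0.0/8",      # loopback
    "169.254.0.0/16",   # link-local
    "172.16.0.0/12",    # RFC 1918 private
    "192.168.0.0/16",   # RFC 1918 private
    "224.0.0.0/4",      # multicast
    "240.0.0.0/4",      # reserved / class E
)]


def is_bogon(src: str) -> bool:
    """True if the source address falls inside any reserved prefix."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in BOGON_PREFIXES)


def classify_source(src: str, assigned_prefix: str) -> str:
    """Decide what a customer-edge router would do with a packet whose source
    is `src`, given that the customer is assigned `assigned_prefix`.

    Returns one of:
      "drop:bogon"   - source is a Martian, trappable at any router
      "drop:ingress" - source is outside the assigned block (BCP 38 filter)
      "pass"         - source is inside the assigned block; the edge cannot
                       tell a spoofed local address from a real one
    """
    addr = ipaddress.ip_address(src)
    assigned = ipaddress.ip_network(assigned_prefix)
    if is_bogon(src):
        return "drop:bogon"
    if addr not in assigned:
        return "drop:ingress"
    return "pass"


def summarize(packets, assigned_prefix: str) -> dict:
    """Count filter outcomes over (src, dst) tuples, e.g. from flow records."""
    counts = Counter(classify_source(src, assigned_prefix) for src, _dst in packets)
    return dict(counts)


# Constructed sample of (source, destination) pairs as seen on a customer-facing
# interface whose assigned block is 203.0.113.0/24. The last two sources sit
# inside that block: the filter passes them whether or not they are spoofed,
# which is exactly why local-/24 spoofing survives ingress filtering.
ASSIGNED = "203.0.113.0/24"
SAMPLE_PACKETS = [
    ("10.9.8.7", "192.0.2.10"),
    ("127.0.0.1", "192.0.2.10"),
    ("224.0.0.5", "192.0.2.10"),
    ("192.0.2.44", "192.0.2.10"),
    ("203.0.113.200", "192.0.2.10"),
    ("203.0.113.17", "192.0.2.10"),
]

if __name__ == "__main__":
    for src, _ in SAMPLE_PACKETS:
        print(f"{src:16} -> {classify_source(src, ASSIGNED)}")
    print(summarize(SAMPLE_PACKETS, ASSIGNED))
```

The useful observation for a defender is the "pass" bucket: neither a bogon list nor a BCP 38 filter reduces it, so attribution of those packets has to come from the customer side (per-host state, or a finer uRPF/ACL at the switch port) rather than from the upstream edge.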