[e2e] DDoS attack vs. Spoofing of Source Address

Fred Baker fred at cisco.com
Thu Jan 19 16:43:23 PST 2006


Your first point is valid, but yet we see spoofing in the network -  
less than a while back, but still a lot. Ingress Filtering has value  
in limiting spoofing, and while yes it helps the customers of other  
networks, it also helps the customers of my network, which I will  
argue is my incentive to deploy it. In limiting spoofing, I partially  
mitigate certain classes of attacks as close to their source as I can  
put it.

Note that managing ddos attacks is never a matter of applying one  
golden tool and suddenly they all go away; rather, we identify high  
percentage solutions to specific attacks ("gee, this ddos seems to be  
a whole lot of folks starting to download the home page and then  
going away; let's change the URL of the web page and reply to the
download request with a simple response that redirects the requester  
to it. Maybe the bogons won't follow.") and apply them.

I don't see people focusing on spoofing per se. I do see them using  
anti-spoof measures as one of the armaments in their arsenal.

On Jan 19, 2006, at 1:55 PM, John Kristoff wrote:

> On Thu, Jan 19, 2006 at 12:23:27PM -0800, Joe Touch wrote:
>
>>> Many DoS agents have had the ability to randomly fake the source
>>> address and of course they commonly come up with a "bogon".
>>
>> Sure. That sounds more like a bug in their source address checking code,
>> IMO.
>
> If I was to think as an attacker, why would I spend my effort writing
> perfect spoofing code when it is clearly not necessary for my attacks
> to be effective?  Likewise, if I'm one trying to mitigate the attacks,
> why would I focus on trying to stop spoofing?
>
> John

