Forwarded from: Russell Coker <russellat_private>

On Fri, 12 Apr 2002 10:02, you wrote:
> become so overwhelmed with traffic that they crash. Micah Adler, an
> assistant professor at the University of Massachusetts Department of
> Computer Science, has developed a new technique for determining the
> source of such an attack that requires only adding a single bit of
> information to messages sent across the Internet.

Of course if everyone put filters on their edge routers that prevented their customers from faking source IP addresses then it would be much easier to identify the attacker, and it would make it possible to filter the attacks out (if the attack starts at 6PM local time for the attacker then you have no chance of getting the local administrator to do anything for more than 12 hours). Core routers don't get filters, so you must be able to filter what you receive.

Also big ISPs are very wary of making any changes to core routers. Getting them to replace the firmware with a new version that has a major new feature such as this enabled will be next to impossible.

Finally, tracking the source machine after a large volume of traffic does you no good at all if it's just a trojaned Windows box. Preventing DDOS attacks requires the ability to filter out the trojaned Windows machines as fast as they get deployed; if you can't filter out a new attacker in less than 5 minutes after they start attacking then you have no hope of stopping the smallest DDOS.

Let's assume that we are able to make a list of attacking machines fast enough to keep up with the new supply (this may be impossible, but let's assume it isn't for the sake of discussion). What do we do next? Wait until we have a few thousand IP addresses of Windows machines in the router config and it can't handle the filtering load and melts down?

Currently we have a serious problem of people crying wolf about network attacks. Idiots buy so-called security software for their Windows PCs which alerts them every time a strange packet hits their machine, and they start phoning and emailing ISPs about it. Dealing with these people is a waste of time, and because of it large ISPs have special groups of help-desk people to deal with such issues. The result is that the only form of network abuse that will be dealt with is SPAM. Anything else will never be forwarded to the people who are able to do anything about it (a common procedure for such situations is to tell the complainant that the account has already been cancelled, to stop them bothering the help-desk again).

In conclusion I think that this method for determining the source is a solution looking for a suitable problem, and that tracking and stopping "internet vandals" will not be possible until people get some clues.

Russell Coker

- ISN is currently hosted by Attrition.org
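As an added illustration (not part of Coker's post or anything from the ISN list), the edge-router source-address filtering the post refers to, simulated in Python: a packet is accepted only if its source address falls inside a prefix assigned to the customer interface it arrived on. The interface names, prefixes and packets are constructed for the example.

```python
# Added example, not from the original post: a simulated edge-router
# ingress filter that drops packets whose source address is outside the
# prefixes assigned to the customer interface they arrived on.
import ipaddress
from typing import Dict, List, Tuple

# Hypothetical customer interfaces and their assigned prefixes (constructed).
CUSTOMER_PREFIXES: Dict[str, List[str]] = {
    "cust-a": ["203.0.113.0/24"],
    "cust-b": ["198.51.100.0/25", "2001:db8:b::/48"],
}

# Constructed sample packets as (ingress interface, source, destination).
SAMPLE_PACKETS: List[Tuple[str, str, str]] = [
    ("cust-a", "203.0.113.7", "192.0.2.10"),        # legitimate
    ("cust-a", "198.51.100.9", "192.0.2.10"),       # spoofed: cust-b's space
    ("cust-a", "192.0.2.10", "192.0.2.10"),         # spoofed: victim's own address
    ("cust-b", "2001:db8:b::1", "2001:db8:1::1"),   # legitimate IPv6
    ("cust-b", "198.51.100.200", "192.0.2.10"),     # outside the /25
    ("cust-c", "203.0.113.7", "192.0.2.10"),        # unknown interface
]


def build_filter(table: Dict[str, List[str]]):
    """Parse the per-interface prefix table into ip_network objects."""
    return {iface: [ipaddress.ip_network(p) for p in ps] for iface, ps in table.items()}


def source_allowed(filt, iface: str, src: str) -> bool:
    """True only if src lies within a prefix assigned to iface; fail closed otherwise."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False  # malformed source address: drop
    nets = filt.get(iface)
    if nets is None:
        return False  # no prefixes known for this interface: drop
    return any(addr.version == n.version and addr in n for n in nets)


def filter_packets(filt, packets):
    """Split packets into (accepted, dropped) according to source_allowed."""
    accepted, dropped = [], []
    for pkt in packets:
        (accepted if source_allowed(filt, pkt[0], pkt[1]) else dropped).append(pkt)
    return accepted, dropped


if __name__ == "__main__":
    ok, bad = filter_packets(build_filter(CUSTOMER_PREFIXES), SAMPLE_PACKETS)
    for pkt in bad:
        print("dropped spoofed/unknown source:", pkt)
    print(f"{len(ok)} accepted, {len(bad)} dropped")  # 2 accepted, 4 dropped
```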
This archive was generated by hypermail 2b30 : Sat Apr 13 2002 - 03:19:05 PDT