Re: A DDOS defeating technique based on routing

From: Fernando Schapachnik (fpschaat_private-NET-WORKS.NET.AR)
Date: Tue Feb 22 2000 - 09:32:56 PST


    I'll summarize many responses my proposal has had and give my thoughts
    about each one. Sorry for not being able to answer each one individually.
    Not enough time ;-)
    
    Let me first state that this was never meant to be a cure for every
    situation. I think it is only feasible in particular cases. I do agree with
    most posts stating that to really solve DDOS we must attack the problem at
    its roots: egress filtering. My proposal aims to help the ones that are
    being attacked.
    
    Renaud Deraison <deraisonat_private> said:
    >       In order to be ready to a massive DDOS attack, example.com should
    > change its network structure to something like:
    >
    >                           +--------------+
    >                +----e-----+ stub network |
    >                |          +--------------+
    >     +--------+ |
    > -a--|        | |          +---------------+
    >     |        | |          |               |     +-----------------+
    > -b--|  ISP   +f+---d------+ example.com's +-----+ www.example.com |
    >     |        |            | border router |     +-----------------+
    > -c--|        |            +---------------+     \
    >     +--------+                             \     10.0.0.2 and 10.0.1.2
    >                                             10.0.0.1 and 10.0.1.1
    
    
    If example.com is flooded with bogus network traffic (say, lots of
    TCP RST), then the link "f" that I added on your map will be flooded
    anyway. So neither the stub network nor example.com's border router will
    receive all the data they should receive. So the attack is still
    active.
    
    ---> Answer: it was just a graphic mistake. Links e and d should be
    absolutely independent.
    
    =======================================================
    
    Andreas Bogk <andreasat_private> said:
    >      The proposed technique is about changing the IP addresses of the hosts
    > being attacked and diverting the IP block under attack to a stub network
    > where traffic can be analyzed to track it down, or just dropped.
    
    This will not help, as the ISP's border router is still flooded. You
    could drop the BGP route for that network, but that is highly
    undesirable: you would end up needing one BGP advertisement per
    "important" server.
    
    ---> Answer: this solution is intended for sites whose ISP has multiple
    links. Hopefully, the ISP's total bandwidth is several times the bandwidth it
    sells to its customer, and it uses some kind of traffic shaping for each
    customer at the other end of its links, so it could survive the attack. If
    the ISP can't survive the attack, neither can its customers.
    
    And BGP routes are a scarce resource, since they cost RAM in
    everybody's border router: usually ASen try hard to announce as few of
    them as possible, some aggregate all of their space to a single
    announcement.
    
    ---> Answer: you would have to spend some resources in order to get
    protection. The ISP can aggregate routes at its borders, so nobody knows that
    the route has been dropped (this is useful if the ISP can survive the
    attack) or can advertise each involved network separately. The last option
    has the disadvantage you pointed out, but the advantage of traffic being
    dispersed nearer its origin.
    
    ============================================
    
    Many pointed out things like:
    DNS records aren't instantly propagated to everyone (because of the
    TTL). How do you make sure that clients are diverted to the proper
    website?
    
    ---> Answer: Of course you have to use 0 (or very small) TTL DNS records.
    Remember RFC 1034: "[...] a zero TTL prohibits caching [...]".
    
    ===========================================
    David Brumley <dbrumleyat_private> said:
    
    If the DDOS attack was targeted at the router one hop before the web
    server, you would have to move the whole subnet.
    
    ---> Answer: Yes, you are right. A solution might be for this router not to
    respond to ICMP or traceroutes, so its IP does not become publicly available.
    
    ===========================================
    
    Many pointed out:
    
    The attacker can switch its attack to the new network.
    
    ---> Answer: in this case he is creating a very particular traffic pattern.
    He will be consulting DNS servers very often. The clients can do it
    automatically, so surfing logs will show them, or even the 'evil master'
    behind the attack could make a mistake and consult them often enough. If his
    software must attack an IP address (not a FQDN) and he has some experience,
    he will consult DNS from one of the compromised machines, but then again you
    can track him down from there, as he must use real IPs to get to that
    machine.
    
    ===========================================================
    
    Felix von Leitner <felixat_private> said:
    
    DDOS attacks normally saturate a, b and c as well, so this change will
    only help dial-up users from ISP in general.  The DDOS attacks that
    struck Germany so far have always taken the whole ISP with them.
    
    ---> Answer: I'd really like to know if during these attacks the ISP was applying
    bandwidth limiting to the customer being flooded on the other side of each of
    its Internet links.
    
    
    
    Fernando P. Schapachnik
    Network Administration
    VIA NET.WORKS ARGENTINA S.A.
    fernando@via-net-works.net.ar
    (54-11) 4323-3333
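The "very particular traffic pattern" mentioned in the answer above (a client re-resolving the diverted name far more often than a 0-TTL record would need for ordinary browsing) can be picked out of a resolver's query log. The following is an added example, not code from the original post; the log format (`<epoch> <client_ip> <qname>` per line) and the sample entries are constructed.

```python
from collections import defaultdict

# Constructed sample query log, one "<epoch> <client_ip> <qname>" per line.
# 203.0.113.9 re-resolves every two seconds; the others query once per visit.
SAMPLE_LOG = """\
1000 198.51.100.4 www.example.com
1001 198.51.100.7 www.example.com
1002 203.0.113.9 www.example.com
1004 203.0.113.9 www.example.com
1006 203.0.113.9 www.example.com
1008 203.0.113.9 www.example.com
1010 203.0.113.9 www.example.com
1300 198.51.100.4 www.example.com
1301 198.51.100.7 mail.example.com
"""

def parse_log(text):
    """Yield (timestamp, client, qname), skipping malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        try:
            yield int(parts[0]), parts[1], parts[2].lower()
        except ValueError:
            continue

def frequent_resolvers(text, qname, window=60, threshold=5):
    """Return {client: peak_count} for clients that queried `qname` at least
    `threshold` times within any `window`-second span. With a 0-TTL record
    every visit is a query, so set `threshold` above the normal per-client
    rate for the protected name, not at one."""
    per_client = defaultdict(list)
    for ts, client, name in parse_log(text):
        if name == qname.lower():
            per_client[client].append(ts)
    flagged = {}
    for client, times in per_client.items():
        times.sort()
        start, peak = 0, 0
        for end, ts in enumerate(times):
            while ts - times[start] > window:  # slide window start forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[client] = peak
    return flagged
```

Run on a real resolver log, the flagged clients are the ones to correlate with flood sources, exactly the tracking step the answer describes.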
    


