RE: DoS

From: Heidi (mcps@private)
Date: Tue Nov 06 2001 - 08:14:39 PST

Next message: Heidi: "fire damage/data recovery"

Previous message: The Berean: "Providing security of specific files on a Web server"
In reply to: Crispin Cowan: "Re: DoS"
Next in thread: Robert Martin: "Re: DoS"
Reply: Robert Martin: "Re: DoS"
Reply: Crispin Cowan: "Re: DoS"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Thank you Crispin,

If this is the case, then perhaps all ISPs should be required to filter
outbound datagrams that have source addresses corresponding to external
networks.  Thanks for the info....Heidi

-----Original Message-----
From: Crispin Cowan [mailto:crispin@private]
Sent: Wednesday, November 07, 2001 2:49 AM
To: Heidi
Cc: CRIME
Subject: Re: DoS


Heidi wrote:

>This sounds like what I was discussing about stopping the attack before it
>reaches the intended target.  Heidi
>
>
>Projects Agency (DARPA), security technology firm Cs3 is looking at the
>concept of reverse firewalling, or keeping the flood of data from a DoS
>attack dammed up at the source.  The Reverse Firewall works by filtering
>the outgoing packets from a network. The difference between a legitimate
>application that uses high bandwidth and a packet flooding attack is
>that, in the former case, the machine at the other end of the
>conversation is participating in a two-way conversation. In the case of
>a DoS attack, the exchange is one sided.  (Source: Vnunet, 6 November)
>
ISPs are already capable of stopping DoS attacks in a similar fashion:
it is called "egress filtering."  It works thusly:

    * DoS zombies invariably spoof the source IP address.  If they did
      not, they would be very easy to trace and shut down.
    * An ISPs boarder router can detect spoofed source IP addresses,
      because the router will see packets appearing on the "inside"
      interface with IP addresses that belong to the "outside." Most
      modern routers (pretty much all modern routers) are capable of
      being configured to drop such packets.
    * The main barrier to this defense is:
          * ISPs who cannot be bothered to police their own networks
          * hosts on non-ISP networks, i.e. college campuses

I see very little advantage to the Cs3 scheme described above. The
primary advantage (which they do not discuss) would be if configuration
management was somehow easier in the Cs3 scheme.  This is plausible, as
the Cs3 machine need not be configured to know what the "inside" and
"outside" address ranges should be. However, this is a pretty marginal
advantage, because:

    * boarder routers need to know the "inside" and "outside" address
      ranges anyways
    * an ISP that cannot be bothered to police their own networks when
      it is easy is not very likely to buy a new product to police their
      own network

Crispin

--
Crispin Cowan, Ph.D.
Chief Scientist, WireX Communications, Inc. http://wirex.com
Security Hardened Linux Distribution:       http://immunix.org
Available for purchase: http://wirex.com/Products/Immunix/purchase.html

Next message: Heidi: "fire damage/data recovery"
Previous message: The Berean: "Providing security of specific files on a Web server"
In reply to: Crispin Cowan: "Re: DoS"
Next in thread: Robert Martin: "Re: DoS"
Reply: Robert Martin: "Re: DoS"
Reply: Crispin Cowan: "Re: DoS"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Sun May 26 2002 - 11:30:18 PDT