Thank you Crispin,

If this is the case, then perhaps all ISPs should be required to filter outbound datagrams that have source addresses corresponding to external networks.

Thanks for the info....Heidi

-----Original Message-----
From: Crispin Cowan [mailto:crispin@private]
Sent: Wednesday, November 07, 2001 2:49 AM
To: Heidi
Cc: CRIME
Subject: Re: DoS

Heidi wrote:

>This sounds like what I was discussing about stopping the attack before it
>reaches the intended target. Heidi
>
>
>Projects Agency (DARPA), security technology firm Cs3 is looking at the
>concept of reverse firewalling, or keeping the flood of data from a DoS
>attack dammed up at the source. The Reverse Firewall works by filtering
>the outgoing packets from a network. The difference between a legitimate
>application that uses high bandwidth and a packet flooding attack is
>that, in the former case, the machine at the other end of the
>conversation is participating in a two-way conversation. In the case of
>a DoS attack, the exchange is one sided. (Source: Vnunet, 6 November)
>

ISPs are already capable of stopping DoS attacks in a similar fashion: it is called "egress filtering." It works thusly:

  * DoS zombies invariably spoof the source IP address. If they did not, they would be very easy to trace and shut down.
  * An ISP's border router can detect spoofed source IP addresses, because the router will see packets appearing on the "inside" interface with IP addresses that belong to the "outside." Most modern routers (pretty much all modern routers) are capable of being configured to drop such packets.
  * The main barrier to this defense is:
      * ISPs who cannot be bothered to police their own networks
      * hosts on non-ISP networks, i.e. college campuses

I see very little advantage to the Cs3 scheme described above. The primary advantage (which they do not discuss) would be if configuration management was somehow easier in the Cs3 scheme. This is plausible, as the Cs3 machine need not be configured to know what the "inside" and "outside" address ranges should be. However, this is a pretty marginal advantage, because:

  * border routers need to know the "inside" and "outside" address ranges anyways
  * an ISP that cannot be bothered to police their own networks when it is easy is not very likely to buy a new product to police their own network

Crispin

--
Crispin Cowan, Ph.D.
Chief Scientist, WireX Communications, Inc. http://wirex.com
Security Hardened Linux Distribution: http://immunix.org
Available for purchase: http://wirex.com/Products/Immunix/purchase.html
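As an added illustration (not part of the thread above), here is a small Python simulation of the two outbound checks the message compares: an egress filter, which must be configured with the "inside" prefixes, and a reverse-firewall-style one-sidedness check, which needs no such configuration. The prefixes, sample packets and thresholds are all constructed for the example.

```python
from collections import Counter
from ipaddress import ip_address, ip_network

# Hypothetical address ranges the ISP's border router treats as "inside".
INSIDE_PREFIXES = [ip_network("203.0.113.0/24"), ip_network("198.51.100.0/24")]

def forward_allowed(iface, src, inside=INSIDE_PREFIXES):
    """Egress filter: a packet seen on the inside interface is forwarded only
    if its source address really belongs to one of the inside prefixes."""
    if iface != "inside":
        return True                      # inbound traffic is not this filter's job
    return any(ip_address(src) in net for net in inside)

def egress_filter(packets, inside=INSIDE_PREFIXES):
    """Split (iface, src, dst) tuples into (forwarded, dropped) lists."""
    forwarded, dropped = [], []
    for pkt in packets:
        (forwarded if forward_allowed(pkt[0], pkt[1], inside) else dropped).append(pkt)
    return forwarded, dropped

def one_sided_flows(packets, threshold=0.9, min_packets=10):
    """Reverse-firewall-style check: flag (src, dst) pairs where at least
    `threshold` of the packets exchanged between the two hosts go one way.
    Uses only per-flow packet counts, not knowledge of inside/outside ranges."""
    counts = Counter((src, dst) for _, src, dst in packets)
    flagged = set()
    for (src, dst), n in counts.items():
        back = counts.get((dst, src), 0)
        if n >= min_packets and n / (n + back) >= threshold:
            flagged.add((src, dst))
    return flagged

# Constructed sample traffic as seen by the border router (documentation ranges).
SAMPLE_PACKETS = (
    [("inside", "203.0.113.10", "192.0.2.50")] * 20     # legitimate two-way flow
    + [("outside", "192.0.2.50", "203.0.113.10")] * 15
    + [("inside", "203.0.113.66", "192.0.2.80")] * 50   # flood from a real inside address
    + [("inside", "192.0.2.9", "192.0.2.80")] * 30      # flood with a spoofed outside source
)

if __name__ == "__main__":
    fwd, drop = egress_filter(SAMPLE_PACKETS)
    print(f"egress filter: forwarded {len(fwd)}, dropped {len(drop)} spoofed")
    print("one-sided flows:", one_sided_flows(SAMPLE_PACKETS))
```

Run on the sample, the egress filter drops only the spoofed flood, while the one-sidedness check flags both floods; the latter also flags legitimately one-way traffic, which is the usual false-positive cost of such a heuristic.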
This archive was generated by hypermail 2b30 : Sun May 26 2002 - 11:30:18 PDT