[27184] in North American Network Operators' Group
Re: NANOG meeting subject of attack? Hmmmm....
daemon@ATHENA.MIT.EDU (robert@UU.NET)
Wed Feb 9 22:42:59 2000
From: robert@UU.NET
Message-Id: <200002100335.WAA05043@beefcake2000.argfrp.us.uu.net>
To: Bino Gopal <bino@watsun.cc.columbia.edu>
Cc: nanog@merit.edu
In-Reply-To: Message from Bino Gopal <bino@watsun.cc.columbia.edu>
of "Wed, 09 Feb 2000 19:54:23 EST." <Pine.GSO.4.10.10002091954000.28923-100000@watsol.cc.columbia.edu>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Wed, 09 Feb 2000 22:35:52 -0500
Errors-To: owner-nanog-outgoing@merit.edu
> As Charles says, from what I've read of the CERT advisories, there is
> nothing proactive one can really do for these DDos attacks, besides
> securing machines from being hacked, correct?
A site can use anti-spoofing filters on their router/firewall (even if the ISP
can't or won't do it on their end) to make sure that their machines don't
forge source addresses. This might stop any of their machines which have been
compromised from really doing participating in the attack. (I say "might"
because the slave daemons don't have to forge addresses.)
Other misc. ideas are in:
http://www.cert.org/reports/dsit_workshop.pdf
(BTW, a "advisory" version of unicast RPF-type stuff would be immensely
helpful in deploying URPF, "source validation," ingress filtering, or whatever
you want to call it.)
