[54783] in North American Network Operators' Group
Re: Is there a line of defense against Distributed Reflective attacks?
daemon@ATHENA.MIT.EDU (Christopher L. Morrow)
Thu Jan 16 23:12:03 2003
Date: Fri, 17 Jan 2003 04:11:30 +0000 (GMT)
From: "Christopher L. Morrow" <chris@UU.NET>
To: hc <haesu@towardex.com>
Cc: "Christopher L. Morrow" <chris@UU.NET>,
Brad Laue <brad@brad-x.com>, <nanog@merit.edu>
In-Reply-To: <3E278080.50001@towardex.com>
Errors-To: owner-nanog-outgoing@merit.edu
On Thu, 16 Jan 2003, hc wrote:
> >Because syn cookies are available on routing gear??? Either way syn
> >cookies are not going to keep the device from sending a 'syn-ack' to the
> >'originating host'.
> >
> True.. At least it will have some stop in the amount of attacks.
>
> It is quite unfortunate that it is impossible to control the 'ingress'
> point of attack flow. Whenever there is a DoS attack, the only way to
> drop it is to null route it (the method you have devised) over BGP
> peering, but that knocks the victim host off the 'net... :-(
>
Sure, but this, like all other attacks of this sort, can be tracked... and
so the pain is over /quickly/ provided you can track it quickly :) Also,
sometimes null routes are ok.
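The reflection pattern this thread discusses (a reflector answering a spoofed SYN with a SYN-ACK to the victim) is visible from the victim's edge as SYN-ACKs arriving from many hosts for connections the victim never opened. The following is an added example, not code from this thread, showing how a defender could pick that out of flow records; the five-field flow tuple format and the sample addresses are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample flows in a hypothetical format:
# (src_ip, dst_ip, src_port, dst_port, tcp_flags), with S = SYN, SA = SYN-ACK.
SAMPLE_FLOWS = [
    # A legitimate handshake: 198.51.100.7 initiates, 192.0.2.10 answers.
    ("198.51.100.7", "192.0.2.10", 40001, 443, "S"),
    ("192.0.2.10", "198.51.100.7", 443, 40001, "SA"),
    # Reflected SYN-ACKs: hosts answering SYNs that 198.51.100.7 never sent
    # (the attacker spoofed the victim's address as the SYN source).
    ("203.0.113.11", "198.51.100.7", 80, 1024, "SA"),
    ("203.0.113.12", "198.51.100.7", 80, 1025, "SA"),
    ("203.0.113.13", "198.51.100.7", 443, 1026, "SA"),
    ("203.0.113.14", "198.51.100.7", 25, 1027, "SA"),
]


def unsolicited_synacks(flows):
    """Map each destination to the set of sources that sent it a SYN-ACK
    without a matching SYN (same 4-tuple, reversed) seen earlier."""
    seen_syns = set()
    result = defaultdict(set)
    for src, dst, sport, dport, flags in flows:
        if flags == "S":
            seen_syns.add((src, dst, sport, dport))
        elif flags == "SA":
            # A genuine SYN-ACK answers a SYN that travelled the other way.
            if (dst, src, dport, sport) not in seen_syns:
                result[dst].add(src)
    return result


def reflection_suspects(flows, min_reflectors=3):
    """Return [(victim, reflector_count)] for hosts receiving unsolicited
    SYN-ACKs from at least min_reflectors distinct sources. The reflector
    list is what you hand to the upstream to trace the spoofed SYNs back."""
    return sorted(
        (dst, len(srcs))
        for dst, srcs in unsolicited_synacks(flows).items()
        if len(srcs) >= min_reflectors
    )


if __name__ == "__main__":
    for victim, count in reflection_suspects(SAMPLE_FLOWS):
        print(f"{victim}: unsolicited SYN-ACKs from {count} distinct hosts")
```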