[54785] in North American Network Operators' Group


Re: Is there a line of defense against Distributed Reflective attacks?

daemon@ATHENA.MIT.EDU (Christopher L. Morrow)
Thu Jan 16 23:29:52 2003

Date: Fri, 17 Jan 2003 04:29:07 +0000 (GMT)
From: "Christopher L. Morrow" <chris@UU.NET>
To: Brad Laue <brad@brad-x.com>
Cc: "Christopher L. Morrow" <chris@UU.NET>, hc <haesu@towardex.com>,
	<nanog@merit.edu>
In-Reply-To: <3E27847D.4090407@brad-x.com>
Errors-To: owner-nanog-outgoing@merit.edu
On Thu, 16 Jan 2003, Brad Laue wrote:

> Christopher L. Morrow wrote:
> > On Thu, 16 Jan 2003, hc wrote:
> >
> >
> >>>
> >>>
> >>>Because syn cookies are available on routing gear??? Either way syn
> >>>cookies are not going to keep the device from sending a 'syn-ack' to the
> >>>'originating host'.
> >>>
> >>>
> >>
> >>True.. At least it will have some stop in the amount of attacks.
> >>
> >>It is quite unfortunate that it is impossible to control the 'ingress'
> >>point of attack flow. Whenever there is a DoS attack, the only way to
> >>drop it is to null route it (the method you have devised) over BGP
> >>peering, but that knocks the victim host off the 'net... :-(
> >>
> >
> >
> > Sure, but this like all other attacks of this sort can be tracked... and
> > so the pain is over /quickly/ provided you can track it quickly :) Also,
> > sometimes null routes are ok.
>
> How quickly is quickly? Oftentimes, as has been my recent experience
> (part of my motivation for posting this thread), the flood is over before
> one can get a human being on the phone.

Once the call arrives and the problem is deduced, it can be tracked in a
matter of minutes, like 6-10 at the fastest...

>
> What kinds of mechanisms exist for keeping track of the origins of
> something of this nature?
>

Normally that's not very productive as they are mostly owned boxes that
will be rebuilt and reowned in days :(
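The "null route it over BGP peering" that the thread refers to is usually deployed as remotely triggered black hole (RTBH) routing: one trigger router injects a /32 for the victim into iBGP with a next hop that every edge router already sends to Null0, so the flood is discarded at the edge instead of crossing the backbone. The configuration below is an added illustration in Cisco IOS syntax, not part of the original message or anything the list participants posted; the addresses (192.0.2.0/24 documentation space), AS 64512 and tag 666 are constructed placeholders.

```text
! --- Trigger router (constructed example) ---
! Static route for the victim /32, tagged so the route-map can pick it up.
! Adding this line starts the black hole; "no ip route ..." withdraws it.
ip route 192.0.2.10 255.255.255.255 Null0 tag 666

router bgp 64512
 neighbor 192.0.2.254 remote-as 64512
 neighbor 192.0.2.254 send-community
 redistribute static route-map RTBH

! Only tagged statics are redistributed; next hop is the discard address.
route-map RTBH permit 10
 match tag 666
 set ip next-hop 192.0.2.1
 set local-preference 200
 set community no-export

! --- Every edge router (constructed example) ---
! The discard next hop is pre-installed to Null0, so any BGP route that
! points at 192.0.2.1 is dropped as soon as it arrives from iBGP.
ip route 192.0.2.1 255.255.255.255 Null0
```

The trade-off the poster describes follows directly from the design: the edge routers drop everything addressed to 192.0.2.10, reflected SYN-ACKs and legitimate traffic alike, so the victim host is off the net for as long as the /32 is advertised. That is why RTBH is a way to protect the rest of the network during the minutes it takes to track the flood, not a fix for the victim; the static route is removed once the attack subsides. Filtering by source address instead is impractical for a reflective attack, since the SYN-ACKs come from many unwitting, otherwise legitimate hosts.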

