[54824] in North American Network Operators' Group
Re: Is there a line of defense against Distributed Reflective attacks?
daemon@ATHENA.MIT.EDU (Christopher L. Morrow)
Fri Jan 17 13:59:27 2003
Date: Fri, 17 Jan 2003 18:58:47 +0000 (GMT)
From: "Christopher L. Morrow" <chris@UU.NET>
To: "David G. Andersen" <dga@lcs.mit.edu>
Cc: "Christopher L. Morrow" <chris@UU.NET>,
John Kristoff <jtk@aharp.is-net.depaul.edu>, <nanog@merit.edu>
In-Reply-To: <20030117184434.GA70101@lcs.mit.edu>
Errors-To: owner-nanog-outgoing@merit.edu
On Fri, 17 Jan 2003, David G. Andersen wrote:
>
> On Fri, Jan 17, 2003 at 06:38:08PM +0000, Christopher L. Morrow mooed:
> >
> > > has something called Source Path Isolation Engine (SPIE). There
> >
> > This would be cool to see a design/whitepaper for.. Kelly?
>
> The long version of the SPIE paper is at:
>
> http://nms.lcs.mit.edu/~snoeren/papers/spie-ton.html
>
> The two-second summary that I'll probably botch: SPIE keeps a (very tiny)
> hash of each packet that the router sees. If you get an attack packet,
> you can hand it to the router and ask "From where did this come?"
> And then do so to the next router, and so on. The beauty of the scheme
> is that you can use it to trace single-packet DoS or security attacks
> as well as flooding attacks. The downside is that it's hardware.
This sounds like Steve Bellovin's thing called 'icmp traceback' where you
make up a new icmp type message and send that query through the system,
hop by hop... though I say that after only reading your blurb, not the
paper :)
As I recall the icmp thing (that might NOT have been all Steve, I just
heard him present it once) was a problem from a memory and processing
perspective, not to mention 'no router does this today' so it's a 3-year-off
feature addition... never mind the protocol additions :)
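The SPIE summary quoted above (a tiny per-packet digest kept at each router, then "From where did this come?" asked hop by hop), as an added toy simulation. This is a constructed illustration written for this archive page, not SPIE's code and not anything posted in the thread; the packet layout, the choice of which bytes go into the digest, and the Bloom filter size are assumptions. It also shows the two points a practitioner would want to check: the digest must be identical at every hop (so mutable fields such as TTL are masked), and a Bloom filter can answer "yes" falsely, which surfaces as more than one candidate path.

```python
import hashlib

# Constructed toy of hash-based (SPIE-style) single-packet traceback.
# Not SPIE's implementation; layout, digest and filter parameters are assumed.

BLOOM_BITS = 4096    # filter size per router (SPIE sizes these per time window)
BLOOM_HASHES = 3     # bit positions set per digest


def build_packet(src, dst, proto, ttl, payload):
    """Assumed toy layout: src(4) dst(4) proto(1) ttl(1) payload(8+ bytes)."""
    return bytes(src) + bytes(dst) + bytes([proto, ttl]) + payload


def packet_digest(pkt):
    """Digest over the fields that stay constant from hop to hop.

    The TTL byte is zeroed because every router decrements it; SPIE likewise
    masks the mutable IPv4 header fields and hashes the rest of the header
    plus the first 8 payload bytes, so one packet yields one digest everywhere.
    """
    invariant = pkt[:9] + b"\x00" + pkt[10:18]
    return hashlib.sha256(invariant).digest()


class DigestTable:
    """Bloom filter of packet digests: a few bits per packet, never the packet."""

    def __init__(self):
        self.bits = bytearray(BLOOM_BITS // 8)

    def _positions(self, digest):
        # k bit positions taken from disjoint 16-bit slices of the digest
        return [int.from_bytes(digest[2 * i:2 * i + 2], "big") % BLOOM_BITS
                for i in range(BLOOM_HASHES)]

    def add(self, digest):
        for p in self._positions(digest):
            self.bits[p // 8] |= 1 << (p % 8)

    def maybe_seen(self, digest):
        """True if all bits are set: the packet was seen, or a false positive."""
        return all(self.bits[p // 8] & (1 << (p % 8)) for p in self._positions(digest))


class Router:
    def __init__(self, name, upstream=()):
        self.name = name
        self.upstream = list(upstream)   # neighbours that can hand packets to us
        self.table = DigestTable()

    def forward(self, pkt):
        """Record the digest, then decrement TTL as a real forwarder would."""
        self.table.add(packet_digest(pkt))
        return pkt[:9] + bytes([pkt[9] - 1]) + pkt[10:]


def send_along(routers, pkt):
    """Deliver pkt through the routers in order (origin side first)."""
    for r in routers:
        pkt = r.forward(pkt)
    return pkt


def trace(router, digest, path=None):
    """Walk upstream from router, asking each neighbour whether it saw digest.

    Returns every candidate path, victim side first. More than one path means
    a Bloom-filter false positive or a packet that genuinely took both routes;
    the operator then disambiguates with timing or adjacent-hop data.
    """
    path = (path or []) + [router.name]
    hits = [u for u in router.upstream if u.table.maybe_seen(digest)]
    if not hits:
        return [path]
    found = []
    for u in hits:
        found.extend(trace(u, digest, path))
    return found


def demo():
    """Constructed topology: A -> B -> D and C -> D, with D next to the victim."""
    a, b, c = Router("A"), Router("B"), Router("C")
    b.upstream = [a]
    d = Router("D", upstream=[b, c])

    # The source address in the attack packet is not trusted; traceback asks
    # the routers instead of believing the header.
    attack = build_packet((10, 0, 0, 1), (192, 0, 2, 9), 17, 64, b"\x00" * 8 + b"flood")
    legit = build_packet((10, 0, 0, 7), (192, 0, 2, 9), 6, 64, b"GET / HT")
    received_attack = send_along([a, b, d], attack)
    received_legit = send_along([c, d], legit)

    # The victim hands the single packet it received to its edge router D and
    # the query walks upstream from there.
    return {"attack": trace(d, packet_digest(received_attack)),
            "legit": trace(d, packet_digest(received_legit))}


if __name__ == "__main__":
    print(demo())   # attack traces to D, B, A; legit to D, C
```

The single-packet property David mentions falls out of the design: nothing in `trace` needs more than one digest, which is what separates this from flow-sampling traceback. The memory cost Chris raises is the other side of the same coin: each router's filter must hold every forwarded packet for the window in which a query might arrive, and the false-positive rate climbs as the filter fills.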