[54846] in North American Network Operators' Group
Re: FW: Re: Is there a line of defense against Distributed Reflective
daemon@ATHENA.MIT.EDU (Avleen Vig)
Sat Jan 18 16:58:48 2003
Date: Sat, 18 Jan 2003 13:58:14 -0800 (PST)
From: Avleen Vig <lists-nanog@silverwraith.com>
To: "Christopher L. Morrow" <chris@UU.NET>
Cc: Daniel Senie <dts@senie.com>,
"nanog@trapdoor.merit.edu" <nanog@trapdoor.merit.edu>
In-Reply-To: <Pine.GSO.4.33.0301182022310.19744-100000@rampart.argfrp.us.uu.net>
Errors-To: owner-nanog-outgoing@merit.edu
On Sat, 18 Jan 2003, Christopher L. Morrow wrote:
> > Eliminating spoofed addresses from the backbone, even if it were possible
> > to do 100%, would not eliminate denial of service attacks. The DDoS attacks
>
> This was precisely the point of Mr. Gill from AOL at the aforementioned
> NANOG meeting, I believe his quote goes something like: "The ip address
> used for the attack is orthogonal to the problem..." To me this makes
> perfect sense... People really do get stuck on the red herring of
> 'stopping all spoofing'. That isn't the problem, as you say below here it's
> trivial to use owned hosts by the thousands to attack with unspoofed
> addresses... Rob Thomas has some good data on attacks against IRC
> servers and other hosts on the internet, his data last I recall was
> something like 80% of attacks use spoofed addresses, though more and more
> his tracked attacks are showing from non-spoofed hosts. He can certainly
> jump in and correct me though :) I can speak authoritatively from the
> network I work on's perspective on this issue, more and more we have seen
> non-spoofed attacks. There are still plenty of spoofed attacks, but
> frankly we prefer that as it's MUCH easier to track and stop.
You could partly get around this by blocking all 'SYN' packets going to
your customers :-)
Unless/until the kiddies start using UDP... messy.