[54857] in North American Network Operators' Group


Re: Is there a line of defense against Distributed Reflective attacks?

daemon@ATHENA.MIT.EDU (Steven M. Bellovin)
Sat Jan 18 23:19:57 2003

From: "Steven M. Bellovin" <smb@research.att.com>
To: nanog@merit.edu
Date: Sat, 18 Jan 2003 23:16:59 -0500
Errors-To: owner-nanog-outgoing@merit.edu


In message <Pine.GSO.4.44.0301182004040.16112-100000@clifden.donelan.com>, Sean
 Donelan writes:
>
>On Sat, 18 Jan 2003, Steven M. Bellovin wrote:
>> theory, trace a single packet.  But the real problem with either idea
>> is this:  suppose that you know, unambiguously and unequivocally, that
>> 750 zombies are attacking you.  What do you do with that information?
>
>The reality is it's not 750 zombies, it's generally one person controlling
>750 zombies attacking you.

Right -- and neither itrace nor hash-based tracing is going to solve
that:
>   3) Find and convict the true attacker

Hash-based trace might help on that, *if* there was recording of the 
packets to the zombies.  But doing that ubiquitously might -- would? -- 
turn the Internet into a surveillance state.
>   2) Track and stop DDOS quickly when it does happen

That's the point of pushback.

>So how do we
>   1) Make end-user systems less vulnerable to being compromised

That's my real goal...

		--Steve Bellovin, http://www.research.att.com/~smb (me)
		http://www.wilyhacker.com (2nd edition of "Firewalls" book)


