[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [PROPOSAL] DDOS - Distributed DoS (1 candidate)

>Candidate: CAN-2000-0138
REVIEWING - voter is reviewing/researching the candidate, or needs more info

I think that trinoo etc... are very similar to smurf attacks
(CVE-1999-0513 ) in the sense that a third party allows itself to be
used.  Also, there is an  obvious solution that can only be done by
that third party.

As for the CVE entry, I am considering whether the common entry point
could be reduced to "egress filtering has not been implemented or has
been disabled, allowing the sending of spoofed IP packets".
Incidentally, this would prevent the use of decoys in port scans,
etc...  This single CVE entry would be very powerful. We could use
the dot notation to list the DDoS tools and attacks that rely on the
absence of egress filtering based on the argument that if you have
egress filtering, nobody will bother to put or use DDoS tools on your

The weakness of this is that one could in theory still use DDoS tools
even if you have egress filtering -- only they will be one shot guns,
almost completely eliminating their appeal and effectiveness.  One
use, and they will be blocked, tracked down and destroyed


P.S.: I am attracted by the idea of starting an internet (fire)wall
of shame, for people who haven't implemented egress filtering.  It
worked pretty well against sites allowing themselves to be used for
smurf attacks (http://www.powertech.no/smurf/).  Why not use the same
strategy for egress filtering?  Of course it's hard to know who is
the source of IP spoofed  packets.  However the consistent detection
of crud originating from a server is a sure sign that they haven't
implemented egress filtering.  For example (my first candidate to
this wall of shame), this weekend the Linux suse ftp server sent many
packets with an illegal ip address as source, one reserved for local
area networks, upon making an ftp connection (it may still be doing
it, I haven't checked since -- the suse ftp admin mentioned that they
were aware of it).  It was easy to figure out it was them by
repeating the ftp connections and observing the 100% reproducibility
and time correlation of the extraneous packets.  In addition, the
suse servers kept sending me crud for *hours* after a failed attempt
to download their PPC beta.

The cost of egress filtering is easily justified.  The argument is
similar to those relating to pollution, excepted that people don't
try to break into your car if you have removed the catalytic

Page Last Updated or Reviewed: May 22, 2007