This is a sub-selection from Open can of worms


tubbynet
reminds me of the danse russe
Premium,MVM
join:2008-01-16
Chandler, AZ
kudos:1
reply to jjoshua

Re: Open can of worms

said by jjoshua:

Node was possibly not the correct term. Perhaps the cable modem itself would be better.
cable modems are pretty stupid in that regard. to get any real intelligence -- you're going to need to have an ingress policy on the provider's kit.

said by jjoshua:

Would it be hard to drop all packets with forged source addresses? It's clearly not going to stop all ddos attacks but it's going to do more than a notification system that doesn't do anything.
the addresses may or may not be forged. that's the difficulty. in the earlier days, this may have been the case to give the providers a difficult time to mitigate the dos -- to make it look like it was coming from all over when it was really just a specific location/carrier/netblock/etc.
the leading "d" in "ddos" stands for distributed. the issue is that when you start creating policies as a provider that drop traffic from netblocks that are causing grief -- is that when you've got 10,000 different ip's in many different blocks, you start blackholing *all* traffic. obviously, the simple solution would seem to be to just block individual ip addresses, but this becomes cumbersome because they are (a) always fluctuating (b) access-lists on carrier gear have limits, especially if you expect any high-speed transmission. there are optimization techniques that can be used, but the box will take a *major* hit -- if not puke all over itself -- when you make it handle acl's that are 10k-20k lines long. it just won't work.

q.
--
"...if I in my north room dance naked, grotesquely before my mirror waving my shirt round my head and singing softly to myself..."


jjoshua
Premium
join:2001-06-01
Scotch Plains, NJ
kudos:3
Reviews:
·Verizon FiOS

said by tubbynet:

the issue is that when you start creating policies as a provider that drop traffic from netblocks that are causing grief -- is that when you've got 10,000 different ip's in many different blocks, you start blackholing *all* traffic.
I don't think that you understand. I'm suggesting that there should be a way to stop a very specific type of malicious traffic at the source. I'm not talking about filtering at the destination.


tubbynet
reminds me of the danse russe
Premium,MVM
join:2008-01-16
Chandler, AZ
kudos:1

1 edit

said by jjoshua See Profile
I don't think that you understand. I'm suggesting that there should be a way to stop a very specific type of malicious traffic at the source. I'm not talking about filtering at the destination.

i do. hence this post above -- »Re: Open can of worms

cable modems are pretty stupid in that regard. to get any real intelligence -- you're going to need to have an ingress policy on the provider's kit.
it's not easy to do.

q.
--
"...if I in my north room dance naked, grotesquely before my mirror waving my shirt round my head and singing softly to myself..."


vpoko
Premium
join:2003-07-03
Boston, MA
reply to jjoshua

said by jjoshua:

I don't think that you understand. I'm suggesting that there should be a way to stop a very specific type of malicious traffic at the source. I'm not talking about filtering at the destination.
And which type of malicious traffic is that?


jjoshua
Premium
join:2001-06-01
Scotch Plains, NJ
kudos:3
Reviews:
·Verizon FiOS

said by vpoko:

said by jjoshua:

I don't think that you understand. I'm suggesting that there should be a way to stop a very specific type of malicious traffic at the source. I'm not talking about filtering at the destination.
And which type of malicious traffic is that?
I was thinking about ICMP flood.


tubbynet
reminds me of the danse russe
Premium,MVM
join:2008-01-16
Chandler, AZ
kudos:1

said by jjoshua:

I was thinking about ICMP flood.
what about tcp syn flooding? crafted sql, rpc, etc. attacks? a botnet isn't just icmp flooding. that is one fraction of *all* botnet attacks that are out there.

q.
--
"...if I in my north room dance naked, grotesquely before my mirror waving my shirt round my head and singing softly to myself..."


vpoko
Premium
join:2003-07-03
Boston, MA

said by tubbynet:

said by jjoshua:

I was thinking about ICMP flood.
what about tcp syn flooding? crafted sql, rpc, etc. attacks? a botnet isn't just icmp flooding. that is one fraction of *all* botnet attacks that are out there.
Not to mention, how do you decide what's a ping flood? Repeated pings become a DoS attack when the bandwidth of the target is less than the aggregate bandwidth of the source(s) of the attack. I've had occasion to need to run continuous pings on known endpoints (say, Google) while testing for intermittent connection issues. Even though I may have sent thousands of ICMP packets in a short time, it was not an attack.

Ping floods are generally only effective when they're distributed, and if they're distributed then you can't tell just by looking at a single source whether it's an attack.

jjoshua, I suggest you hit the books and learn about networking instead of trying to debate something you don't know much about.
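vpoko's point above is that a single source can legitimately send thousands of echo requests, while a flood only exists when the aggregate rate exceeds what the target can absorb. The following is an added example, not code from the thread; the per-second counts, the target capacity and the per-source limit are constructed values.

```python
from collections import Counter

# Constructed ICMP echo counts observed at a target's edge in one second.
# (source address, packets) -- hypothetical sample data, not from the thread.
LEGIT_DIAGNOSTIC = [("198.51.100.7", 2000)]  # one tester running a tight ping loop
DISTRIBUTED_FLOOD = [(f"203.0.113.{i}", 30) for i in range(1, 201)]  # 200 hosts, 30 pps each

TARGET_CAPACITY_PPS = 5000   # assumed: what the target link absorbs per second
PER_SOURCE_LIMIT = 500       # assumed: naive "above this you are an attacker" rule

def per_source_rule(records):
    """Sources that a per-source threshold would flag (sorted for stable output)."""
    counts = Counter()
    for src, pkts in records:
        counts[src] += pkts
    return sorted(src for src, n in counts.items() if n > PER_SOURCE_LIMIT)

def aggregate_rule(records, capacity=TARGET_CAPACITY_PPS):
    """True when the summed rate from all sources exceeds the target's capacity."""
    return sum(pkts for _, pkts in records) > capacity

def assess(records):
    """Compare both rules on one record set."""
    return {
        "flagged_sources": per_source_rule(records),
        "aggregate_pps": sum(pkts for _, pkts in records),
        "saturates_target": aggregate_rule(records),
    }

if __name__ == "__main__":
    # The single loud tester trips the per-source rule but does not saturate the link;
    # the distributed flood trips no per-source rule yet does saturate it.
    print("diagnostic:", assess(LEGIT_DIAGNOSTIC))
    print("flood:     ", assess(DISTRIBUTED_FLOOD))
```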


tubbynet
reminds me of the danse russe
Premium,MVM
join:2008-01-16
Chandler, AZ
kudos:1

said by vpoko:

Ping floods are generally only effective when they're distributed, and if they're distributed then you can't tell just by looking at a single source whether it's an attack.
yes. this is true. however, ping attacks are generally considered "old school". they still occur, but there are much better icmp attacks that affect the route processor much more effectively. these attacks not only cause the processor utilization to spike, but will effectively break control-plane processing (a) limiting the access that a network operations center has to the device and (b) break the control plane of the router such that igp and bgp sessions could be broken and may have to wait in queue until the processor can process the neighbor adjacency packets again.

of course -- this whole argument has been network centric. different issues apply when dealing with end-host protection of servers and application clusters.

q.
--
"...if I in my north room dance naked, grotesquely before my mirror waving my shirt round my head and singing softly to myself..."


jjoshua
Premium
join:2001-06-01
Scotch Plains, NJ
kudos:3
reply to tubbynet

Is it not the case that these packets all have forged source IPs?



tubbynet
reminds me of the danse russe
Premium,MVM
join:2008-01-16
Chandler, AZ
kudos:1

said by jjoshua:

Is it not the case that these packets all have forged source IPs?
no. what would make them be forged?
that's the point of a *distributed* attack. the ips are not forged -- they are the actual source ip address of the computer being pwned (or the address of the nat'ing router). nothing about a botnet or ddos stipulates that the packets have a forged or spoofed source address. the sheer problem with a distributed attack is that there is no *clean* way to ensure all evil traffic is blocked while all good traffic is passed -- the sheer numbers of ip addresses and netblocks makes it impossible to do so. there are knobs that are provided by major manufacturers of network gear to minimize the collateral damage -- but nothing is perfect (as can be referenced by the major carrier mailing lists, such as nanog, c-nsp, and j-nsp).

q.
--
"...if I in my north room dance naked, grotesquely before my mirror waving my shirt round my head and singing softly to myself..."


jjoshua
Premium
join:2001-06-01
Scotch Plains, NJ
kudos:3
Reviews:
·Verizon FiOS

I guess that even wikipedia is wrong: »en.wikipedia.org/wiki/Denial-of-···e_attack

If you're telling me that my ideas suck, then what do you propose?

Firewalls keep out intruders but what can we do to enhance them to detect when we are sending out malicious traffic?

Think big. Could firewalls all work with each other to identify similar malicious traffic and then filter the offenders?



tubbynet
reminds me of the danse russe
Premium,MVM
join:2008-01-16
Chandler, AZ
kudos:1

1 edit

said by jjoshua:

I guess that even wikipedia is wrong: »en.wikipedia.org/wiki/Denial-of-···e_attack
it's not wrong -- there are multiple variations of a ddos attack. sure -- the addresses can be spoofed, but there are a lot of knobs available that allow a provider to drop this weird traffic (i.e. inbound to your own autonomous system, sourced with your own netblock address; as_path lists not correlating; etc.). these knobs prevent a good share of this traffic on a properly configured edge ingress router.

If you're telling me that my ideas suck, then what do you propose?
they don't *suck*. they lack information on what is out there and what is being done to prevent ddos and botnets now. if cable modems become more intelligent -- your idea could work. however, there will always be the tinfoil hat crowd that wants all traffic unfiltered -- ignoring the fact that with personal freedom comes personal responsibility. it is the job of the provider/carrier to manage traffic in the best way possible to enhance the experience of all customers. i am for intelligent and transparent network management, whether that be placed on the customer or the carrier.

Firewalls keep out intruders but what can we do to enhance them to detect when we are sending out malicious traffic?
they can -- and many do. my personal web gateway device is a cisco 2821 isr. it's running a sizeable chunk of ips/ids definitions that inspect traffic inbound and outbound. i've put similar appliances in customer networks (ips 4200-series from cisco) and have also done a smaller "ips card" for a cisco asa5500-series firewall in smaller customer sites. these devices update definitions and allow granular selection of exploits to be tracked and the actions taken on each definition. the issue is that these devices are (a) often complex to set up (b) require the customer to understand the exploits and what is needed or not (or pay a contractor to manage this device for them) and (c) balance the security requirements with the performance hit (only a worry in high-speed networks). additionally, this is not something that is always going to "drop in" to a customer network -- especially due to the cost and care needed in configuration. sure -- something like this could be dropped into a cable modem, but would you want to pay upwards of $800+ for your previously $50 motorola cable modem?

Could firewalls all work with each other to identify similar malicious traffic and then filter the offenders?
yes -- but then you have to establish policy and trust zones between customers, providers, and transit carriers. while many of the aforementioned entities have similar goals when it comes to internet access -- the specifics on policy may not line up. additionally, if you have fractured trust zones, you open the door for traffic to slip through the cracks. it comes down to a "gentleman's" agreement that everyone does what they need or deem appropriate and if those policies are not followed, mitigation in the best way possible must be done. this is why it often takes time for the interwebs to calm down in a given sector after some sort of ddos/botnet attack.

it's not a clear-cut problem to solve. this is why i applaud comcast in providing a transparent solution to an issue that affects us all in some way or another; they are trying to take a step in the right direction.

q.

[edit] having trouble typing today. apparently.
--
"...if I in my north room dance naked, grotesquely before my mirror waving my shirt round my head and singing softly to myself..."
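The edge-ingress knobs tubbynet describes (dropping transit traffic that claims the provider's own netblock as its source, and accepting only the assigned prefix on each customer-facing port) amount to a per-interface source-address check. This is an added illustration, not code from the thread or from any vendor; the interface names, netblocks and sample packets are constructed, and the bogon list is a short hypothetical subset.

```python
import ipaddress

# Constructed provider-edge layout (hypothetical; not from the thread).
OWN_NETBLOCKS = [ipaddress.ip_network("203.0.113.0/24"),
                 ipaddress.ip_network("198.51.100.0/24")]

# Customer-facing ports and the source prefix assigned behind each one.
CUSTOMER_IFACES = {
    "ge-0/0/1": ipaddress.ip_network("203.0.113.0/26"),
    "ge-0/0/2": ipaddress.ip_network("203.0.113.64/26"),
}
TRANSIT_IFACES = {"xe-1/0/0"}  # links to peers / upstream carriers

# Private and link-local space that should never arrive on a carrier edge.
BOGONS = [ipaddress.ip_network(n) for n in
          ("0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
           "172.16.0.0/12", "192.168.0.0/16")]

def ingress_verdict(iface: str, src: str) -> str:
    """Return 'permit' or 'drop: <reason>' for a packet arriving on iface with source src."""
    s = ipaddress.ip_address(src)
    if any(s in b for b in BOGONS):
        return "drop: bogon source"
    if iface in TRANSIT_IFACES:
        # A peer must never hand us a packet sourced from our own address space.
        if any(s in n for n in OWN_NETBLOCKS):
            return "drop: own netblock sourced from outside"
        return "permit"
    if iface in CUSTOMER_IFACES:
        # Strict validation: only the prefix assigned to this port may appear as source.
        if s in CUSTOMER_IFACES[iface]:
            return "permit"
        return "drop: source not assigned to this customer port"
    return "drop: unknown interface"

# Constructed sample packets: (ingress interface, source address).
SAMPLE = [("xe-1/0/0", "192.0.2.10"), ("xe-1/0/0", "203.0.113.5"),
          ("ge-0/0/1", "203.0.113.20"), ("ge-0/0/1", "203.0.113.200"),
          ("ge-0/0/2", "10.1.2.3")]

def run_samples():
    return [(iface, src, ingress_verdict(iface, src)) for iface, src in SAMPLE]

if __name__ == "__main__":
    for iface, src, verdict in run_samples():
        print(f"{iface:10} {src:16} {verdict}")
```

Note that 203.0.113.200 is inside the provider's own /24 but not inside the /26 assigned to ge-0/0/1, so it is dropped on that port even though it would be a valid source elsewhere in the network.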


jjoshua
Premium
join:2001-06-01
Scotch Plains, NJ
kudos:3
Reviews:
·Verizon FiOS

This part of the discussion got a little bit off topic. However, I think that I was correct when I suggested that comcast COULD build a network where one user's lack of security wouldn't affect other users.

It might require additional technology and resources but it could be done. Thanks for helping me to make my point.



tubbynet
reminds me of the danse russe
Premium,MVM
join:2008-01-16
Chandler, AZ
kudos:1

said by jjoshua:

This part of the discussion got a little bit off topic. However, I think that I was correct when I suggested that comcast COULD build a network where one user's lack of security wouldn't affect other users.
you seem to think that comcast operates in a vacuum. this is not the case. what you are suggesting would take a huge cooperative effort between a large number of carriers and providers. even then -- it would not be foolproof and there are many other issues that plague a carrier that would cause something like this to be an issue. in my mind -- you are making a huge deal over something comcast is trying to handle with this system. however, if every problem begins to look like a nail....

q.
--
"...if I in my north room dance naked, grotesquely before my mirror waving my shirt round my head and singing softly to myself..."