[e2e] DDoS attack vs. Spoofing of Source Address

Joe Touch touch at ISI.EDU
Thu Jan 19 16:46:42 PST 2006



John Kristoff wrote:
> On Thu, Jan 19, 2006 at 12:23:27PM -0800, Joe Touch wrote:
> 
>>> Many DoS agents have had the ability to randomly fake the source
>>> address and of course they commonly come up with a "bogon".
>> Sure. That sounds more like a bug in their source address checking code,
>> IMO.
> 
> If I were to think as an attacker, why would I spend my effort writing
> perfect spoofing code when it is clearly not necessary for my attacks
> to be effective?

If you 'slip' and generate bogons, and because of that your attack is
more readily detected, you have been less effective.

> Likewise, if I'm one trying to mitigate the attacks,
> why would I focus on trying to stop spoofing?

That depends entirely on whether spoofing or the DoS attack itself is
easier to detect. Some DoS attacks are isomorphic to flash crowds; in
those cases, if there is no spoofing, the best you can do is shed load
gracefully anyway.

If the DoS attack is otherwise detectable as an attack per se, you shed
it preferentially.

The question is whether that detection is based on "this is spoofed" or
based on some other property of the traffic (e.g., too many users asking
for a particular file, too many SYNs that don't reply to SYN/ACKs, etc.).

Joe
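The distinction drawn in the message above, between detecting an attack because its sources are spoofed (bogon addresses, SYNs that never complete the handshake) and detecting it from some other property of the traffic (many completed connections all asking for one file), can be turned into a small classifier. The following is an added example, not code from the original post or from the end2end-interest list; the event records, the bogon prefix list (a hand-picked subset, not a maintained one), the thresholds, and all function names are assumptions made for illustration.

```python
import ipaddress
from collections import Counter

# Illustrative subset of never-routable ("bogon") prefixes. This is an assumption for the
# example; a production filter would load a maintained list rather than this hand-picked set.
BOGON_PREFIXES = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
)]


def is_bogon(addr: str) -> bool:
    """True if the source address falls in a prefix that should never appear on the wire."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in BOGON_PREFIXES)


def handshake_stats(tcp_events):
    """tcp_events: (src, flags) as observed at the server. 'S' is the client's SYN,
    'A' is the client's final ACK. A source that sent a SYN but never ACKed our
    SYN/ACK is half-open: either spoofed (nobody there to answer) or unreachable."""
    syn_srcs, ack_srcs = set(), set()
    for src, flags in tcp_events:
        if flags == "S":
            syn_srcs.add(src)
        elif flags == "A":
            ack_srcs.add(src)
    return {
        "syn_sources": len(syn_srcs),
        "completed": len(syn_srcs & ack_srcs),
        "half_open": len(syn_srcs - ack_srcs),
        "bogon_sources": sum(1 for s in syn_srcs if is_bogon(s)),
    }


def request_concentration(http_requests):
    """http_requests: (src, path). Share of all requests aimed at the single hottest path."""
    if not http_requests:
        return 0.0
    paths = Counter(path for _, path in http_requests)
    return paths.most_common(1)[0][1] / len(http_requests)


def classify(tcp_events, http_requests, half_open_threshold=0.5, hot_path_threshold=0.8):
    """Decide which detection property, if any, the traffic trips. Thresholds are assumed."""
    stats = handshake_stats(tcp_events)
    stats["hot_path_share"] = request_concentration(http_requests)
    syn = stats["syn_sources"]
    if syn and stats["half_open"] / syn >= half_open_threshold:
        # SYNs that never answer our SYN/ACK: a spoofing signal, confirmed if bogons appear.
        stats["verdict"] = "syn_flood_spoofed" if stats["bogon_sources"] else "syn_flood"
    elif stats["hot_path_share"] >= hot_path_threshold:
        # Handshakes complete, so sources are real; the only signal is everyone wanting one file.
        stats["verdict"] = "flash_crowd_or_app_flood"
    else:
        stats["verdict"] = "normal"
    return stats


# Constructed sample traffic (not captured data), using documentation address ranges.
SYN_FLOOD = [(src, "S") for src in (
    "10.1.2.3", "203.0.113.7", "0.5.6.7", "198.51.100.9", "240.1.1.1", "192.0.2.44")]

FLASH_CROWD_TCP = [(s, f) for s in (
    "203.0.113.1", "203.0.113.2", "198.51.100.3", "198.51.100.4", "192.0.2.5")
    for f in ("S", "A")]
FLASH_CROWD_HTTP = [("203.0.113.1", "/hot.iso"), ("203.0.113.2", "/hot.iso"),
                    ("198.51.100.3", "/hot.iso"), ("198.51.100.4", "/hot.iso"),
                    ("192.0.2.5", "/index.html")]

NORMAL_TCP = [(s, f) for s in ("203.0.113.1", "198.51.100.3", "192.0.2.5") for f in ("S", "A")]
NORMAL_HTTP = [("203.0.113.1", "/a"), ("198.51.100.3", "/b"), ("192.0.2.5", "/c")]

if __name__ == "__main__":
    for name, tcp, http in (("syn flood", SYN_FLOOD, []),
                            ("flash crowd", FLASH_CROWD_TCP, FLASH_CROWD_HTTP),
                            ("normal", NORMAL_TCP, NORMAL_HTTP)):
        print(name, classify(tcp, http))
```

The two branches reflect the message's point: the half-open ratio and bogon count are the "this is spoofed" signals, and an attack that trips neither but concentrates completed connections on one object is indistinguishable from a flash crowd by source address alone, so the response is to shed load rather than to filter sources.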
