Ask Security Guru Dave Dittrich About DDoS Attacks
Yes, this is the University of Washington Dave Dittrich behind the software the FBI is trying to get you to use to help find the people doing the massive DoS attacks that have made headlines all over the place. Learn more about Dave and check out the info about the current brouhaha on his home page, then ask away. We'll send the 10-15 highest-moderated questions to Dave Friday evening, and post his answers as soon as he can get them to us in between answering questions from mainstream media types who, as you can imagine, are all over him right now.
Is vulnerability to DDoS-type attacks due to a flaw in the design of TCP or IP, or is the design of a network that's inherently resistant to such attacks an unsolved problem? Is it possible to imagine a fix that would address this, or a protocol that wouldn't be vulnerable even when many machines are compromised?
--
Xenu loves you!
How viable would spoof protection at the backbone level be? In other words, after a certain date, all downstream links are categorized as either able to peer for other network blocks, or simply not. Admins who can't be bothered to spoof-protect their networks would get IP source ranges outside their IANA-assigned IP block dropped at their first upstream provider; sites which need to maintain peering relationships thus have their direct motivation (their backup networks will cease to function) to specifically lock down their peer forwarding to only those IP ranges they're actually peered with.
Yes, you obviously get problems as peering scenarios get traveling-salesman levels of complexity, but most sites (to my knowledge) don't exceed more than a few levels of peering--we should take advantage of this fact to enforce a top down elimination of infinite source spoofability? And, if so, would the precedent that this creates help or hinder the growth and freedom of the Internet?
Yours Truly,
Dan Kaminsky
DoxPara Research
http://www.doxpara.com
> A switch functions by only analyzing the raw ethernet (or mac) address.
Not necessarily, anymore. L3 Switching and even L4 Switching is quite hot nowadays. Matching bits and ANDing them--that's what switches do, and that's what IP Interface checking does. L3 and L4 switches essentially match more bits in their quest to do better and more accurate QoS. I'm not absolutely sure if Cisco's switches will do the IP range checking, but I wouldn't be surprised if they did it in hardware. Sig, it's a cheap operation.
> A router works at a higher level, and CAN do
> stateful analysis... but for speed you really
> shouldn't - that's what the firewall is for.
> Firewalling the backbones would be... umm..
> very bad.
For cryin' out loud, this has NOTHING to do with State. Either I'm sending out a packet on a bogus source, or I'm not. This contrasts *heavily* against "Firewall receives an ACK packet--is it spoofed, or is it a response to a pre-existing SYN? Better check the state..."
I'm not talking about firewalling the backbones, only the entry points. And what the hell do you think Yahoo screamed at their ISPs to do when lots of traffic was coming down the pipe that had nothing to do with the Web? "KILL EVERYTHING BUT PORT 80!"
That's not firewalling the backbones. That's managing the access points.
Yours Truly,
Dan Kaminsky
DoxPara Research
http://www.doxpara.com
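The edge check described in the two posts above (drop packets whose source address is outside the ranges a downstream link is entitled to send, with links that may peer for other blocks allowed an extra prefix set) is a stateless prefix-membership test, not a connection-state lookup. The following is an added example, not code from the thread or from any vendor; link names, prefixes and packets are constructed for illustration.

```python
# Added example: a stateless ingress source-address check at a provider edge.
# Each downstream link is either restricted to its own assigned block, or
# (if it peers for others) additionally allowed the blocks it transits.
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Link:
    name: str
    assigned: tuple          # prefixes assigned to this customer (hypothetical values)
    transit_for: tuple = ()  # prefixes this link may forward on behalf of peers
    may_peer: bool = False   # links that peer for other blocks get transit_for as well


def allowed_sources(link):
    """Prefix set a link may legitimately source packets from."""
    nets = [ipaddress.ip_network(p) for p in link.assigned]
    if link.may_peer:
        nets += [ipaddress.ip_network(p) for p in link.transit_for]
    return nets


def accept_packet(link, src):
    """Stateless decision: no SYN/ACK table, just 'is src inside an allowed prefix'."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in allowed_sources(link))


def filter_packets(link, packets):
    """Split a batch of (src, dst) pairs seen on a link into accepted and dropped."""
    accepted, dropped = [], []
    for src, dst in packets:
        (accepted if accept_packet(link, src) else dropped).append((src, dst))
    return accepted, dropped


# Constructed sample data using documentation prefixes (RFC 5737), not real networks.
LINK_A = Link("cust-a", ("192.0.2.0/24",))
LINK_B = Link("peer-b", ("198.51.100.0/24",), ("203.0.113.0/24",), may_peer=True)
SAMPLE_PACKETS = [
    ("192.0.2.10", "198.51.100.1"),   # cust-a's own block: fine on LINK_A
    ("203.0.113.5", "198.51.100.1"),  # a peer's block: spoofed on LINK_A, valid on LINK_B
    ("198.51.100.7", "192.0.2.1"),    # peer-b's own block
    ("100.64.0.9", "192.0.2.1"),      # outside every allowed range: dropped everywhere
]

if __name__ == "__main__":
    for link in (LINK_A, LINK_B):
        acc, drop = filter_packets(link, SAMPLE_PACKETS)
        print(link.name, "accepted", len(acc), "dropped", len(drop))
```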
It is nearly a mantra among us that there is no security through obscurity. It would seem that with a sufficient number of us too lazy or too ignorant to secure our own machines that there is possibly no security through openness either. Do you think that the open research model that Mixter, Farmer and others have always advanced as a reason for releasing their tools is still justified?
I think one of the biggest issues will be identifying Denial of Service as an attack. I have a legitimate load testing utility that simulates actual browser traffic. Say I run it against someone else's site. They'll see that a lot of traffic's coming from me, and eventually figure out it's bogus and take appropriate measures. But distribute this, and it'll look like actual traffic. Get enough friends doing it, and we take 'em down with what appears to be perfectly normal browsing.
The analogy to the "real" world is roads and bridges. During normal hours, they run well. During rush hour, they clog up and perform poorly. And during a demonstration (like recent examples in Seattle and Miami), they clog up and perform poorly. You can consider the recent anti-WTO situation up in Seattle to have been a DoS attack on downtown. But you wouldn't consider gridlock at 5:30PM in Los Angeles to be a DoS attack.
To solve these problems, you have to know what's causing it. If it's just normal traffic and the infrastructure is insufficient, it gets ignored until people get fed up enough to vote more tax money into building wider roads or better public transportation (again, analogous to buying more servers or a fatter pipe). If it's demonstrators, you either address their concerns or you send in the National Guard to beat the crap out of them (depending on the political climate).
In this world, it's easier to differentiate the two situations. If a bunch of cars are jammed together at rush hour, you know it's a traffic problem. If it's crowds of people singing songs and holding signs, you know it's a demonstration. And if it's a possible sick-out at Northwest Airlines, you're not sure if it's a DoS or not, so you get a warrant to read their home email and find out.
With computer protocols, though, usage and abuse can look identical. Even wild surges in activity can be from legitimate usage. How do you foresee systems being put in place that can differentiate between actual usage and DoS? Doesn't this almost inevitably lead to some non-forgeable, traceable, unique identifier? And doesn't this translate to the demise of privacy on the web?
Eloi, Eloi, lema sabachtani?
www.fogbound.net
There seem to be several solutions floating around, mostly smart routers that track valid traffic and MAC addresses.
Would changing to IPv6 help eliminate these types of attacks? From what I read of the specs on IPv6, all the data needed to track a packet from destination right down to the MAC address is included in the packet.
Thanks.
"History doesn't repeat itself, but it does rhyme." Mark Twain