Slashdot Mirror


Egress Filters - Can They Solve The DDoS Problem?

dhammabum asks: "Considering that egress filtering is the fundamental way to prevent distributed denial of service attacks (DDoS), could ARIN, APNIC, RIPE, and national NICs band together and force registered IP address holders to apply egress filters against their networks? It seems to me this is the only way to truly stop this problem (and reduce other crack methods), and NICs have the authority to actually enforce it -- no filter, no routing of your packets. I can't, though, think of an easy way to test it. What do you think, is this a practical measure? Or do packets, along with information, 'want to be free'?"

4 of 7 comments

  1. Re:Egress Filtering Doesn't Work by dougmc · Score: 4
    Egress filtering doesn't limit bandwidth. It makes sure that packets leaving your `network' have the appropriate source IP address. If they don't, they don't pass the filters. This should have *no* effect on any legitimate traffic (unless somebody has a misconfigured dual-home setup.)

    And to answer the question, YES, they could solve a large part of the DDoS problems that the Internet has been seeing for years. People have been saying this for years -- and they're right!

    It won't solve *all* of the DDoS attacks, but the ones that it doesn't stop outright will suddenly become much easier to track down. Alas, this will only be true if *everybody* egress filters, and this won't happen overnight ...

    There are a few reasons why it's not as popular as it should be -

    1) people don't care. Egress filtering doesn't protect you from attack, it just helps keep your network from being used to attack others. It's a subtle difference, but important. We ran into the same problem when we tried to get people to fix their networks so they couldn't be used as smurf amplifiers.

    2) when a network IS used to spoof packets, the packets are spoofed -- it's very difficult to find out where they came from in the first place, so you can't just email the originating network and tell them to do egress filtering. When you're under attack, you have no way of knowing whose network needs egress filtering.

    3) it does use up router CPU. This sort of filtering, while cheap, is not free.

    With some luck, the large backbones will be able to start doing egress filtering (or, for them it may be ingress filtering, depending on how it's configured) and do it, even if their customers won't. Time will tell.
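The check dougmc describes (the practice RFC 2827 / BCP 38 later codified), as an added example that is not code from the original thread. A site that owns 203.0.113.0/24 (an RFC 5737 documentation prefix, used here as a constructed example) should never emit a packet whose source address lies outside the prefixes it legitimately originates. The same check, installed by the upstream provider on the customer-facing interface with the customer's allocations as the permitted list, is the "ingress filtering" dougmc mentions at the end. The prefixes, victim address and traffic below are all constructed; the filter also shows the dual-homed misconfiguration dougmc warns about.

```python
"""Added example, not code from the original thread: the source-address
egress filter dougmc describes, applied to constructed outbound traffic."""
import ipaddress
from dataclasses import dataclass

OWN_PREFIX = "203.0.113.0/24"      # constructed: the site's own allocation
PARTNER_PREFIX = "192.0.2.0/25"    # constructed: prefix a dual-homed site also originates
VICTIM = "198.51.100.7"            # constructed: target of the spoofed flood


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


class SourceFilter:
    """Pass a packet only if its source address lies in a permitted prefix.

    `permitted` must list every prefix that legitimately originates
    traffic through this interface. Forgetting one (for instance the
    partner prefix of a dual-homed site) silently drops real traffic,
    which is the misconfiguration dougmc warns about; for a single-homed
    site the list is simply its own allocation.
    """

    def __init__(self, permitted):
        self.permitted = [ipaddress.ip_network(p) for p in permitted]
        self.passed = 0
        self.dropped = 0

    def allows(self, pkt):
        src = ipaddress.ip_address(pkt.src)
        return any(src in net for net in self.permitted)

    def process(self, packets):
        """Apply the filter; returns the packets that leave the network."""
        forwarded = []
        for pkt in packets:
            if self.allows(pkt):
                self.passed += 1
                forwarded.append(pkt)
            else:
                self.dropped += 1
        return forwarded


def constructed_traffic():
    """Constructed outbound traffic: legitimate packets from the site's own
    prefix, legitimate packets from the partner prefix, and a spoofed flood
    whose source addresses the site does not own."""
    legit = [Packet(f"203.0.113.{i}", VICTIM) for i in range(1, 11)]
    partner = [Packet(f"192.0.2.{i}", VICTIM) for i in range(1, 6)]
    spoofed = [Packet(f"10.{i}.0.1", VICTIM) for i in range(20)]
    return legit + partner + spoofed


def run_filters():
    """Compare a filter that forgot the partner prefix with a correct one.
    Returns (passed, dropped) for each."""
    traffic = constructed_traffic()
    too_strict = SourceFilter([OWN_PREFIX])
    too_strict.process(traffic)
    correct = SourceFilter([OWN_PREFIX, PARTNER_PREFIX])
    correct.process(traffic)
    return {
        "too_strict": (too_strict.passed, too_strict.dropped),
        "correct": (correct.passed, correct.dropped),
    }


if __name__ == "__main__":
    print(run_filters())   # {'too_strict': (10, 25), 'correct': (15, 20)}
```

Both filters stop the whole spoofed flood; the difference is that the one built from the site's own prefix alone also throws away the partner's five legitimate packets, which is why the permitted list has to be kept in step with what the network actually routes. The linear scan over prefixes is the CPU cost dougmc's third point refers to; real routers do a longest-prefix lookup, but the decision is the same.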

  2. Many things could solve the problem, but WILL any? by bluGill · Score: 2

    Sure, filtering could solve the problem. So could changing attitudes so that nobody does DDoS attacks. As could... As could changing IP so that the MAC of every host a packet is received from is appended to the headers. As could...

    There are many solutions. Odds are, however, that nobody will implement any. The problem is people who want to attack others. (For whatever reason; generally silly ones that don't stand up to logic, though.)

  3. Tracing Attack by SEWilco · Score: 2
    Egress filtering should be done, both to block outgoing attacks and to protect others from mistakes within your network. ISPs have more difficulty doing it, but every private/corporate net should be doing it.

    However, there also has been a proposal to deal with tracing a DOS. I can't find the reference at the moment, but it involves having routers randomly place routing tags in unused header fields -- partial info is inserted, but with a DOS attack there are so many repetitions that the routing data can be rebuilt at the destination.

    1. Re:Tracing Attack by frankie · Score: 2
      there also has been a proposal to deal with tracing a DOS.

      I remember that too. I think it was probably this article. Also, ingress filtering was discussed (on the main page) not long ago.

      The main problem with the "added tags" proposal is the same problem with egress filters -- it only works if the majority of ISPs are willing to spend money and time updating their routers. Given that egress filtering would flat out stop spoofed DDoS attacks, while tagging would only identify them, the proposal did not generate much interest.
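A simulation of the "random routing tags" traceback idea SEWilco describes above and frankie compares with egress filtering, as an added example that is not code from the original thread. It uses the node-sampling form of probabilistic packet marking: each router on the path overwrites a small mark field with its own identity with probability p, and the victim orders routers by how often each mark arrives. Router names, the path, the attack size, the seed and p are all constructed for the simulation; the mark is a Python string here, whereas a real deployment has to squeeze it into a few spare header bits, which is where the partial-information reassembly SEWilco mentions comes in.

```python
"""Added example, not code from the original thread: node-sampling
packet marking for DoS traceback, simulated on a constructed path."""
import random
from collections import Counter

MARK_PROB = 0.6   # p: assumed probability that a router overwrites the mark
# Constructed path, attacker side first; the victim's edge router is last.
PATH = ["r1-attacker-edge", "r2", "r3", "r4-victim-edge"]
FORGED_MARK = "forged-by-attacker"   # the attacker can fill the field too


def send_flood(n_packets, path, p, rng):
    """Return the mark each packet carries when it reaches the victim.
    Only the last router that chose to overwrite the field is visible."""
    marks = []
    for _ in range(n_packets):
        mark = FORGED_MARK
        for router in path:
            if rng.random() < p:
                mark = router
        marks.append(mark)
    return marks


def expected_fraction(distance, p):
    """Fraction of packets expected to carry the mark of the router that is
    `distance` hops upstream of the victim (1 = the victim's edge router):
    it must overwrite (p) and no router after it may (1-p each)."""
    return p * (1 - p) ** (distance - 1)


def rank_marks(marks):
    """Victim side: (mark, count) pairs, most frequent first. The nearest
    router ranks first and the farthest last. A mark the attacker forged
    survives with probability (1-p)**len(path), so it trails the real
    path exactly as one more distant router would; the victim has no way
    to tell from the counts alone where the real path ends."""
    return Counter(marks).most_common()


def run_traceback(n_packets=20000, seed=1):
    """Flood the constructed path and rank what the victim sees."""
    rng = random.Random(seed)
    return rank_marks(send_flood(n_packets, PATH, MARK_PROB, rng))


if __name__ == "__main__":
    for mark, count in run_traceback():
        print(f"{mark:20s} {count:6d}  expected ~{count / 20000:.3f}")
```

With p = 0.6 and a four-router path, the victim expects the marks to arrive in the proportions 0.6, 0.24, 0.096 and 0.038, so the ordering is unambiguous after a few thousand packets; that is the "so many repetitions" SEWilco relies on. The attacker's own forged value lands at 0.026, right behind the farthest real router, which is the catch frankie's reply does not mention: the scheme identifies the path only if every router on it participates and the victim has some other way to recognise where the path ends.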