Slashdot Mirror


Egress Filters - Can They Solve The DDoS Problem?

dhammabum asks: "Considering that egress filtering is the fundamental way to prevent distributed denial of service attacks (DDoS), could ARIN, APNIC, RIPE, and national NICs band together and force registered IP address holders to apply egress filters against their networks? It seems to me this is the only way to truly stop this problem (and reduce other crack methods), and NICs have the authority to actually enforce it -- no filter, no routing of your packets. I can't, though, think of an easy way to test it. What do you think, is this a practical measure? Or do packets, along with information, 'want to be free'?"

1 of 7 comments

  1. Re:Egress Filtering Doesn't Work by dougmc · Score: 4
    Egress filtering doesn't limit bandwidth. It makes sure that packets leaving your `network' have the appropriate source IP address. If they don't, they don't pass the filters. This should have *no* effect on any legitimate traffic (unless somebody has a misconfigured dual-home setup.)

    And to answer the question, YES, they could solve a large part of the DDoS problems that the Internet has been seeing for years. People have been saying this for years -- and they're right!

    It won't solve *all* of the DDoS attacks, but the ones that it doesn't stop outright will suddenly become much easier to track down. Alas, this will only be true if *everybody* egress filters, and this won't happen overnight ...

    There are a few reasons why it's not as popular as it should be -

    1) people don't care. Egress filtering doesn't protect you from attack, it just helps keep your network from being used to attack others. It's a subtle difference, but important. We ran into the same problem when we tried to get people to fix their networks so they couldn't be used as smurf amplifiers.

    2) when a network IS used to spoof packets, the packets are spoofed -- it's very difficult to find out where they came from in the first place, so you can't just email the originating network and tell them to do egress filtering. When you're under attack, you have no way of knowing whose network needs egress filtering.

    3) it does use up router CPU. This sort of filtering, while cheap, is not free.

    With some luck, the large backbones will be able to start doing egress filtering (or, for them it may be ingress filtering, depending on how it's configured) and do it, even if their customers won't. Time will tell.
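The check dougmc describes, as an added example that is not part of the original thread or any commenter's code: an egress filter only asks whether the source address of an outbound packet falls inside the prefixes the site actually holds. The prefixes, the Packet class and the sample packets below are constructed for illustration (RFC 5737 / RFC 3849 documentation ranges). The same function, fed a customer's assigned prefixes instead of your own, is the "ingress" variant a backbone would apply on a customer-facing interface, and the second call shows the dual-homed caveat: a site that announces two prefixes but lists only one in the filter drops its own legitimate traffic.

```python
import ipaddress
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """Minimal stand-in for an IP header: only the fields the filter looks at."""
    src: str
    dst: str
    proto: str = "udp"


def build_egress_filter(site_prefixes):
    """Return a predicate that is True when a packet's source lies in one of
    the site's own prefixes (hypothetical helper; real routers do this with an
    ACL or unicast reverse-path forwarding, RFC 2827 / RFC 3704)."""
    nets = [ipaddress.ip_network(p, strict=True) for p in site_prefixes]

    def allowed(pkt: Packet) -> bool:
        src = ipaddress.ip_address(pkt.src)
        # Address-family mismatch (v4 address vs v6 network) is simply False.
        return any(src in net for net in nets)

    return allowed


def apply_egress_filter(packets, site_prefixes):
    """Split outbound packets into (passed, dropped) by source-address check.
    Nothing else about the packet matters: no rate limit, no destination check."""
    allowed = build_egress_filter(site_prefixes)
    passed, dropped = [], []
    for pkt in packets:
        (passed if allowed(pkt) else dropped).append(pkt)
    return passed, dropped


def dropped_sources(dropped):
    """Tally forged sources; a flood of drops from one address is the trace
    back to the compromised host inside your own network."""
    return Counter(pkt.src for pkt in dropped)


# Constructed example: a dual-homed site holding one IPv4 and one IPv6 block.
SITE_PREFIXES = ["203.0.113.0/24", "2001:db8:1::/48"]

# Constructed outbound packets; the last three carry forged sources.
SAMPLE_PACKETS = [
    Packet("203.0.113.10", "198.51.100.1"),      # legitimate, our v4 block
    Packet("203.0.113.200", "192.0.2.9"),        # legitimate, our v4 block
    Packet("2001:db8:1::42", "2001:db8:2::1"),   # legitimate, our v6 block
    Packet("198.51.100.7", "192.0.2.9"),         # spoofed: someone else's block
    Packet("10.0.0.5", "192.0.2.9"),             # spoofed: private address
    Packet("203.0.114.1", "192.0.2.9"),          # spoofed: adjacent /24, not ours
]


if __name__ == "__main__":
    passed, dropped = apply_egress_filter(SAMPLE_PACKETS, SITE_PREFIXES)
    print(f"passed {len(passed)}, dropped {len(dropped)}")
    print("forged sources seen:", dict(dropped_sources(dropped)))

    # Misconfigured dual-home: the v6 prefix was left out of the filter, so
    # the site's own IPv6 traffic is now dropped alongside the spoofed packets.
    narrow_passed, narrow_dropped = apply_egress_filter(SAMPLE_PACKETS, ["203.0.113.0/24"])
    print("with only the v4 prefix listed, passed:", [p.src for p in narrow_passed])
```

The point the comment makes about cost also shows here: per packet the filter is a handful of longest-prefix comparisons against a very short list, which is why it is cheap but not free on a busy router.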