Slashdot Mirror


Pushback against DDOS Attacks

Huusker writes "Steven Bellovin and others at ATT Research Labs and ICIR have come up with mechanism to stop DDOS attacks. The idea is called Pushback. When the routers get flooded they consult a Unix daemon (/etc/pushbackd) to determine if they are being DDOS'ed. The routers propagate the quench packets back to the sources. The policy and propagation are separate, allowing hardware vendors to concentrate on the quench protocol while the white hats invent ever more clever DDOS detection filters for /etc/pushbackd. The authors of the paper have an initial implementation on FreeBSD."

6 of 159 comments

  1. Couldn't pushback be a DoS tool in itself? by Anonymous Coward · · Score: 5, Insightful

    If pushback is subverted, couldn't it function like an inverse DoS tool?

  2. Re:Manual RegEx? by Bill+Wong · · Score: 5, Insightful

    DDoS is usually bandwidth consumption...
    Even if you drop 100% of the evil packets...
    Your pipe is still filled...

    And for the amount of traffic needed to actually DDoS a large-enough site like Yahoo (4 Gbps last time around?), RegExs wouldn't be helpful,
    since the sheer amount of CPU required to process *every*single*packet*that*passes*through* is way too much...

  3. not all DDoS attacks.. by Anonymous Coward · · Score: 5, Insightful

    Not all DDoS attacks are bandwidth based, they could be application level and targeted at all sorts of other resources.

    Some examples:

    SYN floods can exhaust incoming connection queues.

    DNS floods (asking a recursive nameserver a million questions, or even asking an authoritative nameserver a million questions).

    Too many HTTP requests to processor intensive dynamic content pages could deny service well before you are serving at your bw limit.

    The paper kept referring to the aggregate detection algorithm only coming into effect when the bandwidth limit is being exceeded... it would be nice if these actions could be initiated in other situations also.

    Nevertheless, this is a promising initiative.

    --Iain

  4. Re:sure by Anonymous Coward · · Score: 5, Insightful

    That has to be one of the least constructive, head-in-the-sand arguments I've ever read. Did you read the article?

    The technique is about making the internet move the point of dropping the flood packets, BACK closer to the source. That is, remove the flood from the internet itself, and contain it into the localised areas.

    Instead of expecting the impossible as you suggest, (which is joe-average running a secure system), finally someone is thinking about securing the internet in general from unsecured systems, which is a pragmatic approach which may well protect the internet in general from many unforeseen DDOS attacks, as well as the ones we know about.

  5. blocking packets with forged return addresses by wfmcwalter · · Score: 5, Insightful

    Perhaps someone more network-literate than I can answer this DDoS question, which has bothered me for some time.

    I believe most DDoS attacks have the following in common:

    1. DDoS zombies generally send packets with forged return addresses, as doing so greatly complicates attempts both to block packets and to track down individual zombies.
    2. Machines used for DDoS attacks are almost always either corporate PCs or home PCs connected by DSL/cable. These nodes are single-homed, and as such packets emanating from them have only one initial route to the internet.

    My question is this - why can't corporate IT people or their counterparts at ISPs reprogram their front-line routers (those that directly connect to individual end-user PCs) to block packets with forged return addresses? Forged addresses typically are either totally illegal or indicate a totally different net or subnet from the actual sender.

    I can't see any reason why this wouldn't be a good idea - there really isn't any reason for the type of machines mentioned to ever act as true IP routers (as opposed to NATs), and it doesn't seem like this would be either hard or burdensome for the first-line routers to do.

    Employing this would mean that DDoSers would be confined to forging return addresses within the zombies' own subnet, which would make both blocking and back-tracking much easier.

    It's plain that this isn't done, so there must be a good reason why people much more network savvy than I haven't implemented it - what is it?

    --
    ## W.Finlay McWalter ## http://www.mcwalter.org ##

    1. Re:blocking packets with forged return addresses by swb · · Score: 5, Insightful

      "Good" networks prevent forged packets by doing what you suggest, dropping packets with bogus source addresses at the edge of the network or at appropriate ingress points.

      I think the argument that is made for not doing this at a lot of ISPs is that with most Cisco routers it's expensive, as a lot of their routers can't fast-switch with ACLs applied; they process-switch, turning an adequate router into an inadequate packet-dropper.

      It can also be a PITA to maintain -- if you put it at the very edge, like on an ISP's peering router with their upstream, it doesn't prevent in-block spoofing (e.g., spoofing packets within the ISP's block). If you try to beat that on all the aggregation routers, you have a lot of ACLs to maintain; customer churn could put address blocks all over the place.

      I'd argue that ISPs should make it a term of service that *their* customers ACL their edge routers; we-catch-spoofing-we-cut-you-off language.
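The per-interface source filtering that wfmcwalter proposes and swb describes, written up as an added Python example (not code from the page, the paper, or any router vendor): the aggregation router keeps, for each single-homed customer port, the prefixes that may legitimately appear as a source, drops everything else plus well-known bogon ranges, and fails closed on a port with no policy. Interface names, prefixes and sample packets are constructed; the last sample shows the in-block spoofing gap swb mentions, which a prefix filter cannot close.

```python
import ipaddress
from collections import Counter

# Constructed topology: an aggregation router with two single-homed customer
# interfaces. Each interface may only source packets from its assigned block.
INTERFACE_PREFIXES = {
    "eth1": [ipaddress.ip_network("203.0.113.0/24")],   # customer A (TEST-NET-3)
    "eth2": [ipaddress.ip_network("198.51.100.0/26")],  # customer B (TEST-NET-2)
}

# Source ranges that are never legitimate on a customer-facing ingress port.
BOGON_PREFIXES = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
)]


def ingress_verdict(iface, src):
    """Classify one packet by the interface it arrived on and its source address."""
    allowed = INTERFACE_PREFIXES.get(iface)
    if allowed is None:
        return "drop-unknown-iface"      # no policy for this port: fail closed
    addr = ipaddress.ip_address(src)
    if any(addr in b for b in BOGON_PREFIXES):
        return "drop-bogon"
    if any(addr in p for p in allowed):
        return "permit"
    return "drop-spoofed"                # source belongs to some other network


def summarize(packets):
    """Tally verdicts for a list of (iface, src) pairs; returns a plain dict."""
    return dict(Counter(ingress_verdict(iface, src) for iface, src in packets))


if __name__ == "__main__":
    # Constructed samples: legitimate traffic, forged sources, a bogon, and an
    # in-block spoof (a customer A host forging another customer A address).
    sample = [
        ("eth1", "203.0.113.5"),     # permit
        ("eth2", "198.51.100.9"),    # permit
        ("eth1", "198.51.100.9"),    # drop-spoofed: B's address arriving on A's port
        ("eth1", "192.0.2.44"),      # drop-spoofed: forged source from elsewhere
        ("eth2", "10.1.2.3"),        # drop-bogon: RFC 1918 source
        ("eth1", "203.0.113.77"),    # permit: in-block spoof is invisible here
    ]
    for entry in sample:
        print(entry, "->", ingress_verdict(*entry))
    print(summarize(sample))
```

The filter only knows which block belongs on which port, so a forged address inside the zombie's own block passes; that is exactly the residual case wfmcwalter expects and swb calls in-block spoofing.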