More Info on the October 2002 DNS Attacks

MondoMor writes "One of the guys who invented DNS, Paul Mockapetris, has written an article at ZDnet about the October '02 DNS attacks. Quoting the article: "Unlike most DDoS attacks, which fade away gradually, the October strike on the root servers stopped abruptly after about an hour, probably to make it harder for law enforcement to trace." Interesting stuff."

Responsibility of the ISP

[deepchasm]

The typical defense is to program routers to throw away excessive ping packets, which is called rate limiting. While this protects the server, the attack streams can still create traffic jams up to the point where they are discarded.

Well then, isn't it logical to try and rate limit/filter as close to the source as possible then? Of course this shifts responsibility...

If all ISPs were proactive in dealing with customers machines being used as zombies to launch attacks, then internet users as a whole would have less problems trying to deal with being the target of an attack.

A few logical steps:

• Filter out spoofed packets - the ISP has allocated the IPs to broadband users for goodness sake, it's much easier to filter packets when you know who's sent them than on the internet at large!
• Rate limit - no, not everything, don't go annoying the hell out of legitimate users. Something that will cut in when 100 PING packets per second go to a single host would be quite sufficient.
• Monitor for signs of trojan infection and REACT! I couldn't believe the amount of traffic I got in my web logs when Code Red was going around. How hard is it for the ISP to e-mail or ring up their customer and tell them that they're infected?

Some ISPs may do this, I don't know, but from the articles I read about DDoS attacks it appears that most don't.

Re:Solution?

[Mattsson]

What one *should* do is to configure backbone routers to not allow more than a cerain amount of ping per second...
Noone has a legitimate need for streaming several hundereds or thousands pings per second...
Or at least put a lid on it when someone starts sending lots of pings for more than a couple of seconds...

Re:Dalnet DDOS Attacks

It's virtually impossible to trace it back to the originator. First off, they are using slave machines, machines belonging to common people not aware their WinBlows system got infected with a trojan, just because they haven't paid attention to the latest security hole.

M$ is just as much a part of the problem as well. With more and more cable, DSL and other "always on" connectivity available, more and more of these machines are vulnerable.

Scanners out there can easily identify and infect 1000 home user's machines, and these attacks come from them. The actual perpetrator is long gone. All they do is momentarily log in and "fire it off", then they immediately log out, and they are gone.

Tracing IPs back to the attacker is just going to identify the innocent machines or owners who are totally unaware of their activity until they either power down their machines or somehow discover it.

Re:Solution?

[pla]

Or at least put a lid on it when someone starts sending lots of pings for more than a couple of seconds...

Doing so would require remembering who pinged, and when, for the last few seconds. Under normal conditions, that sounds trivial, but pings don't cause any problems under "normal" conditions. In a DDoS, you might have a million machines all pinging. How do you propose to store, look up, and update the last ping time for 100 million pings per second? A quick off-the-cuff calculation shows that *just the storage* for 10 seconds of such recording would take around 8Gb (32b IP and 32b timestamp). That doesn't include the CPU time to find matches (not that bad, since you can use the IP as an array index, but you can almost guarantee a continually invalid CPU cache) or update the list. And, that assumes you *always* dedicate that 8Gb to each server running on the machine, since otherwise the search you propose requires adding new pings to a dynamic list, making the lookup time become very very non-trivial.

More importantly, even if you *do* manage such a feat (or even get rid of ping altogether), attackers can still use other services (like, for example, DNS lookups, which I'd like to see a DNS server try to stop supporting).

Actually, it surprises me that no DDoS clients use SSH yet... Although not every machine (ie, Windows) runs an attackable server, a well-planned attack could suck up significant bandwidth, memory, *and* CPU power, all in one tidy packet.

Egress Filtering

[sczimme]

Implementation of simple egress filtering rules at border routers or at firewalls (regardless of who owns them) would dramatically decrease the efficacy of DDoS attacks.

If my organization owns the A.B.C network, there is no reason why any packets bearing a source address of anything other than A.B.C.* should be permitted to leave my network.

NAT environments can implement this by dropping packets with source addresses that do not belong to the internal network.

Of course, for this to be effective it would have be used on a broad scale, i.e. around the world...