Slashdot Mirror

← Back to Stories (view on slashdot.org)

Slashdot Asks: How Can We Prevent Packet-Flooding DDOS Attacks? (oceanpark.com)

Posted by EditorDavid on from the monkeys-vs-robots dept.

Just last month Brian Krebs wrote "What appears to be missing is any sense of urgency to address the DDoS threat on a coordinated, global scale," warning that countless ISPs still weren't implementing the BCP38 security standard, which was released "more than a dozen years ago" to filter spoofed traffic. That's one possible solution, but Slashdot reader dgallard suggests the PEIP and Fair Service proposals by Don Cohen: PEIP (Path Enhanced IP) extends the IP protocol to enable determining the router path of packets sent to a target host. Currently, there is no information to indicate which routers a packet traversed on its way to a destination (DDOS target), enabling use of forged source IP addresses to attack the target via packet flooding... Rather than attempting to prevent attack packets, instead PEIP provides a way to rate-limit all packets based on their router path to a destination.
I've also heard people suggest "just unplug everything," but on Friday the Wall Street Journal's Christopher Mim suggested another point of leverage, tweeting "We need laws that allow civil and/or criminal penalties for companies that sell systems this insecure." Is the best solution technical or legislative -- and does it involve hardware or software? Leave your best thoughts in the comments. How can we prevent packet-flooding DDOS attacks?

9 of 351 comments (clear)

  1. Set up correct secondary DNS servers by tlambert · · Score: 5, Interesting

    Set up correct secondary DNS servers.

    If the secondaries had not been hosted at the same company, but instead at various companies around the world, the attack would have had no effect on anything but traffic.

    This is, by the way, how multiply connected networks are supposed to work.

    This could be easily accomplished at no additional cost by having a peering-pool arrangement between all the host registrars, so that we ended up with a multiply connected redundant network.

    Kind of how we designed the thing to work in the 1960's and 1970's, and DNS itself in the 1980's.

    But a lot harder for law enforcement to issue DNS-based takedowns on, of course. Since it would route around the damage and keep functioning. As designed.

  2. Ineffective by DeathToBill · · Score: 5, Informative

    Technical measures that prevent address spoofing are quickly becoming obsolete anyway; AFAICT, the recent attacks on Krebbs and Dyn, the two biggest DDoS attacks ever, didn't use spoofed source addresses. A spoofed address is only useful in an amplification attack, where you send a small request which provokes a much larger response; then if you don't spoof the source address, you get a huge firehose of responses coming at you and it's you that gets DDoSed, not the target.

    In this case, the attackers didn't bother spoofing source addresses, because they didn't use an amplification attack; they just used a huge botnet all making ostensibly-valid requests and each device dealing with the response individually. It looks like the only way we have of preventing this sort of attack is to make the devices secure - easier said than done.

    --
    Slashdot - News for Nerds, Stuff that Matters, in ISO-8859-1 Has just realised that beta makes this signature redundant
    1. Re:Ineffective by Smidge204 · · Score: 5, Insightful

      I guess it depends on what qualifies as a "technical measure" then?

      From what I understand, a very large portion of the devices were compromised because they used default passwords that were never changed. I would consider having a device disabled/crippled out of the box until a new password was set to be a technical measure.
      =Smidge=

  3. How do we prevent flooding the phone system? by Anonymous Coward · · Score: 5, Insightful

    If a manufacturer made a device that connected to the public phone system, that could be compromised and made to call thousands of people at random, they'd soon find themselves facing product recalls, fines, import bans, and liability for the disruption caused.

    Why should IoT devices be any different?

    Some shitty noname Chinese remote webcam manufacturer hardcoded 'admin' as the password and tunnels through routers using uPnP to listen on the internet? Import ban that shit. Slap on a fine. Seize any of their American assets or property to pay it. They'll soon get the message that security can't be neglected. It's not hard to fix this stuff given the will.

  4. DoS by ledow · · Score: 5, Interesting

    As most of this traffic was "genuine", i.e. not spoofed, not faked, not bouncebacks, not violation of the protocol, etc. it's hard to do much about it. Even if you were running protocols where each packet had to be part of an authenticated stream, you would still have the same problem.

    The only technical solution I can think of is a protocol with which you can communicate with an upstream host and have them implement a filter of your choice to the traffic they send you before it comes down your line.

    Quite literally "please block anything from these IP's or traffic that matches this pattern".

    But I cannot imagine such a thing ever be implemented as it pushes the burden further and further upstream and the top-layer will be overwhelmed with traffic and their filters running hot all day long, especially if they have millions of customers all specifying complex rules.

    There's no way I can see to stop something like this, where millions of random devices starting genuine full connections and responding as any other client, without just rate-limiting (which rate-limits your other genuine clients) or engaging in the packet conversation as you normally would (which would be enough to cause a DoS in itself).

    Even if you can spot a pattern, it'll be changed in the next iteration, or dynamically and randomly generated in time. It's like spam-filtering at packet-speeds, and as stupendously unreliable.

    Previously, it was faking source IPs, which can be solved by ISPs being required to only allow their announced ranges. Now, with just millions of valid connections, a DoS is indistinguishable from a service just suddenly becoming incredibly popular with real users.

    Any method, protocol, or setup where they have to connect to you like that and you perform some kind of check or measure against their connection (even, say, setting up a TLS session) can be replicated by the botnet just as easily.

    There's no solution to what is effectively "junk mail" inside a TCP/UDP packet.

  5. Re:Make ISPs at the source responsible by ledow · · Score: 5, Informative

    They are.

    No source addresses were faked here.

    Just millions of "genuine", unfaked connections.

    That's the "new" part of this attack. It's not trying to pretend it's anything that it isn't. It's literally just millions of devices requested advertised services and responding to their responses in the correct manner.

    Imagine a DDoS of just asking for Wikipedia pages. It's hard to combat because you have no way to distinguish it from just a sudden surge of genuine traffic.

  6. Prevent the participants by Opportunist · · Score: 5, Insightful

    It's been said before here, so allow me to offer a "how" for the obvious and already mentioned "secure the damn crap people hook up to the net".

    This will only work with legislature. Sorry to all my libertarian friends here, but yes, there are times when the only way to sort out a problem is government intervention. These times are when you have to force people to do something for the "greater good" when they themselves would have a (smaller) profit from not giving a shit. And if there has ever been a good example, it's this. People don't give a shit about their IoT devices being insecure, because it does not affect them directly, but these insecure devices threaten the usability of the internet for all of us.

    This is one of the reasons organizations like the FCC were created. Remember that sticker? Few people notice it nowadays because, well, it's a given that devices don't create harmful interference and that they don't go bananas if they are subject to any, but this was anything but certain in the early days of electronics. And no, that sticker itself doesn't do jack, of course, but it is a promise that the manufacturer has to live up to or face a heavy fine and ban of his device.

    We need something like this for the IoT devices. "This device will not cause trouble on the internet and cannot be hijacked from there". Live up to it or see your device recalled. It pains me to ask for this, but it's time to create a government entity that deals with this. Or maybe hand it to the FCC so they start doing something useful again.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  7. You could start by... by dohzer · · Score: 5, Insightful

    You could start by not giving IP addresses to kettles and toasters.

  8. non centralized DNS by Lumpy · · Score: 5, Insightful

    I was 100% unaffrected by the DDOS attack on DNS because I run a cacheing DNS server that I set to break the rules of DNS. I cache DNS until I get an update.

    a DNS request is passed through to the main servers, if I get no response in 100ms I fall back to cached information. cached information does not expire for 30 days

    so unless some obscure site that changes it's IP constantly decides to hop IP's during the DDOS attack I have zero issues.

    --
    Do not look at laser with remaining good eye.