Slashdot Mirror


User: dugsong

dugsong's activity in the archive.

Stories: 0 · Comments: 6

Comments · 6

  1. Backscatter analysis on Study on DoS Activity In The Internet · Score: 2

    Analyzing the backscatter traffic from attacks is actually a very well-known technique among firewall admins and other security practitioners.

    lcamtuf's wtfs project, for instance, has successfully used this kind of distributed monitoring to discover many interesting probes, including Hotmail's stealthy reverse tracerouting, strange behaviour from f5 load balancers, as well as many actual attacks and scans, by monitoring unused /16s and random hosts across the net.
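To make the technique concrete, here is an added example (not dugsong's code, nor lcamtuf's) of the darknet backscatter analysis the comment refers to: packets arriving at an unused /16 are classified as backscatter (replies a victim sends to spoofed sources), as probes, or as other, and the victim's inbound flood rate is extrapolated from the fraction of IPv4 space the monitor covers. The monitored prefix and all packet records are constructed placeholders.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed placeholder for an unused /16 whose only inbound traffic is unsolicited.
MONITORED = ip_network("10.0.0.0/16")
SCALE = 2 ** 32 / MONITORED.num_addresses   # 1 / (fraction of IPv4 space we watch)

# Replies a flooded host sends to forged source addresses that happen to land in our space.
BACKSCATTER = {
    ("tcp", "SA"), ("tcp", "R"), ("tcp", "RA"),
    ("icmp", "echo-reply"), ("icmp", "unreachable"), ("icmp", "ttl-exceeded"),
}
# Unsolicited requests into dark space: scans and probes, not backscatter.
PROBE = {("tcp", "S"), ("udp", "")}

def classify(pkt):
    """Return 'backscatter', 'probe' or 'other' for one packet record."""
    if ip_address(pkt["dst"]) not in MONITORED:
        return "other"
    key = (pkt["proto"], pkt.get("flags", ""))
    if key in BACKSCATTER:
        return "backscatter"
    if key in PROBE:
        return "probe"
    return "other"

def infer_victims(pkts, window_s, min_pkts=3):
    """Group backscatter by its source (the flooded victim) and estimate the
    victim's inbound attack rate by scaling what our slice of address space saw."""
    per_victim = defaultdict(int)
    for p in pkts:
        if classify(p) == "backscatter":
            per_victim[p["src"]] += 1
    return {v: {"observed": n, "est_pps": n * SCALE / window_s}
            for v, n in per_victim.items() if n >= min_pkts}

# Constructed 10-second capture: one host answering a spoofed SYN flood, plus stray noise.
SAMPLE = (
    [{"src": "192.0.2.10", "dst": f"10.0.{i}.{i}", "proto": "tcp", "flags": "SA"}
     for i in range(1, 41)]
    + [{"src": "192.0.2.10", "dst": "10.0.9.9", "proto": "tcp", "flags": "RA"},
       {"src": "198.51.100.7", "dst": "10.0.1.2", "proto": "tcp", "flags": "S"},
       {"src": "198.51.100.8", "dst": "10.0.1.3", "proto": "icmp", "flags": "echo-reply"}]
)

if __name__ == "__main__":
    for victim, s in infer_victims(SAMPLE, window_s=10).items():
        print(f"{victim}: {s['observed']} backscatter pkts, ~{s['est_pps']:.0f} pps at victim")
```

The single echo-reply from 198.51.100.8 stays below `min_pkts`, which is the usual guard against counting one stray reply as an attack.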

  2. Closing your mouth with a firehose at your face on DDoS Detection Devices · Score: 1

    Any solution to a widely distributed denial-of-service attack also needs to be distributed across the network. Almost any device at the edge of the network can tell you when it's being flooded, but traceback and remediation require upstream cooperation.

    Our approach is to detect attacks from various points in the network, correlate and trace them back to points closest to the source, and then take corrective measures there -- not downstream at the victim, which is indeed only an exercise in futility.

    Perhaps the best analogy is to having stop lights at on-ramps to prevent highway congestion -- distributed detection at the edges, and filtering at the ingress points closest to the source.

  3. Points of failure on DDoS Detection Devices · Score: 1

    To answer two concerns regarding the abuse of our system for denial-of-service itself, either as single points of failure, or as potential zombies:

    1. As a non-intrusive passive monitoring solution (i.e. not a bump-in-the-wire) that leverages the existing network infrastructure for the gathering of coarse-grained network statistics, there isn't much to attack, either directly or indirectly. Additionally, most networks tend to be overprovisioned at the core (largely where our monitoring is targeted), such that DDoS attacks typically don't have an effect on the infrastructure itself until much further downstream.

    2. In terms of our base platform, we're running a custom, embedded version of OpenBSD on read-only media (several of us are OpenBSD developers as well). We have taken great pains to audit and protect our system both from direct and indirect attack (e.g. against the detection mechanisms), leveraging years of experience in building, exploiting, and fixing network intrusion detection systems, firewalls, and various network protocols in our own design and implementation.

  4. Re:I Still Don't Get It on DDoS Detection Devices · Score: 1

    Any solution to a widely distributed denial-of-service attack also needs to be distributed across the network. Almost any device at the edge of the network can tell you when it's being flooded, but traceback and remediation require upstream cooperation.

    Our approach is to detect attacks from various points in the network, correlate and trace them back to points closest to the source, and then take corrective measures there -- not downstream at the victim, which is indeed only an exercise in futility.

    Perhaps the best analogy is to having stop lights at on-ramps to prevent highway congestion -- distributed detection at the edges, and filtering at the ingress points closest to the source.

  5. Re:OpenBSD style(9) on Where Can I Find Beautiful Code? · Score: 1

    man 9 style

  6. RIO - RAM I/O on A Semi-Radical Approach To Avoiding fsck · Score: 2

    See the Rio / Vista work by Pete Chen, Dave Lowell, et al., which won best paper at SOSP several years ago...