Linked by Thom Holwerda on Thu 28th Mar 2013 00:36 UTC, submitted by MOS6510
Internet & Networking "The New York Times this morning published a story about the Spamhaus DDoS attack and how CloudFlare helped mitigate it and keep the site online. The Times calls the attack the largest known DDoS attack ever on the Internet. We wrote about the attack last week. At the time, it was a large attack, sending 85Gbps of traffic. Since then, the attack got much worse. Here are some of the technical details of what we've seen."
Thread beginning with comment 556943
Alfman
Member since:
2011-01-28

Laurence,

"We're talking about the same check. What I was describing was the process behind 'plain old source-interface checking'."

It doesn't seem like source interface filtering is a great solution to me because on the internet there's technically no requirement that packets come in from the same interface they'll return out of. In multi-homed setups this can even be explicit. Load balancers might do the same thing. But even in other less exotic cases internet routers can switch paths dynamically as they rerun the shortest path algorithms, I don't know just how frequently this happens, but it's the reason UDP packets can arrive out of order.

So do you agree that source interface filtering could negatively affect legitimate users?

It's a DNS problem, so I feel that a DNS fix should be used instead of modifying our routers. It's much easier to update DNS software than a router. My understanding is that many commercial routers achieve their performance in hardware and become underpowered if too many packets get tossed around into the software stack.

Edited 2013-03-28 14:43 UTC

Reply Parent Score: 3

Laurence Member since:
2007-03-26

"It doesn't seem like source interface filtering is a great solution to me because on the internet there's technically no requirement that packets come in from the same interface they'll return out of. In multi-homed setups this can even be explicit. Load balancers might do the same thing. But even in other less exotic cases internet routers can switch paths dynamically as they rerun the shortest path algorithms, I don't know just how frequently this happens, but it's the reason UDP packets can arrive out of order."

For core switches, you'd be right. But from what I've read, that method could work for routers on the edge of networks. But that's just what I've read, you might well be right ;)


"So do you agree that source interface filtering could negatively affect legitimate users?"

My guess is it would either work well or not at all. I'm by no means a networking expert though so I'll have to take the lead from someone else.


"It's a DNS problem, so I feel that a DNS fix should be used instead of modifying our routers. It's much easier to update DNS software than a router. My understanding is that many commercial routers achieve their performance in hardware and become underpowered if too many packets get tossed around into the software stack."

I'd argue it's more a problem with the UDP datagram than DNS specifically. DNS just exposes that weakness of UDP. So if we just fix DNS then I'm sure someone will find another UDP service that can be exploited in the same way (possibly games servers?)

Edited 2013-03-28 16:35 UTC

Reply Parent Score: 2

Alfman Member since:
2011-01-28

Laurence,

"I'd argue it's more a problem with the UDP datagram than DNS specifically. DNS just exposes that weakness of UDP. So if we just fix DNS then I'm sure someone will find another UDP service that can be exploited in the same way (possibly games servers?)"

I guess you could put it that way. It's true that UDP does nothing to confirm the sender IP, but to fix it at this level would mean converting UDP to a stateful protocol with a bidirectional handshake.

Between all the IP protocols already invented, we probably already have something that would work, but it does little good until these actually see widespread support.


http://en.wikipedia.org/wiki/Reliable_User_Datagram_Protocol

http://en.wikipedia.org/wiki/Stream_Control_Transmission_Protocol

So, the easiest fix in this case is probably just running DNS over TCP.

Edited 2013-03-28 17:56 UTC

Reply Parent Score: 2

Soulbender Member since:
2005-08-18

"It doesn't seem like source interface filtering is a great solution to me because on the internet there's technically no requirement that packets come in from the same interface they'll return out of"


Source filtering makes sure that only packets with a valid source come in on an interface. Valid source means it's an IP address that has a route via that interface. This is an incredibly simple yet effective way to reduce spoofing on customer-facing equipment and is, as I've said previously, already done by most ISPs.

"It's a DNS problem, so I feel that a DNS fix should be used instead of modifying our routers."


While DNS has problems this is not one of them. This is simply a problem of misconfigured DNS servers and the only effective way to stop this from happening is by not screwing up the configuration.

"My understanding is that many commercial routers achieve their performance in hardware and become underpowered if too many packets get tossed around into the software stack."


Thankfully not everyone uses underpowered Cisco gear ;)

Reply Parent Score: 2

Alfman Member since:
2011-01-28

Soulbender,

"Source filtering makes sure that only packets with a valid source comes in on an interface. Valid source means it's an IP address that has a route via that interface. This is an incredibly simple yet effective way to reduce spoofing on customer-facing equipment and is, as I've said previously, already done by most ISP's."

They apply egress filtering to make sure their customers don't send out source IPs that are external to their network.

They may apply ingress filtering such that the internet backbone cannot send them packets that look like they were sourced from within the ISP. But it's very unlikely that they apply ingress filtering that discriminates IPs from various peer interfaces since that would break a lot of internet traffic. It's up to the source routers to route the traffic to the destination. The destination has no say which interface will receive traffic for a given IP.

ISPs cannot do anything to detect spoofing outside of their network, which is part of the problem.


"While DNS has problems this is not one of them. This is simply a problem of misconfigured DNS servers and the only effective way to stop this from happening is by not screwing up the configuration."

Once you read my other response, it should clarify that it is a DNS problem (or even a "UDP" problem if you want to view it like Laurence did).

Reply Parent Score: 2
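The distinction the posters above are circling (strict per-interface source checks on customer ports versus the looser checks an ISP can afford on peering ports) can be modelled directly. The following is an added example, not code from any poster or vendor; the FIB, interface names and the `classify` policy are constructed for illustration using RFC 5737 documentation prefixes, and the "asymmetric" packet shows the legitimate traffic a strict check would drop on a peer interface.

```python
"""Model of source-address checks on a hypothetical edge router.
Added example with a constructed FIB; not any real network's config."""
import ipaddress

# Constructed FIB: destination prefix -> interface the router forwards on.
FIB = {
    ipaddress.ip_network("203.0.113.0/24"): "cust0",   # our customer A
    ipaddress.ip_network("198.51.100.0/24"): "cust1",  # our customer B
    ipaddress.ip_network("192.0.2.0/24"): "peer0",     # learned via peer0
    ipaddress.ip_network("0.0.0.0/0"): "peer1",        # default via peer1
}
CUSTOMER_IFACES = {"cust0", "cust1"}

def route_for(src):
    """Longest-prefix match on the source address; (prefix, iface) or None."""
    ip = ipaddress.ip_address(src)
    hits = [(net, ifc) for net, ifc in FIB.items() if ip in net]
    return max(hits, key=lambda h: h[0].prefixlen) if hits else None

def strict_check(src, iface):
    """Strict reverse-path check: the route back to src must use the
    interface the packet arrived on. Breaks on asymmetric paths."""
    hit = route_for(src)
    return hit is not None and hit[1] == iface

def loose_check(src):
    """Loose reverse-path check: a non-default route to src is enough,
    whichever interface it points at."""
    hit = route_for(src)
    return hit is not None and hit[0].prefixlen > 0

def internal_prefixes():
    """Prefixes that belong to our own customers."""
    return [net for net, ifc in FIB.items() if ifc in CUSTOMER_IFACES]

def classify(src, iface):
    """Constructed policy: strict on customer ports (the BCP38 egress case),
    and on peer ports an 'our prefixes never arrive from outside' rule plus
    a loose check, so asymmetric but legitimate traffic still passes."""
    ip = ipaddress.ip_address(src)
    if iface in CUSTOMER_IFACES:
        return "accept" if strict_check(src, iface) else "drop:spoofed-customer-src"
    if any(ip in net for net in internal_prefixes()):
        return "drop:internal-src-from-peer"
    return "accept" if loose_check(src) else "drop:unroutable-src"

def strict_everywhere(src, iface):
    """The alternative policy: strict checks on every interface."""
    return "accept" if strict_check(src, iface) else "drop:strict-rpf"
```

Running `classify` and `strict_everywhere` over the same packets shows they agree on customer ports, while only the strict policy drops a packet from 192.0.2.0/24 that happens to arrive on peer1 instead of peer0.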