Linked by Thom Holwerda on Thu 28th Mar 2013 00:36 UTC, submitted by MOS6510
Internet & Networking "The New York Times this morning published a story about the Spamhaus DDoS attack and how CloudFlare helped mitigate it and keep the site online. The Times calls the attack the largest known DDoS attack ever on the Internet. We wrote about the attack last week. At the time, it was a large attack, sending 85Gbps of traffic. Since then, the attack got much worse. Here are some of the technical details of what we've seen."
Thread beginning with comment 557016
Alfman Member since:
2011-01-28

Soulbender,

"Source filtering makes sure that only packets with a valid source come in on an interface. Valid source means it's an IP address that has a route via that interface. This is an incredibly simple yet effective way to reduce spoofing on customer-facing equipment and is, as I've said previously, already done by most ISPs."

They apply egress filtering to make sure their customers don't send out source IPs that are external to their network.

They may apply ingress filtering such that the internet backbone cannot send them packets that look like they were sourced from within the ISP. But it's very unlikely that they apply ingress filtering that discriminates IPs from various peer interfaces, since that would break a lot of internet traffic. It's up to the source routers to route the traffic to the destination. The destination has no say which interface will receive traffic for a given IP.

ISPs cannot do anything to detect spoofing outside of their network, which is part of the problem.


"While DNS has problems this is not one of them. This is simply a problem of misconfigured DNS servers and the only effective way to stop this from happening is by not screwing up the configuration."

Once you read my other response, it should clarify that it is a DNS problem (or even a "UDP" problem if you want to view it like Laurence did).

Reply Parent Score: 2

Soulbender Member since:
2005-08-18

They apply egress filtering to make sure their customers don't send out source IPs that are external to their network.


And that's the only thing you need to do in order to prevent spoofing from your clients. Very simple, very effective.


But it's very unlikely that they apply ingress filtering that discriminates IPs from various peer interfaces, since that would break a lot of internet traffic.


Not really. It's quite possible to filter without breaking the internet traffic but it does require some work. You will always know what prefixes your peers announce so you can set things up to only ever accept packets with an IP in those prefixes from a peer.

ISPs cannot do anything to detect spoofing outside of their network, which is part of the problem.


True but there's no scalable and feasible solution for this. Tracking this would create a massive overhead and for what? Just because some people can't do their jobs?

Once you read my other response, it should clarify that it is a DNS problem


No, it isn't. It's a problem combined of misconfigured DNS servers and ISPs not doing filtering on their customers. DNS itself is just doing what it was supposed to do. The advantage of UDP over TCP (or other connection-oriented protocols) is that it scales much, much better. The downside to this is that it does expect ISPs not to be schmucks.

Reply Parent Score: 3
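Soulbender's point that DNS is "just doing what it was supposed to do" over UDP, and that the fix lies with server configuration, is where server-side response rate limiting fits in: an authoritative or recursive server that throttles how many responses it sends to one client prefix per second stops being a useful amplifier even when someone spoofs a victim's address at it. The following is an added illustration, not code from the thread or from any DNS server: a simplified token-bucket limiter keyed on the client's /24, with the "slip" idea of turning some over-limit responses into truncated replies so a real client can retry over TCP. The query stream is constructed (RFC 5737 documentation addresses) and the rate and slip values are arbitrary.

```python
import ipaddress
from collections import Counter, defaultdict


class ResponseRateLimiter:
    """Simplified response rate limiter (assumption: keyed only on the client /24,
    real implementations also key on the response content).

    Each client prefix gets a token bucket refilled at `responses_per_second`.
    While tokens remain, the response is sent normally. Once the bucket is empty,
    every `slip`-th excess response is sent as a tiny truncated (TC=1) reply that
    invites a TCP retry, and the rest are dropped. A spoofed victim therefore
    receives at most a few full-size responses per second instead of thousands.
    """

    def __init__(self, responses_per_second=5, slip=2):
        self.rate = float(responses_per_second)
        self.slip = slip
        self.tokens = defaultdict(lambda: self.rate)   # bucket per client /24
        self.last_seen = {}                           # last timestamp per /24
        self.excess = defaultdict(int)                # over-limit counter per /24

    @staticmethod
    def bucket_key(client_ip):
        # Collapse the source to its /24 so one spoofed host cannot dodge the
        # limit by rotating through neighbouring addresses.
        return str(ipaddress.ip_network(f"{client_ip}/24", strict=False))

    def decide(self, ts, client_ip):
        """Return 'answer', 'truncate' or 'drop' for a query seen at time `ts`."""
        key = self.bucket_key(client_ip)
        last = self.last_seen.get(key, ts)
        # Refill proportionally to elapsed time, never above the burst size.
        self.tokens[key] = min(self.rate, self.tokens[key] + (ts - last) * self.rate)
        self.last_seen[key] = ts
        if self.tokens[key] >= 1.0:
            self.tokens[key] -= 1.0
            return "answer"
        self.excess[key] += 1
        if self.slip and self.excess[key] % self.slip == 0:
            return "truncate"
        return "drop"


# Constructed query stream: (timestamp, source address as seen by the server).
# 192.0.2.10 plays the spoofed victim (20 queries in one burst); 198.51.100.7
# is an ordinary client asking three times over a second.
QUERIES = [(0.0, "192.0.2.10")] * 20 + [(0.0, "198.51.100.7"), (0.5, "198.51.100.7"), (1.0, "198.51.100.7")]


def simulate(queries=QUERIES, responses_per_second=5, slip=2):
    """Run the limiter over a query stream and count outcomes per client /24."""
    limiter = ResponseRateLimiter(responses_per_second, slip)
    outcome = defaultdict(Counter)
    for ts, src in queries:
        outcome[limiter.bucket_key(src)][limiter.decide(ts, src)] += 1
    return outcome


if __name__ == "__main__":
    for prefix, counts in simulate().items():
        print(prefix, dict(counts))
```

With these numbers the victim prefix gets 5 full answers, 7 truncated replies and 8 drops out of 20 queries, while the ordinary client is answered all three times. The cost of keying on the /24 is that a legitimate host sharing the victim's prefix is throttled too, which is why the slip behaviour matters: its TCP retry still goes through.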

Alfman Member since:
2011-01-28

Soulbender,

"And that's the only thing you need to do in order to prevent spoofing from your clients. Very simple, very effective."

At the expense of features like multi-homing.


"Not really. It's quite possible to filter without breaking the internet traffic but it does require some work. You will always know what prefixes your peers announce so you can set things up to only ever accept packets with an IP in those prefixes from a peer."


Those announcements are meant to indicate the paths for routing destination IPs, not filtering source IPs. While there is nothing stopping you from filtering in this way, at the very least this will cause network disruptions while the network is propagating new optimal paths. But it could cause persistent problems for asymmetric scenarios. For example, your organization has two peers: Hurricane Electric and Cogent. A foreign router determines Hurricane Electric's network is the best way to route an IP to you, but your router determines that Cogent is the best way to send the packet back. If you filter out this IP on Hurricane Electric's interface, then you lose legitimate traffic. You have no way to determine whether packets on either interface are spoofed or not.



"No, it isn't. It's a problem combined of misconfigured DNS servers and ISPs not doing filtering on their customers. DNS itself is just doing what it was supposed to do."

Yes, it's doing what it's programmed to do, so it's not a "bug" or misconfiguration. But it causes a problem in this case because the sender isn't verified. That IS a vulnerability as this incident clearly demonstrates. Any UDP protocol is vulnerable if it responds with lots of traffic without first performing a handshake, so in a way DNS is guilty, even though it works as designed.

Edited 2013-03-29 04:41 UTC

Reply Parent Score: 2
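Both sides of the exchange above can be made concrete with a small model of source-address filtering. This is an added example, not code from the thread: it uses a constructed prefix table for a hypothetical network with one customer port and two peers (the "Hurricane Electric" and "Cogent" interfaces from Alfman's scenario are renamed `he0` and `cogent0`, and all addresses are RFC 5737 documentation ranges). It implements the two checks that routers actually offer, strict (the source must be routable back out of the arrival interface, which is what Soulbender describes for customer ports) and loose (the source merely needs some route at all), and runs both over the packets discussed: a customer spoofing an external address, the asymmetric-return case, and a spoofed packet carrying our own customer's address from a peer.

```python
import ipaddress

# Constructed prefix table (assumption, not a real network): for each interface,
# the source prefixes this router would itself route *out* of that interface.
ROUTES = {
    "cust0": ["203.0.113.0/24"],     # our own customer block
    "he0": ["198.51.100.0/24"],      # prefixes announced by peer A
    "cogent0": ["192.0.2.0/24"],     # prefixes announced by peer B
}
_NETS = {iface: [ipaddress.ip_network(p) for p in prefixes]
         for iface, prefixes in ROUTES.items()}


def routed_via(src, iface):
    """Strict check (uRPF strict mode / BCP38 on a customer port): accept only
    if the router would route `src` back out of the interface it arrived on."""
    ip = ipaddress.ip_address(src)
    return any(ip in net for net in _NETS[iface])


def routed_anywhere(src):
    """Loose check (uRPF loose mode): accept if `src` has *some* route, on any
    interface. Catches bogons and unrouted space, not misdirected prefixes."""
    ip = ipaddress.ip_address(src)
    return any(ip in net for nets in _NETS.values() for net in nets)


# Constructed packets: (description, source address, arrival interface).
PACKETS = [
    ("customer using its own address", "203.0.113.9", "cust0"),
    ("customer spoofing an external address", "198.51.100.7", "cust0"),
    ("peer A traffic from its own prefix", "198.51.100.7", "he0"),
    ("asymmetric: peer B-routed source arriving via peer A", "192.0.2.10", "he0"),
    ("spoofed: our own customer address arriving from peer A", "203.0.113.5", "he0"),
    ("spoofed: unrouted RFC 1918 source from peer A", "10.0.0.1", "he0"),
]


def evaluate(packets=PACKETS):
    """Report, per packet, whether the strict and the loose check would accept it."""
    return [
        {"case": desc, "src": src, "iface": iface,
         "strict": routed_via(src, iface),
         "loose": routed_anywhere(src)}
        for desc, src, iface in packets
    ]


if __name__ == "__main__":
    for r in evaluate():
        print(f"{r['case']:<58} strict={str(r['strict']):<5} loose={r['loose']}")
```

The output shows the trade-off both posters are circling: strict mode is exactly right on the customer port (the spoofed external address is dropped, the genuine one passes) but rejects the legitimate asymmetric packet on `he0`, while loose mode keeps that packet but also lets through the spoofed copy of our own customer's address, catching only the unrouted 10.0.0.1. Neither check can tell a spoofed packet from a misdirected one by source address alone, which is why the strict form is deployed at the customer edge and only the loose form, if any, toward peers.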