Linked by Thom Holwerda on Thu 28th Mar 2013 00:36 UTC, submitted by MOS6510
Internet & Networking "The New York Times this morning published a story about the Spamhaus DDoS attack and how CloudFlare helped mitigate it and keep the site online. The Times calls the attack the largest known DDoS attack ever on the Internet. We wrote about the attack last week. At the time, it was a large attack, sending 85Gbps of traffic. Since then, the attack got much worse. Here are some of the technical details of what we've seen."
Thread beginning with comment 557018
To view parent comment, click here.
To read all comments associated with this story, please click here.
Soulbender
Member since:
2005-08-18

They apply egress filtering to make sure their customers don't sent out source IPs that are external to their network.


And that's the only thing you need to do in order to prevent spoofing from your clients. Very simple, very effective.


But it's very unlikely that they apply ingress filtering that discriminates IPs from various peer interfaces since that would break alot of internet traffic.


Not really. It's quite possible to filter without breaking the internet traffic but it does require some work. You will always know what prefixes your peers announce so you can set things up to only ever accept packets with an IP in those prefixes from a peer.

ISPs cannot do anything to detect spoofing outside of their network, which is part of the problem.


True but there's no scalable and feasible solution for this. Tracking this would create a massive overhead and for what? Just because some people can't do their jobs?

Once you read my other response, it should clarify that it is a DNS problem


No, it isn't. It's a problem combined of misconfigured DNS servers and ISP's not doing filtering on their customers. DNS itself is just doing what it was supposed to do. The advantage of UDP over TCP (or other connection-oriented protocols) is that it scales much, much better. The downside to this is that it does expect ISP's not being schmucks.

Reply Parent Score: 3

Alfman Member since:
2011-01-28

Soulbender,

"And that's the only thing you need to do in order to prevent spoofing from your clients. Very simple, very effective."

At the expense of features like multi-homing.


"Not really. It's quite possible to filter without breaking the internet traffic but it does require some work. You will always know what prefixes your peers announce so you can set things up to only ever accept packets with an IP in those prefixes from a peer."


Those announcements are meant to indicate the paths for routing destination IP's, not filtering source IPs. While there is nothing stopping you from filtering in this way, at the very least this will cause network disruptions while the network is propagating new optimal paths. But it could cause persistent problems for asymmetric scenarios. For example your organization has two peers: Hurricane Electric and Cogent. A foreign router determines Hurricane Electric's network is the best way to route an IP to you, but your router determines that Cogent is the best way to send the packet back. If you filter out this IP on Hurricane Electric's interface, then you loose legitimate traffic. You have no way to determine whether packets on either interface are spoofed or not.



"No, it isn't. It's a problem combined of misconfigured DNS servers and ISP's not doing filtering on their customers. DNS itself is just doing what it was supposed to do."

Yes, it's doing what it's programmed to do, so it's not a "bug" or misconfiguration. But it causes a problem in this case because the sender isn't verified. That IS a vulnerability as this incident clearly demonstrates. Any UDP protocol is vulnerable if it responds with lots of traffic without first performing a handshake, so in a way DNS is guilty, even though it works as designed.

Edited 2013-03-29 04:41 UTC

Reply Parent Score: 2

Soulbender Member since:
2005-08-18

At the expense of features like multi-homing.


No, not at all. Ingress and egress filtering does not prevent multi-homing.

Those announcements are meant to indicate the paths for routing destination IP's, not filtering source IPs.


Those are the sources that should only ever arrive from a certain peer. They indicate exactly what I need to know: what are the valid source IP addresses from a peer. For example, if I have been assigned 1.2.3.4/24 and I peer with HE, announcing 1.2.3.4/24, they should only every accept packets from me with a source in 1.2.3.4/24.

at the very least this will cause network disruptions while the network is propagating new optimal paths.


No.

For example your organization has two peers: Hurricane Electric and Cogent. A foreign router determines Hurricane Electric's network is the best way to route an IP to you, but your router determines that Cogent is the best way to send the packet back. If you filter out this IP on Hurricane Electric's interface, then you loose legitimate traffic. You have no way to determine whether packets on either interface are spoofed or not.


Why would I "filter out this IP"? Ingress and egress filtering works perfectly in this scenario (I know, I've done it many times). The packet coming in via HE, addressed to my network, is a valid ingress source and the packet going out via Cogent is from my network and is a valid egress source. Nothing is being filtered, spoofing is prevented.
Obviously I will not accept sources from either that is in my network nor will I accept destinations that is not my network. Neither provider should accept packets from me that is not from my network.

Edited 2013-03-29 04:56 UTC

Reply Parent Score: 2