Eliot,

Some of the DoS attacks we saw last week were good, old-fashioned SYN 
floods.  Hosts do have a responsibility here, more than ISPs, since 
it is quite feasible to tie up a host's pool of TCBs with a small 
number of packets, even if the attack tool does not use spoofed 
source addresses (or if the spoofed addresses are from a legitimate 
pool allocated to a subscriber site).

The point I have tried to make, unsuccessfully, is not that 
performing ingress filtering is bad, and thus should not be 
performed.  Rather, I am pointing out that it is a bad idea to rely 
on such filtering as a primary means of defense. There are several 
reasons for saying this:
        - not all ISPs will find it feasible to provide such filtering
        - not all ISPs are trusted to do the filtering (in the global Internet)
        - a number of DDoS attacks can be launched without using 
          spoofed addresses outside of those "appropriate" to the subscriber 
          site
        - some applications may legitimately make use of non-local 
          addresses, as others have suggested

I have seen a long history of suggested solutions to security 
problems which are only partially effective against current forms of 
attacks, vs. providing protection against a larger class of attacks. 
I'm trying to suggest that we not follow this pattern.

Finally, there is a diminishing difference between what a script 
kiddie can do, vs. a clever attacker, because the clever attackers 
are freely distributing higher quality attack tools.  "Empowerment" 
is a hallmark of modern Internet attacks :-).

Steve
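The two points above that matter most to a defender are (a) a small number of SYNs can exhaust a host's pool of TCBs, and (b) ingress filtering cannot help when the attacking packets carry source addresses that legitimately belong to the subscriber's prefix. The following Python model is an added illustration, not code from the message or its author: it runs constructed packet records through a BCP 38-style ingress check and then through a toy half-open connection table. The prefix 203.0.113.0/24, the addresses, the backlog size, and the optional per-source cap on half-open entries (one possible host-side mitigation, assumed here for illustration) are all constructed values.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample: the prefix the ISP has allocated to the subscriber site.
SUBSCRIBER_PREFIX = ipaddress.ip_network("203.0.113.0/24")


def ingress_filter_passes(src: str, allowed=SUBSCRIBER_PREFIX) -> bool:
    """ISP-edge ingress filtering: a packet arriving on the subscriber link
    is accepted only if its source lies in the subscriber's allocated prefix.
    Sources inside the prefix look legitimate and are passed through, so the
    filter does nothing against a flood that uses them."""
    return ipaddress.ip_address(src) in allowed


@dataclass
class HalfOpenTable:
    """Toy model of a host's pool of TCBs for half-open (SYN received, no
    final ACK) connections. 'capacity' plays the role of a small listen
    backlog; 'per_source_cap' is an assumed host-side mitigation that
    bounds how many half-open entries one source address may hold."""
    capacity: int
    per_source_cap: Optional[int] = None          # None = mitigation off
    entries: dict = field(default_factory=dict)   # (src, sport) -> True
    dropped: int = 0                              # SYNs the host could not hold

    def on_syn(self, src: str, sport: int) -> bool:
        key = (src, sport)
        if key in self.entries:                   # retransmitted SYN, no new TCB
            return True
        if self.per_source_cap is not None:
            held = sum(1 for s, _ in self.entries if s == src)
            if held >= self.per_source_cap:
                self.dropped += 1
                return False
        if len(self.entries) >= self.capacity:    # pool exhausted
            self.dropped += 1
            return False
        self.entries[key] = True
        return True

    def on_ack(self, src: str, sport: int) -> None:
        """Third handshake step: the connection leaves the half-open pool."""
        self.entries.pop((src, sport), None)

    def is_full(self) -> bool:
        return len(self.entries) >= self.capacity


def simulate(packets, capacity: int, per_source_cap: Optional[int] = None) -> dict:
    """Feed constructed (src, sport, flag) records through the ingress filter
    and then the host's half-open table; return a summary of the outcome."""
    table = HalfOpenTable(capacity, per_source_cap)
    filtered = 0
    for src, sport, flag in packets:
        if not ingress_filter_passes(src):
            filtered += 1                         # spoofed, outside the prefix
            continue
        if flag == "SYN":
            table.on_syn(src, sport)
        elif flag == "ACK":
            table.on_ack(src, sport)
    return {"filtered": filtered, "half_open": len(table.entries),
            "dropped": table.dropped, "full": table.is_full()}


def build_sample_packets():
    """Constructed traffic: 64 SYNs from one in-prefix source that never
    completes the handshake, 4 SYNs spoofed from outside the prefix, then
    one legitimate client that completes its handshake."""
    flood = [("203.0.113.7", 40000 + i, "SYN") for i in range(64)]
    spoofed = [("198.51.100.%d" % i, 50000 + i, "SYN") for i in range(4)]
    legit = [("203.0.113.20", 51515, "SYN"), ("203.0.113.20", 51515, "ACK")]
    return flood + spoofed + legit


def demo():
    """Compare the same traffic against a bare host and against a host that
    caps half-open entries per source."""
    packets = build_sample_packets()
    return {
        "ingress_only": simulate(packets, capacity=32),
        "with_host_cap": simulate(packets, capacity=32, per_source_cap=8),
    }


if __name__ == "__main__":
    for name, summary in demo().items():
        print(name, summary)
```

With ingress filtering alone, the four out-of-prefix packets are filtered, but 32 in-prefix SYNs fill the pool and the legitimate client's SYN is dropped. With the per-source bound the flood holds 8 entries, the pool never fills, and the legitimate handshake completes, which is the sense in which the host, not the ISP filter, decides whether the attack succeeds.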
