North American Network Operators Group


Re: So.. you want to track some DoS traffic?

  • From: Richard A. Steenbergen
  • Date: Sun Jul 01 19:30:20 2001

On Sun, Jul 01, 2001 at 05:34:06PM -0400, Christopher L. Morrow wrote:
>
> A brief overview of the method would be: "Track the attack from the
> after effect of the attack, not the attack itself"

Hrm interesting combination of two different techniques...

Your border filter method is more commonly done with a community tag which
triggers the route-map setting nexthop to a null routed IP block. You can
even allow your customers to null route their own IP space within your
network without them having to get in touch with your security people.

The "backscatter" you are monitoring makes a nice hack for gathering
information from many routers which don't support this kind of intelligent
mass-management on their own. You could also set up a dedicated sniffing
machine or machines and alter the nexthop to route the original DoS their
way, if you want to find out details of the attack.

It would also be interesting, especially on a UU scale, to do statistical
sampling of backscatter generated by the victim instead of that generated
by your routers. I'd also be interested in seeing someone set up a global
realtime backscatter analysis just for a kind of "DoS weather report". Of
course you should probably mention the only global analysis of spoofed
attacks by the replies generated to their attacks I am aware of, at:
http://www.caida.org/outreach/papers/backscatter/index.xml

If you provided a customer community tag so your clued victims could do it
themselves, you could automatically monitor the ICMP Unreachables and
already have a list of the ingress interfaces ready without any human
interaction, kind of like the Call Trace functionality for phones which
records the information for easy processing if charges are filed.

If enough other networks did this you could probably stand a half decent
chance of catching an attack that is shorter than the "few hours" normally
required to get interprovider cooperation. If you really wanted to get
nuts, this could fairly easily be packaged up into a program which runs on
a unix machine and automatically cooperates with other providers running
this service to trace spoofed attacks back to their source. Of course this
is all a nasty hack around the lack of a protocol for communicating
traceback and source-filtering information directly between routers, but I
suspect this method would be a lot easier to actually get written,
deployed, and used because of layer 8.

-- 
Richard A Steenbergen <ras@e-gerbil.net>       http://www.e-gerbil.net/ras
PGP Key ID: 0x138EA177  (67 29 D7 BC E8 18 3E DA  B2 46 B3 D8 14 36 FE B6)
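The automatic "list of ingress interfaces" idea in the post, worked through as an added example that is not part of the original message or any real provider's tooling. The model is the one the thread describes: the victim prefix is null-routed on every border router, each router that drops attack packets answers the (spoofed) source with an ICMP Destination Unreachable whose source address is the router itself, and spoofed sources that fall into an unused sink prefix routed to a collector show up there. Counting unreachables per emitting router therefore ranks the points where the attack entered. The router-to-interface table, the addresses and the log lines are all constructed for the example; the log format (router, sink destination, original destination from the quoted inner header, ICMP type, code) is a hypothetical export, not a real collector's format.

```python
"""Rank attack ingress routers from null-route backscatter (added example)."""
from collections import Counter, defaultdict
import ipaddress

# Constructed: address each border router uses when emitting ICMP errors,
# mapped to a hypothetical router name and the upstream-facing interface.
ROUTER_INGRESS = {
    "192.0.2.1": ("bdr1", "ge-0/0/0 peer-A"),
    "192.0.2.2": ("bdr2", "ge-0/0/1 peer-B"),
    "192.0.2.3": ("bdr3", "xe-1/0/0 peer-C"),
}

# Constructed sample of what the collector behind the sink prefix sees.
# Fields: router_src sink_dst original_dst icmp_type icmp_code
SAMPLE = """\
192.0.2.1 198.51.100.7 203.0.113.9 3 0
192.0.2.1 198.51.100.88 203.0.113.9 3 0
192.0.2.2 198.51.100.200 203.0.113.9 3 0
192.0.2.1 198.51.100.3 203.0.113.9 3 0
192.0.2.3 198.51.100.4 203.0.113.9 3 1
192.0.2.2 198.51.100.5 203.0.113.50 3 0
192.0.2.1 198.51.100.6 203.0.113.9 0 0
"""


def parse_records(text):
    """Parse the constructed collector export into dicts; skip malformed lines."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        router, sink_dst, orig_dst, itype, icode = parts
        records.append({
            "router": ipaddress.ip_address(router),
            "sink_dst": ipaddress.ip_address(sink_dst),
            "orig_dst": ipaddress.ip_address(orig_dst),
            "type": int(itype),
            "code": int(icode),
        })
    return records


def ingress_report(records, victims, sink, min_count=1):
    """Per null-routed victim prefix, rank the routers emitting unreachables.

    Only ICMP type 3 messages are counted, only when the spoofed destination
    really lies in the sink prefix, and only when the quoted original
    destination is a prefix currently under a customer-triggered null route.
    That keeps unrelated unreachables from polluting the ingress picture.
    """
    victim_nets = [ipaddress.ip_network(v) for v in victims]
    sink_net = ipaddress.ip_network(sink)
    per_victim = defaultdict(Counter)
    for r in records:
        if r["type"] != 3 or r["sink_dst"] not in sink_net:
            continue
        victim = next((v for v in victim_nets if r["orig_dst"] in v), None)
        if victim is None:
            continue
        per_victim[str(victim)][str(r["router"])] += 1

    report = {}
    for victim, counts in per_victim.items():
        ranked = []
        for router, n in counts.most_common():
            if n < min_count:
                continue
            name, iface = ROUTER_INGRESS.get(router, ("unknown", router))
            ranked.append((name, iface, n))
        report[victim] = ranked
    return report


if __name__ == "__main__":
    rep = ingress_report(parse_records(SAMPLE),
                         victims=["203.0.113.9/32"], sink="198.51.100.0/24")
    for victim, ranked in rep.items():
        print(f"null-routed {victim}: attack ingress by backscatter volume")
        for name, iface, n in ranked:
            print(f"  {name:6s} {iface:18s} {n} unreachables")
```

In the sample, bdr1 emits three unreachables for the victim and bdr2 and bdr3 one each; the record for 203.0.113.50 is ignored because that prefix is not on the victim list, and the type 0 record is ignored because it is not an unreachable. A real deployment would feed this from sampled flow export or a sniffer on the sink and refresh the victim list from the community-tagged announcements themselves.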