Pushback against DDOS Attacks 159
Huusker writes "Steven Bellovin and others at ATT Research Labs and ICIR have come up with mechanism to stop DDOS attacks. The idea is called Pushback. When the routers get flooded they consult a Unix daemon (/etc/pushbackd) to determine if they are being DDOS'ed. The routers propagate the quench packets back to the sources. The policy and propagation are separate, allowing hardware vendors to concentrate on the quench protocol while the white hats invent ever more clever DDOS detection filters for /etc/pushbackd. The authors of the paper have an initial implementation
on FreeBSD."
Problem? (Score:2, Insightful)
Couldnt pushback be a Dos tool in itslf? (Score:5, Insightful)
sure (Score:1, Insightful)
Of course its not, it would do much more harm to many more innocent people.
The right solution is to educate people so that their PC's doesnt get inffected with worms and the like so they dont unknowingly contribute to DDOS.
Of course, the right is almost always the hard way and most people doesnt want to care about ignorant people so... we're in a vicious cycle here, just as in anything else.
Re:Manual RegEx? (Score:5, Insightful)
Even if you drop 100% of the evil packets...
Your pipe is still filled...
And for the amount of traffic needed to actually DDoS a large-enough site like Yahoo (4 gbps last time around?), RegExs wouldn't be helpful
since, the sheer amount of cpu required to process *every*single*packet*that*passes*through* is wayy too much...
Re:sure (Score:4, Insightful)
These people think that when they install virus scan software [slashdot.org] they are safe. I recently re-installed Windows on my gf's computer. She had V-Shield on there from 1999. She had no idea that she would need to update it.
At least my roommate, my parents, and my gf know (from me) not to open attachments. But educate a WIDE group of people? That's just not going to happen and you know it.
not all DDoS attacks.. (Score:5, Insightful)
Some examples:
SYN floods can exhaust incoming connection queues.
DNS floods (asking a recursive nameserver a million questions, or even asking an authoritative nameserver a million questions).
Too many HTTP requests to processor intensive dynamic content pages could deny service well before you are serving at your bw limit.
The paper kept referring to the aggregate detection algorithm only coming into effect when the bandwidth limit is being exceeded
Never the less, this is a promising initiative.
--Iain
Re:sure (Score:5, Insightful)
The technique is about making the internet move the point of dropping the flood packets, BACK closer to the source. That is, remove the flood from the internet itself, and contain it into the localised areas.
Instead of expecting the impossible as you suggest, (which is joe-average running a secure system), finally someone is thinking about securing the internet in general from unsecured systems, which is a pragmatic approach which may well protect the internet in general from many unforeseen DDOS attacks, as well as the ones we know about.
Question.... (Score:3, Insightful)
Re:sure (Score:4, Insightful)
It involves sending a short message back to the routers that are routing the packets to you asking them to "quench" - i.e. filter out and don't route - the offending upstream sources.
The message could propagate as far back as the individual ISPs from which the packets are originating from so that each participant in the attack is cut off.
At least that's what I'm getting from the summary of the story, I could be completely wrong.
This is worse (Score:4, Insightful)
How does this really help a DOS attack? The idea behind a DOS attack is to flood a server with so many packets that the server can't keep up and ends up dropping most of the packets. This paper does not provide a solution to this problem. It simply shifts where the packets are being dropped... at a router upstream instead of at the server or router at the edge of the network. The only advantage here is that other servers hanging off the router that aren't being DOSed will be unaffected.
The suggested solution also opens up a potential security hole. If you gained access to a server, it might be possible to send a packet to routers upstream and tell them to throttle bandwidth. This could be a much more effecient way of doing a DOS attack. Now instead of multiple machines on fast connections, all you really need to DOS your favorite website is a 268 and a 300 baud modem.
I have a simpler solution (Score:1, Insightful)
Give ISPs an incentive to detect forged packets, portscanning, and other common signs of compromised machines at the source. Get rid of zombies at the source. Then there wouldn't be the raw material for DDoS.
In short keep machines from swinging their fists, rather than try to make the recipients more resistant to being hurt.
Re:This is worse (Score:3, Insightful)
There is no clear way to differentiate some forms of DDoS attacks from legitimate traffic or a traffic spike
The pushback idea provides a generic method for notifying/instructing upstream carriers to drop a certain aggregate traffic flow and notify the destination of what affect that limiting is having so they can determine when to resume normal operation.
In the mean time though, you have prevented a DDoS that may be targeted at a single machine from affecting the entire network.
--Iain
blocking packets with forged return addresses (Score:5, Insightful)
I believe most DDoS attacks have the following in common:
I can't see any reason why this wouldn't be a good idea - there really isn't any reason for the type of machines mentioned to ever act as true IP routers (as opposed to NATs), and it doesn't seem like this would be either hard or burdensome for the first-line routers to do.
Employing this would mean that DDoSers would be confined to forging return addresses within the zombies' own subnet, which would make both blocking and back-tracking much easier.
It's plain that this isn't done, so there must be a good reason why people much more network savvy than I haven't implemented it - what is it?
You're talking about DoS attacks (Score:2, Insightful)
DDoS attacks are brute force by nature, designed to take down sections of the network by saturating the links.
Re:sure (Score:3, Insightful)
What happens when i spoof that you just DoSed your favorite website? You get cut off from it, and denied service.
Although as far as taking advantage of this sort of thing goes, I'd much rather be able to use an ICMP Redirect to make a DoSnet packet its owner.
A perfect tool for doing DDoS.... (Score:2, Insightful)
Re:This is worse (Score:2, Insightful)
Besides it is much harder to break into a well protected machine, than to break into a couple of thousand nearly unprotected ones.
Re:sure (Score:2, Insightful)
Re:blocking packets with forged return addresses (Score:5, Insightful)
I think the argument that is made for not doing this at a lot of ISPs is that with most Cisco routers its expensive as a lot of their routers can't fast switch with ACLs applied, they process switch, turning an adequate router into an inadequate packet-dropper.
It can also be a PITA to maintain -- if you put it at the very edge, like on an ISPs peering router with their upstream, it doesn't prevent in-block spoofing (eg, spoofing packets within the ISPs block). If you try to beat that on all the aggregation routers, you have a lot of ACLs to maintain; customer churn could put address blocks all over the place.
I'd argue that ISPs should make it a term of service that *their* customers ACL their edge routers; we-catch-spoofing-we-cut-you-off language.
Re:Old Idea (Score:4, Insightful)
Also, a BGP-only solution would only let you drop traffic, so it's not very useful for flash crowds, where the traffic is legitimate but excessive. It's also not useful where the port / prefix etc can't precisely identify only DDoS traffic - rate limiting allows some good traffic to get through while also limiting the DDoS. Blackholing != limiting (did you read the paper at all?)
I agree that this can be prototyped using existing technology (see my post elsewhere), but if this approach proves useful, a dedicated protocol would be helpful - though this could perhaps be piggybacked onto BGP using additional attributes to carry the filter and rate limit information.
Flaws in this proposal (Score:3, Insightful)
An effective solution has to identify the source nodes causing the trouble and block them, not the target. This is hard, but not impossible. The big problem is doing it for fake source IP addresses.
It may be necessary to view routing the way we now have to view mail forwarding - open relays get blocked. If a router isn't sure of the IP addresses of its input, it shouldn't be forwarding those packets. Routers that continue to do so may find themselves blocked.
Re:sure (Score:3, Insightful)
The only thing to slow this down is checking routes, but even that can be gotten around (they just have to be on your network, thats not hard for colo's, shells, and most other providers)
Ugh (Score:2, Insightful)
I've always been a proponent of big dumb pipes and inteligent end nodes. I probably always will be. The overhead associated with supporting intelligent intermediate nodes is simply too high.
Richard
Re:Couldnt pushback be a Dos tool in itslf? (Score:3, Insightful)