Pushback against DDOS Attacks
Huusker writes "Steven Bellovin and others at ATT Research Labs and ICIR have come up with a mechanism to stop DDOS attacks. The idea is called Pushback. When the routers get flooded they consult a Unix daemon (/etc/pushbackd) to determine if they are being DDOS'ed. The routers propagate the quench packets back to the sources. The policy and propagation are separate, allowing hardware vendors to concentrate on the quench protocol while the white hats invent ever more clever DDOS detection filters for /etc/pushbackd. The authors of the paper have an initial implementation on FreeBSD."
My take (Score:5, Interesting)
(Gotta love the Slashdot effect getting named explicitly, eh? Nice to be part of the problem for a change... hehe.)
Seems to me the tricky part here is defining the aggregates. After reading the article, it isn't *really* a way to save your site from going down due to overload, more a way to prevent others sharing your pipe/routers from going down with you.
Which is a good goal in itself. It seems like a real tough thing to determine which of the millions of hits to www.yahoo.com (for ex.) are valid users, and which are DDoS bots. So both get restricted (net result: bots win), but the guy in the cage next to yahoo stays up.
Re:Problem? (Score:3, Interesting)
Can this be right? (Score:4, Interesting)
Back down to earth, it's mega-wicked when good ideas are developed in FreeBSD (or Linux). Developments like these come the closest to the original intents and purposes of open sourced OSes.
Re:Question.... (Score:2, Interesting)
I wonder what impact the pushback overhead will have when a server gets slashdotted, though. What if the pushback message gets dropped due to swamped routers?
Re:My take (Score:5, Interesting)
I have to agree. They leave a lot of issues for further study. One big problem seems to be that gigabit backbone routers don't really have time to do any of this stuff. It's not much use if the back plate packet rate drops to one quarter because of having to detect and deal with flow aggregates.
Re:another idea... (Score:3, Interesting)
On every edge router you simply need to put an access-list to drop all packets not coming from your netblocks.
Edge routers going to customers you drop incoming packets not coming from your customer assigned IP. Almost EVERY edge device supports this, most support dynamic filters with RADIUS requests. If you only allow your customers to send you data from their IP address it is impossible for them to be part of a spoofed attack.
Pushback simply moves the problem (Score:3, Interesting)
Um, this isn't new. (Score:5, Interesting)
1. All the various vendors would have to implement it.
2. False positives. A new form of DoS would be to generate enough spoofed traffic to trigger this sort of thing -aimed at someone else-. Imagine your outrage when your l33t IRC buddies spoof your IP address block whilst attacking www.slashdot.com - no more imbecilic, outdated "Gee, whiz!" types of posts for you to read.
3. Oftentimes, rate-limiting via CAR, traffic shaping, or other methods consumes more CPU cycles on the routers than simply blocking the offending traffic (assuming this is possible, which depends upon the attack methodology).
The best way to combat DoS attacks generally is use strong platforms which process ACLs and other features in hardware (ensuring that your config allows those features to be processed in hardware; logging ACLs like a 'deny ip any any log' just won't cut it, these days), ensure you have the ability to 'draw off the poison' by sinkholing traffic headed for the destination by advertising a null route for it on a sinkhole router (this isn't always possible, it depends upon the target of the attack; you may not want to sinkhole all requests to your Web server, for example), ensure you have as good a traffic sniffing/IDS-type capability as possible, make use of Netflow tools like CAIDA cflowd/OSU flow-tools/Flowscan/Panoptiis/FLAVIO/Arbor Networks' Peakflow DoS, and know how to get in touch with the folks at your ISP(s) who can help with identifying the (even spoofed, via Netflow tracing) sources and blocking the offending traffic upstream of you.
If you're a commercial site, strongly consider a distributed Web site, hosted at different locations and using some sort of Global Server Load Balancing technology (GSLB; Cisco's Distributed Director and 4480 are two examples of this) to send people to different sites depending upon their location, network topology-wise.
Re:not all DDoS attacks.. (Score:2, Interesting)
Re:This is worse (Score:4, Interesting)
You are correct when you say it shifts the site where the packets are dropped. However, you miss the whole point. The site's router determines a pattern common to an attack, and tells the routers upstream the pattern. Those routers tell their upstream routers the pattern, etc. Alone, the site's router might be overloaded. The routers two levels upstream might all be just about overloaded, but still able to let through all non-attacking traffic. If these routers all begin throttling, the site's router will no longer be overloaded. All nonattacking packets will be let through unhindered. All attacking packets will be throttled severely. If the attack picks up and the second-level-upstream routers can't handle it, they will pushback to the third-level-upstream routers, etc.
At least, that's how I understood it.
Heh heh (Score:2, Interesting)
try this (Score:2, Interesting)
Re:finally... a cure for Slashdotting... (Score:4, Interesting)
Re:Couldn't pushback be a DoS tool in itself? (Score:3, Interesting)
No because it means stop sending. To the network this stops the flood of packets.
Yes but if the system can be fooled into quenching legitimate requests then service has still been denied. I mean, to a user, does it matter if you can't get to the server because it's overloaded, or you can't get to the server because the routers are telling your machine to stop sending? Either way, all you know is that the blasted server is down.
Re:hey (Score:1, Interesting)
This sounds like the Tim Allen sort of way to do it. "Why don't we just throw it against the wall and save you the trouble?"
Food for thought.