About CVE

Terminology
Documents
FAQs
CVE List

About CVE Identifiers
Obtain a CVE Identifier
Search CVE
Search NVD
CVE In Use

CVE Adoption
CVE-Compatible Products
NVD for CVE Fix Information
More . . .
News & Events

Calendar
Free Newsletter
Community

CVE Editorial Board
Sponsor
Contact Us

Search the Site

CVE Community

Editorial Board
Mail List & Meetings Archive
Roles, Tasks, & Qualifications
Adding New Members
Sponsor

CVE In Use

CVE Compatible Products and Services
More . . .

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [PROPOSAL] DDOS - Distributed DoS (1 candidate)

To: cve-editorial-board-list@lists.mitre.org
Subject: Re: [PROPOSAL] DDOS - Distributed DoS (1 candidate)
From: Pascal Meunier <pmeunier@purdue.edu>
Date: Tue, 15 Feb 2000 21:08:39 -0500
Delivery-Date: Tue Feb 15 21:05:48 2000
In-Reply-To: <200002152204.RAA16462@basie.mitre.org>
References: <200002152204.RAA16462@basie.mitre.org>
Sender: owner-cve-editorial-board-list@lists.mitre.org

>Candidate: CAN-2000-0138
REVIEWING - voter is reviewing/researching the candidate, or needs more info

I think that trinoo etc... are very similar to smurf attacks
(CVE-1999-0513 ) in the sense that a third party allows itself to be
used.  Also, there is an  obvious solution that can only be done by
that third party.

As for the CVE entry, I am considering whether the common entry point
could be reduced to "egress filtering has not been implemented or has
been disabled, allowing the sending of spoofed IP packets".
Incidentally, this would prevent the use of decoys in port scans,
etc...  This single CVE entry would be very powerful. We could use
the dot notation to list the DDoS tools and attacks that rely on the
absence of egress filtering based on the argument that if you have
egress filtering, nobody will bother to put or use DDoS tools on your
computers.

The weakness of this is that one could in theory still use DDoS tools
even if you have egress filtering -- only they will be one shot guns,
almost completely eliminating their appeal and effectiveness.  One
use, and they will be blocked, tracked down and destroyed
efficiently.

Pascal

P.S.: I am attracted by the idea of starting an internet (fire)wall
of shame, for people who haven't implemented egress filtering.  It
worked pretty well against sites allowing themselves to be used for
smurf attacks (http://www.powertech.no/smurf/).  Why not use the same
strategy for egress filtering?  Of course it's hard to know who is
the source of IP spoofed  packets.  However the consistent detection
of crud originating from a server is a sure sign that they haven't
implemented egress filtering.  For example (my first candidate to
this wall of shame), this weekend the Linux suse ftp server sent many
packets with an illegal ip address as source, one reserved for local
area networks, upon making an ftp connection (it may still be doing
it, I haven't checked since -- the suse ftp admin mentioned that they
were aware of it).  It was easy to figure out it was them by
repeating the ftp connections and observing the 100% reproducibility
and time correlation of the extraneous packets.  In addition, the
suse servers kept sending me crud for *hours* after a failed attempt
to download their PPC beta.

The cost of egress filtering is easily justified.  The argument is
similar to those relating to pollution, excepted that people don't
try to break into your car if you have removed the catalytic
converter.

References:
- [PROPOSAL] DDOS - Distributed DoS (1 candidate)
  - From: "Steven M. Christey" <coley@linus.mitre.org>

Prev by Date: [TECH] New Voting Support Enhancements for Board Members
Next by Date: Re: [PROPOSAL] DDOS - Distributed DoS (1 candidate)
Prev by thread: [PROPOSAL] DDOS - Distributed DoS (1 candidate)
Next by thread: RE: [PROPOSAL] DDOS - Distributed DoS (1 candidate)
Index(es):
- Date
- Thread

Page Last Updated: May 22, 2007