Re: [PROPOSAL] DDOS - Distributed DoS (1 candidate)
>Candidate: CAN-2000-0138 REVIEWING - voter is reviewing/researching the candidate, or needs more info

I think that trinoo etc. are very similar to smurf attacks (CVE-1999-0513) in the sense that a third party allows itself to be used. Also, there is an obvious solution that can only be done by that third party.

As for the CVE entry, I am considering whether the common entry point could be reduced to "egress filtering has not been implemented or has been disabled, allowing the sending of spoofed IP packets". Incidentally, this would prevent the use of decoys in port scans, etc. This single CVE entry would be very powerful. We could use the dot notation to list the DDoS tools and attacks that rely on the absence of egress filtering, based on the argument that if you have egress filtering, nobody will bother to put or use DDoS tools on your computers. The weakness of this is that one could in theory still use DDoS tools even if you have egress filtering -- only they will be one-shot guns, almost completely eliminating their appeal and effectiveness. One use, and they will be blocked, tracked down and destroyed efficiently.

Pascal

P.S.: I am attracted by the idea of starting an internet (fire)wall of shame for people who haven't implemented egress filtering. It worked pretty well against sites allowing themselves to be used for smurf attacks (http://www.powertech.no/smurf/). Why not use the same strategy for egress filtering? Of course it's hard to know who is the source of IP-spoofed packets. However, the consistent detection of crud originating from a server is a sure sign that they haven't implemented egress filtering. For example (my first candidate for this wall of shame), this weekend the Linux SuSE FTP server sent many packets with an illegal IP address as source, one reserved for local area networks, upon making an FTP connection (it may still be doing it, I haven't checked since -- the SuSE FTP admin mentioned that they were aware of it).

It was easy to figure out it was them by repeating the FTP connections and observing the 100% reproducibility and time correlation of the extraneous packets. In addition, the SuSE servers kept sending me crud for *hours* after a failed attempt to download their PPC beta. The cost of egress filtering is easily justified. The argument is similar to those relating to pollution, except that people don't try to break into your car if you have removed the catalytic converter.
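An added example (not code from the message or its author) of the egress check the message argues for: an outbound packet is passed only if its source address lies in the site's own prefix and not in a private or reserved range, and the same check is run over constructed log lines to flag packets like the LAN-sourced ones described above. The site prefix 203.0.113.0/24 and the log lines are assumptions made for illustration.

```python
"""Egress-filter decision for outbound packets, plus a log audit (constructed example)."""
import ipaddress

# Hypothetical prefix allocated to the site; any other source is spoofed.
SITE_PREFIXES = [ipaddress.ip_network("203.0.113.0/24")]

# Source ranges that should never leave a site: private (LAN), loopback, "this" network.
NEVER_SOURCE = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("127.0.0.0/8"),
    ipaddress.ip_network("0.0.0.0/8"),
]

def egress_verdict(src):
    """Return (allowed, reason) for an outbound packet whose source address is src."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False, "unparseable source"
    if any(addr in net for net in NEVER_SOURCE):
        return False, "reserved/private source"
    if not any(addr in net for net in SITE_PREFIXES):
        return False, "source not in site prefix (spoofed)"
    return True, "ok"

# Constructed log lines in "time src dst proto" form; not real traffic.
SAMPLE_LOG = """\
12:00:01 203.0.113.7 198.51.100.9 tcp/21
12:00:01 192.168.1.5 198.51.100.9 tcp/20
12:00:02 203.0.113.7 198.51.100.9 tcp/20
12:00:03 10.1.2.3 198.51.100.9 icmp
"""

def audit_log(text):
    """Return [(line, reason)] for every line an egress filter would have dropped."""
    dropped = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3:
            continue
        allowed, reason = egress_verdict(fields[1])
        if not allowed:
            dropped.append((line, reason))
    return dropped

if __name__ == "__main__":
    for line, reason in audit_log(SAMPLE_LOG):
        print(f"DROP ({reason}): {line}")
```

The two dropped lines in the sample are exactly the LAN-sourced packets that a server with egress filtering in place would never have emitted.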