2 methods to fight back (D)DoS

Thread: 2 methods to fight back (D)DoS

  1. #1
    Senior Member
    Join Date
    Nov 2002
    Posts
    382

    2 methods to fight back (D)DoS

    Here is a very interesting paper about future techniques to fight back against DoS.
    The first proposal is very interesting since it will help an ISP detect, in real time, from which access point (another ISP or a customer) a DoS flow is coming. It could help configure the ISP border firewall and/or identify the source.

    The second one is a bit funnier: taxing some CPU from the client that connects to you. I think that introduces a greater risk than it resolves. Imagine you connect to a hacker site soliciting your CPU to do some stuff, or denying you... brrr

    Full article here

    In two papers presented at the IEEE Symposium on Security and Privacy here, the graduate students suggested simple modifications to network software that could defeat denial-of-service attacks and that could be implemented in the current protocol used by the Internet.
    [...]
    1-The proposal takes advantage of largely unused bits in the headers of network traffic--the digitized address information attached to each electronic message--to fingerprint data based on the route the information took through a network. A victim suffering from an onslaught of data could use the fingerprint, or path-identifier number, to decide whether the traffic from certain regions of the Internet should be blocked by its Internet service provider.

    "Even when the total attack traffic is 170 times the legitimate traffic, 60 percent of a server's capacity is still allocated to legitimate users," Yaar said after his presentation.

    [...]
    2-The second presentation, also by a graduate student at Carnegie Mellon, proposes that servers use "puzzles"--problems that take a certain amount of processing time to solve--as a means of taxing any computer that tries to communicate with the server. Such a technique, which has also been suggested as a way to defeat spammers who send unsolicited mass e-mail, would help defend against denial-of-service attacks that attempt to tie up a victim server's memory with hundreds or thousands of connections.

    [...]

    "Our mechanism enables each client to 'bid' for resources by tuning the difficulty of the puzzles it solves and to adapt its bidding strategy in response to apparent attacks," Wang stated in the paper that outlined his findings.
    SHARING KNOWLEDGE
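To make the first proposal concrete, here is an added simulation of path-identifier (Pi-style) marking and the victim-side filter it enables. This is example code written for this thread, not code from the paper or from the article; the topology, router addresses, 2-bit-per-hop marking into the 16-bit IP Identification field, constant initial TTL and the "learn marks from attack traffic, then drop packets carrying them" victim policy are all assumptions chosen to illustrate the idea.

```python
"""Toy simulation of Pi-style path-identifier marking and victim-side filtering.

Added example, not code from the paper or the thread. Topology, addresses and
traffic below are constructed. Simplifications: every host starts with the same
TTL, and every router on the path marks (no legacy, non-marking routers).
"""
import hashlib

ID_BITS = 16                          # width of the IPv4 Identification field reused for marks
MARK_BITS = 2                         # bits each router writes
SLOTS = ID_BITS // MARK_BITS          # 8 marking positions
MARK_MASK = (1 << MARK_BITS) - 1
START_TTL = 64                        # assumption: every sender uses this initial TTL


def hop_mark(prev_hop: str, this_hop: str) -> int:
    """Deterministic MARK_BITS-wide value for the (previous router, this router) link."""
    digest = hashlib.sha256(f"{prev_hop}->{this_hop}".encode()).digest()
    return digest[0] & MARK_MASK


def pi_mark(path: list[str], ttl: int = START_TTL) -> int:
    """Identification-field value a packet carries after crossing `path`.

    Each router decrements TTL, picks slot = ttl % SLOTS and overwrites that slot
    with its link mark, so the final value is a fingerprint of the route taken.
    """
    ident = 0
    prev = "source"
    for router in path:
        ttl -= 1
        shift = (ttl % SLOTS) * MARK_BITS
        ident &= ~(MARK_MASK << shift) & ((1 << ID_BITS) - 1)   # clear the slot
        ident |= hop_mark(prev, router) << shift                # write this hop's mark
        prev = router
    return ident


class PiVictim:
    """Victim keeps the set of marks seen on traffic it has classified as attack."""

    def __init__(self) -> None:
        self.blocked_marks: set[int] = set()

    def learn_attack(self, marks) -> None:
        self.blocked_marks.update(marks)

    def accept(self, mark: int) -> bool:
        return mark not in self.blocked_marks


# Constructed topology: per-sender router paths ending at the victim's edge router 10.0.0.1.
PATHS = {
    "zombie":          ["10.1.1.1", "10.0.2.1", "10.0.3.1", "10.0.0.1"],
    "legit_same_edge": ["10.1.1.1", "10.0.2.1", "10.0.3.1", "10.0.0.1"],  # same path as the zombie
    "legit_far":       ["10.5.1.1", "10.5.2.1", "10.4.1.1", "10.0.4.1", "10.0.3.1", "10.0.0.1"],
}


def simulate() -> dict[str, bool]:
    """Learn the mark from the zombie's flood, then report who still gets through."""
    victim = PiVictim()
    victim.learn_attack({pi_mark(PATHS["zombie"])})
    return {name: victim.accept(pi_mark(path)) for name, path in PATHS.items()}


if __name__ == "__main__":
    for name, ok in simulate().items():
        print(f"{name:16s} mark=0x{pi_mark(PATHS[name]):04x} accepted={ok}")
```

The point the run makes: the mark is a property of the route, not of the (spoofable) source address, so the victim can drop a flood without trusting anything the attacker wrote. The cost is that `legit_same_edge`, a legitimate user behind the same path as the zombie, is dropped too; that collateral loss is why the quoted result speaks of 60% of capacity rather than 100%. Real deployments also have to cope with hosts that start from different TTLs, which shifts the slot each router writes into.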

  2. #2
    The DoS attacks they are basically talking about are just ICMP, ping -f and ping of death. I mean, come on, all you have to do is limit the amount of packets that can simultaneously be transmitted to you.

  3. #3
    Senior Member
    Join Date
    Nov 2002
    Posts
    382
    DeltaForce:
    I don't think you read the paper carefully!

    The 1st method proposes to tag any/all types of packets during transit in order to figure out the path of the packet through the network. That would be a huge advantage in fighting back DoSers, by identifying the source (e.g. zombie) or by updating ACLs in ISP routers in real time (the bottleneck is between ISP and customer, not between ISPs!).

    The 2nd method is weird but may work with any type of server (web, ftp & so on) since it's a CPU taxation.

    I don't understand why you limit that paper to old attacks that anyone can prevent!!!
    SHARING KNOWLEDGE
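The "CPU taxation" both posts above refer to, as an added worked example (not code from the paper or from anyone in this thread): a hash puzzle whose difficulty the client picks, which is what lets a client "bid" for resources. The puzzle form (find an 8-byte nonce such that SHA-256 of challenge || nonce starts with at least the claimed number of zero bits), the single-use challenge, the bid bounds and the admission policy are assumptions chosen for illustration; the page does not give the paper's construction.

```python
"""Client-puzzle admission control with client-chosen difficulty ("bidding").

Added example, not code from the paper or this thread. The puzzle form and the
server policy are assumptions; the page does not give the paper's construction.
"""
import hashlib
import secrets
import time

MIN_BITS = 8    # smallest bid the server honours; raise this when under attack
MAX_BITS = 24   # largest bid honoured, so no client can claim unbounded priority


def leading_zero_bits(digest: bytes) -> int:
    """Count the zero bits at the front of a digest."""
    count = 0
    for byte in digest:
        if byte == 0:
            count += 8
            continue
        count += 8 - byte.bit_length()
        break
    return count


def puzzle_difficulty(challenge: bytes, solution: int) -> int:
    """One SHA-256: the server's entire cost of checking a solution."""
    digest = hashlib.sha256(challenge + solution.to_bytes(8, "big")).digest()
    return leading_zero_bits(digest)


def solve(challenge: bytes, bits: int) -> int:
    """Client side: about 2**bits hashes on average, all paid by the client."""
    solution = 0
    while puzzle_difficulty(challenge, solution) < bits:
        solution += 1
    return solution


class PuzzleServer:
    """Hands out single-use challenges, verifies bids, admits the highest bidders."""

    def __init__(self, capacity: int, ttl_seconds: float = 30.0) -> None:
        self.capacity = capacity
        self.ttl = ttl_seconds
        self.outstanding: dict[bytes, float] = {}     # challenge -> issue time
        self.pending: list[tuple[int, bytes]] = []    # (bid, client)

    def challenge(self) -> bytes:
        c = secrets.token_bytes(16)                   # unpredictable: no precomputed answers
        self.outstanding[c] = time.monotonic()
        return c

    def submit(self, client: bytes, challenge: bytes, solution: int, bid: int) -> bool:
        issued = self.outstanding.pop(challenge, None)   # single use: a replay fails here
        if issued is None or time.monotonic() - issued > self.ttl:
            return False
        if not MIN_BITS <= bid <= MAX_BITS:
            return False
        if puzzle_difficulty(challenge, solution) < bid:
            return False                              # client did not do the work it claims
        self.pending.append((bid, client))
        return True

    def admit(self) -> list[bytes]:
        """Give the `capacity` slots to the clients that solved the hardest puzzles."""
        ranked = sorted(self.pending, key=lambda t: t[0], reverse=True)
        self.pending = []
        return [client for _, client in ranked[: self.capacity]]


def simulate() -> list[bytes]:
    """Constructed scenario: one legitimate client outbids two flood bots for one slot."""
    server = PuzzleServer(capacity=1)
    bids = {b"legit": 14, b"bot-1": MIN_BITS, b"bot-2": MIN_BITS}
    for client, bits in bids.items():
        c = server.challenge()
        assert server.submit(client, c, solve(c, bits), bits)
    return server.admit()
```

Two things to check before copying the pattern: the server's work per submission is one hash plus a dictionary lookup, so it does not become a new amplification target, and the challenge must be fresh and single-use or attackers simply precompute and replay solutions. The asymmetry also cuts the other way, as the first post warns: the scheme only works if clients are willing to burn CPU on demand, and a server can only ask, not force.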

  4. #4
    Banned
    Join Date
    May 2003
    Posts
    42
    Some DoS attacks go way beyond just ping floods and ping-type attacks. Another good way to limit the ability to attack your network is to implement ingress/egress filtering on your router. What this does is verify the client's route and make sure the packet being sent came from its destination address, as many DoS attacks use spoofed IP addresses.

  5. #5
    Senior Member
    Join Date
    Nov 2002
    Posts
    382
    2pumpChump: are you talking about reverse-path routing or something?
    Do you mean from the ISP side or the customer side?

    With the assumption that the only element you've got, as an analysis basis, is the IP packet itself, how do you know the path?
    SHARING KNOWLEDGE

  6. #6
    Banned
    Join Date
    May 2003
    Posts
    42
    Networker: No, I am talking about configuring your router to identify packets and *not* route a packet that did not come from your network. This will not directly stop a DoS attack, but if everyone implemented it, DoS would not be as easy for attackers to accomplish.

    http://lists.jammed.com/ISN/2003/02/0067.html

    Just some brief reading on the topic.
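The check being described, as an added example (not code from this thread or from the linked list post): a router that answers the reverse-path question "would I route traffic *back to this source address* out of the interface the packet arrived on?" and drops the packet when the answer is no. The routing table, interface names, prefixes and packets are constructed; `strict` and `loose` mirror the two modes unicast reverse-path forwarding is commonly offered in, but the naming is mine, not a vendor's.

```python
"""Ingress/egress anti-spoofing check in the style of unicast reverse path forwarding.

Added example, not code from the thread or the linked article. Routing table,
interface names and packets are constructed.
"""
import ipaddress
from typing import Optional


class RpfRouter:
    """Routing table keyed by prefix, plus the two usual reverse-path checks."""

    def __init__(self, routes) -> None:
        # routes: iterable of (prefix, interface); interface None models a null route
        self.routes = [(ipaddress.ip_network(prefix), iface) for prefix, iface in routes]

    def route(self, addr: str) -> Optional[str]:
        """Longest-prefix match; returns the egress interface, or None if unroutable."""
        ip = ipaddress.ip_address(addr)
        best = None
        for net, iface in self.routes:
            if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, iface)
        return best[1] if best else None

    def strict_rpf(self, src: str, in_iface: str) -> bool:
        """Accept only if the best route to the source points back out the ingress interface."""
        return self.route(src) == in_iface

    def loose_rpf(self, src: str) -> bool:
        """Accept if the source is routable at all: tolerates asymmetric paths, still drops bogons."""
        return self.route(src) is not None


# Constructed ISP edge router: one customer on cust0, everything else via upstream.
ISP_EDGE = RpfRouter([
    ("0.0.0.0/0", "upstream"),        # default route towards the rest of the Internet
    ("203.0.113.0/24", "cust0"),      # the customer's prefix (TEST-NET-3, constructed)
    ("10.0.0.0/8", None),             # private space: null-routed bogon
])

# Constructed packets: (source address, arrival interface, why it is here)
PACKETS = [
    ("203.0.113.7", "cust0", "customer's own address"),
    ("198.51.100.9", "cust0", "customer spoofing someone else: egress filter"),
    ("203.0.113.7", "upstream", "outsider spoofing the customer: ingress filter"),
    ("198.51.100.9", "upstream", "ordinary inbound traffic"),
    ("10.1.2.3", "upstream", "bogon source"),
]


def filter_packets(router: RpfRouter, packets, mode: str = "strict") -> list[bool]:
    """Return one accept/drop decision per packet under the chosen RPF mode."""
    decisions = []
    for src, in_iface, _reason in packets:
        ok = router.strict_rpf(src, in_iface) if mode == "strict" else router.loose_rpf(src)
        decisions.append(ok)
    return decisions


if __name__ == "__main__":
    for (src, iface, reason), ok in zip(PACKETS, filter_packets(ISP_EDGE, PACKETS)):
        print(f"{'PASS' if ok else 'DROP'} {src:14s} on {iface:9s} ({reason})")
```

Note what strict mode buys and costs: it stops the customer emitting spoofed sources (egress) and stops outsiders borrowing the customer's addresses (ingress), but it will also drop legitimate traffic wherever routing is asymmetric, which is why loose mode exists for multi-homed edges. Neither mode stops a flood whose sources are real, which is the limit the next post points at.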

  7. #7
    Senior Member
    Join Date
    Nov 2002
    Posts
    382
    Okay, I understand what you mean!

    In a utopian world every single private network would implement proper security rules (anti-spoofing, ...), but I tell you what, the world is not a utopia!
    The well-known solution you propose is not realistic since you cannot oblige every connected network to implement those security rules.

    The ones who can do something to secure the net in a global and efficient manner are ISPs, without doubt!
    The path-identifier proposal could be a solution to that issue. But it's just theory and it is not implemented since it relies on router IP stack enhancements.
    Router upgrades would be expensive, but the market for secured ISPs is growing ...
    let's wait & see
    SHARING KNOWLEDGE

  8. #8
    Senior Member
    Join Date
    Oct 2001
    Posts
    638
    The DoS attacks they are basically talking about are just ICMP, ping -f and ping of death. I mean, come on, all you have to do is limit the amount of packets that can simultaneously be transmitted to you.
    It takes processing power to drop packets too. This is why DoS/DDoS attacks are so hard to defend against. If it was as simple as "limiting the amount of packets", DoS attacks wouldn't be a problem.
    OpenBSD - The proactively secure operating system.
