SAVE us from DDoS

By on 23 Sep 2014

Categories: Community Tech matters


In a previous blog post I discussed BCP 38 and the routing manifesto, and so I was interested to hear Paul Vixie discussing the topic at APNIC 38 last week.  Paul has taken up the charge and is promoting Source Address Validation Everywhere (SAVE) as an approach to mitigating the bad traffic problem.

The irony of having identified DDoS risks in 2002 as the biggest threat to the Internet at the time hasn’t escaped Paul: the problem has only got worse since then.

One of the big problems Paul faces in encouraging SAVE is that an ISP has to invest in reconfiguring its own systems to stop being the source of bad packets, while the benefit of that investment is enjoyed by everyone else. When the beneficiaries are not your own customers, the work saves you no direct costs (it incurs them), and your competitors may not incur the same costs, that’s a tough sell.

While the industry has focused on the DNS side of the problem, the “root cause” is actually the spoofing. So while many organizations have deployed response-rate limiting (RRL) to mitigate DDoS attacks, the real problem remains.

Paul cited a 1997 article by David Isenberg, “The Rise of the Stupid Network”, which pointed out that we really just want a dumb network in the middle. None of the configuration, state, or virtual circuits should reside IN THE MIDDLE: we want this stuff at the edge. And he’s right (David didn’t invent this, but he called it out very well).

So if the core is stupid, how do we make the edge less stupid? Because the Spoofed Source problem, which lies behind DDoS, is a symptom of a dumb edge.

Paul explored the costs of doing Quality Assurance (QA) on devices in the emerging IoT and found that the marginal cost of removing security bugs is probably more than the cost/benefit for the manufacturer can justify in things like smart light bulbs. Things get even scarier if you dig down into TCP: anything listening for TCP connections can be made to send a stream of at least three, and possibly up to 20, SYN-ACK packets. That’s a 20x reflector in a 3-minute period. It may seem like a small thing, but if you scale up to light bulbs, things get pretty bad, pretty quickly.

The only economically scalable way out is to fix the problem of spoofed sources. Changes to TCP are not plausible, and ICMP and UDP all have risks, so the one thing we have traction on is the SAVE path.
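At the edge, source address validation comes down to a per-port check that a packet's source address belongs to the prefixes assigned to the port it arrived on. The sketch below is an added example, not code from the post or from Paul's talk; the port names, prefixes (documentation ranges) and packets are constructed assumptions.

```python
import ipaddress
from collections import Counter

# Constructed table: customer-facing port -> prefixes assigned to that customer.
# Port names are hypothetical; prefixes are documentation ranges.
ASSIGNED = {
    "cust-a": ["192.0.2.0/25", "2001:db8:a::/48"],
    "cust-b": ["198.51.100.0/24"],
}

def build_table(assigned):
    """Parse the prefix strings once so the per-packet check is cheap."""
    return {port: [ipaddress.ip_network(p) for p in prefixes]
            for port, prefixes in assigned.items()}

def source_is_valid(table, port, src):
    """Accept only sources inside a prefix assigned to the arrival port.
    Unknown ports and unparseable addresses fail closed."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False
    return any(addr.version == net.version and addr in net
               for net in table.get(port, []))

def filter_ingress(table, packets):
    """Return (forwarded, drops_per_port) for (port, src, dst) tuples."""
    forwarded, dropped = [], Counter()
    for port, src, dst in packets:
        if source_is_valid(table, port, src):
            forwarded.append((port, src, dst))
        else:
            dropped[port] += 1
    return forwarded, dropped

# Constructed traffic seen at the edge (203.0.113.7 stands in for a victim).
PACKETS = [
    ("cust-a", "192.0.2.10", "198.51.100.5"),        # inside the /25: forwarded
    ("cust-a", "192.0.2.200", "198.51.100.5"),       # outside the /25: dropped
    ("cust-a", "2001:db8:a:1::5", "2001:db8:b::1"),  # inside the /48: forwarded
    ("cust-b", "203.0.113.7", "192.0.2.10"),         # source not cust-b's: dropped
    ("cust-b", "203.0.113.7", "192.0.2.11"),         # source not cust-b's: dropped
    ("cust-b", "198.51.100.77", "192.0.2.10"),       # inside the /24: forwarded
    ("transit-x", "192.0.2.10", "198.51.100.5"),     # unknown port: dropped
]

if __name__ == "__main__":
    fwd, drops = filter_ingress(build_table(ASSIGNED), PACKETS)
    print(f"forwarded {len(fwd)}, dropped per port: {dict(drops)}")
```

The per-port drop counter is the useful operational signal: a non-zero count on a customer port identifies where packets with foreign source addresses are entering the network.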

But how to achieve wide acceptance, and inspire some action? Paul’s view is that the primary economic argument here is to equalize the obligation. If the complaint from your finance people is that the benefits are externalized while the cost is incurred internally, then everyone in the same economic region has to be pushed to incur the cost. That means talking to regulators, to get the obligation defined and the pain equally shared.


2 Comments

  1. Nick

    I am here emailing you today because I would like to report a DDoS attack on my network from your servers. As you can see from the router logs below, these are your servers. Please help me, because I am under a constant attack by these IPs.

    [DoS attack: Smurf] attack packets in last 20 sec from ip [118.91.172.255], Monday, Oct 06,2014 16:03:18
    [DoS attack: Smurf] attack packets in last 20 sec from ip [118.91.172.255], Monday, Oct 06,2014 15:48:22
    [DoS attack: Smurf] attack packets in last 20 sec from ip [118.91.172.255], Monday, Oct 06,2014 15:34:29
    [DoS attack: Smurf] attack packets in last 20 sec from ip [118.91.172.255], Monday, Oct 06,2014 15:19:30
    [DoS attack: Smurf] attack packets in last 20 sec from ip [118.91.172.255], Monday, Oct 06,2014 15:04:31
    [DoS attack: Smurf] attack packets in last 20 sec from ip [118.91.172.255], Monday, Oct 06,2014 14:49:32
    [DoS attack: Smurf] attack packets in last 20 sec from ip [37.99.220.255], Monday, Oct 06,2014 14:48:50
    [DoS attack: Smurf] attack packets in last 20 sec from ip [118.91.172.255], Monday, Oct 06,2014 14:34:31
    [DoS attack: Smurf] attack packets in last 20 sec from ip [118.91.172.255], Monday, Oct 06,2014 14:19:30
    [DoS attack: Smurf] attack packets in last 20 sec from ip [118.91.172.255], Monday, Oct 06,2014 14:04:31

  2. Tony Smith

    Hi Nick,
    Thanks for the comment. APNIC is not the source of the DDoS attack you may be experiencing. You can use our Whois service on the APNIC homepage – http://www.apnic.net – to find out the name and contacts of the service providers using the IP address ranges listed in your comment. We’ll also have our helpdesk team get in touch with you directly with more information.
