[e2e] DDoS attack vs. Spoofing of Source Address

Joe Touch touch at ISI.EDU
Thu Jan 19 09:43:23 PST 2006



John Kristoff wrote:
> On Wed, 18 Jan 2006 16:45:58 -0800
> Joe Touch <touch at ISI.EDU> wrote:
> 
>> These slides refer to bogon traffic - with source addresses that are
>> reserved (e.g. Martians) or unallocated.  Spoofing a bogon address
>> would not be useful (it can be trapped at any router); perhaps you
>> meant some other slides?
> 
> No I meant those.  Spoofing is spoofing, regardless if it's bogons.
> Besides, you just earlier claimed, correctly, that ingress filtering
> only works if every router can be trusted to participate, but they
> can't and we have proof that many not so insignificant networks are
> forwarding spoofed packets.  So bogon filtering can be just as useful
> to an attacker as an assigned and in-use spoofed address.  :-)

Bogon filtering is special; there are no routers for which bogons should
be forwarded at all. They can be trapped anywhere in the network as a
result.

However, spoofed traffic from A to B can be trapped only at routers that
should never forward traffic from A (i.e., the diverting source
'branch'). Once that traffic enters the A-B path, no router on the
remainder of that path can distinguish A from fake-A by address alone,
and so cannot drop the traffic.

The two cases are very different as a result.

Further, no attacker would intentionally spoof bogons; they can and
should be dropped already. Bogons reflect incorrect configuration,
typically accidental or erroneous, rather than deliberate. The
statistics of bogon traffic do not correlate to the statistics of spoofed.

> However, in my experience, the use of local /24 netblock spoofing is
> commonly used if packets are spoofed at all.
> 
> I guess I needed to stipulate that these were bogons and that those
> slides indicated that bogon spoofing was on the wane. 

The slides do not talk about spoofing. They talk about bogon traffic. The
slides cite another talk that asserts that DOS attacks come from bogon
addresses - but that's not the same thing as spoofing. Even that talk
does not explain why this traffic is considered an attack. It's entirely
possible that the traffic is accidental, and results in a DOS attack on
resources.

That is NOT the same as a spoofing attack.

> I couldn't
> think of any other publicly available resource that documented spoofing
> in general has declined, but in my experience and in talking with other
> operators, I believe in general it has.  I would venture to guess that
> the percentage in that slide is probably accurate not just for bogon
> spoofing statistics, but spoofing in general.  That is, less than
> 20% or even less than 15% of attacks these days are spoofing addresses.

It is not useful to extrapolate statistics here; guessing that they
would be useful in this case is as accurate as picking a number at
random. If someone has real statistics, that'd be useful, however.

> It may be more interesting that attackers don't bother spoofing more.
> The explanation is relatively simple though, they don't really need
> to.  DoS agents are a dime a dozen, literally.  It's a shame why they
> don't need to, but it highlights the diminishing marginal returns of
> fixing spoofing.

Spoofing is useful only where it is of benefit to masquerade as another
IP address; that's a tautology, though.

Joe
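
Added example (not part of the original message): a small Python model of the distinction drawn above, where a bogon source can be dropped at any hop but a spoofed in-use address can be dropped only on the sender's own branch. The topology, hop names and site prefixes are hypothetical, and the bogon list is a short constructed subset of reserved ranges.

```python
import ipaddress as ip

# Constructed sample data: a few well-known reserved ("Martian") prefixes.
BOGONS = [ip.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "240.0.0.0/4")]

# Hypothetical site prefixes (documentation ranges stand in for allocated space).
A_NET = ip.ip_network("198.51.100.0/24")   # the real host A lives here
X_NET = ip.ip_network("203.0.113.0/24")    # the misbehaving sender lives here

# Hypothetical path from X's site to B. Each hop lists the source prefixes
# that may legitimately arrive on its ingress interface. The last two hops
# are shared with the A-B path, so A's prefix is expected there.
PATH_X_TO_B = [
    ("X-edge",     [X_NET]),
    ("X-upstream", [X_NET]),
    ("core",       [A_NET, X_NET]),
    ("B-edge",     [A_NET, X_NET]),
]

def is_bogon(src):
    return any(src in net for net in BOGONS)

def can_drop(expected, src):
    """True if this hop can reject src by source address alone."""
    return is_bogon(src) or not any(src in net for net in expected)

def drop_points(path, src):
    """Every hop on the path that is able to filter this source address."""
    src = ip.ip_address(src)
    return [name for name, expected in path if can_drop(expected, src)]

def first_drop(path, src, deployed):
    """First hop that has filters deployed and can drop src; None = delivered."""
    return next((h for h in drop_points(path, src) if h in deployed), None)

if __name__ == "__main__":
    for label, src in (("bogon", "10.1.2.3"), ("fake-A", "198.51.100.7")):
        print(label, "droppable at:", drop_points(PATH_X_TO_B, src))
        # Only the shared part of the path filters; X's branch does not.
        print(label, "first drop:", first_drop(PATH_X_TO_B, src, {"core", "B-edge"}))
```

With filters deployed only on the shared part of the path, the bogon source is still dropped at the core hop, while the fake-A source is delivered to B.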
