LWN.net Logo

Not logged in

Log in now

Create an account

Subscribe to LWN

Recent Features

Pencil, Pencil, and Pencil

Dividing the Linux desktop

LWN.net Weekly Edition for June 13, 2013

A report from pgCon 2013

Little things that matter in language design

Printable page
Weekly edition Kernel Security Distributions Contact Us Search
Archives Calendar Subscribe Write for LWN LWN.net FAQ Sponsors

TCP vulnerability: cancel red alert

TCP vulnerability: cancel red alert

Posted Apr 22, 2004 13:16 UTC (Thu) by pflugstad (subscriber, #224)
In reply to: TCP vulnerability: cancel red alert by jbh
Parent article: TCP vulnerability: cancel red alert

- Make ISPs implement ingress filtering to kill off spoofed source addresses. This is good against all DoS attacks, and I really don't understand why there's not more pressure to do so. Pressure == refusal to peer with ISPs without filtering.

This doesn't work except at the very edge of the network. And it creates problems with multi-homed networks where traffic could be going out one connection and back in another. It can't be used on the core of anyones network at all, which is where this type of attack would be most effective. NANOG has had extensive discussions on this subject in the last few months - see their mailing lists. NANOG has also been discussing this problem for the last few days.

Also, with the large number of Zombie systems out there, spoofing IP addresses is not needed for DDoS attacks.

(Log in to post comments)

TCP vulnerability: cancel red alert

Posted Apr 22, 2004 18:28 UTC (Thu) by jbh (subscriber, #494) [Link]

All true. Anti-spoof-filtering must be done at the edge. Very few ISPs currently do this, because there is no pressure for them to do so. There is no advantage in doing it. But if everybody did, everybody would be better off. Prisoner's dilemma. Needs "outside" pressure to get to best solution.

Regarding DoS though, while a DoS doesn't require spoofed source addresses, it does make it much much harder to stop.

ingress filtering to stop source address spoofing

Posted Apr 23, 2004 21:28 UTC (Fri) by giraffedata (subscriber, #1954) [Link]

This doesn't work except at the very edge of the network.

Doing it at the edge would probably be sufficient.

In fact, I thought it already was already done there. Can an AOL or Earthlink or Road Runner home Internet user send packets with arbitrary source IP addresses into the Internet? Have we had Internet hacks recently using spoofed IP source addresses?

It doesn't have to be the very edge, does it? Just beyond the point where the Internet becomes a tree. I assume most of the Internet nodes are in that outer region.

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds