Subject: Re: [fw-wiz] Stefan Savage : Hacking the TCP stack
From: Steven M. Bellovin (smb@research.att.com)
Date: Thu May 18 2000 - 18:46:29 CDT
In message <3922AA5C.984EA8A6@mitre.org>, "Frederick N. Chase" writes:
>
>
>"R. DuFresne" wrote:
>>
>> Has anyone looked at the work described here:
>
>
>
>
>I've made a pass through the paper by
>Savage, Wetherall, Karlin and Anderson,
>which can be found at:
>http://www.cs.washington.edu/homes/savage/traceback.html.
>
>
>IMHO (which is not necessarily that of my employer),
>This is by far the most promising thing that's surfaced to date
>for addressing distributed denial-of-service.
>--It can be implemented without waiting for IPv6.
>--It can be phased in in a practical way.
>--It promises an effective solution to the first phase of traceback:
> finding the agent/daemon/zombies which are
> emitting the volumes of packets.
>
>The paper appears to be quite objective as to what can be expected.
>
>I think this should be given immediate thorough consideration
>by ISPs and router vendors.

First, IPv6 does nothing to address DDoS attacks. Second, there are a
number of limitations to Savage's scheme (and at least two similar
schemes that assorted folks are working on): they don't work with
fragments, they don't work if AH is used (they diddle a field that AH
protects), and they don't work with IPv6 (because there is no Id field
in IPv6).

For an alternative, see
http://www.research.att.com/~smb/papers/draft-bellovin-itrace-00.txt
(also in your favorite Internet drafts directory). There was a BoF on
it at the last IETF meeting; I expect that there will be a working
group by the next meeting. To join the mailing list, send a note to
majorodomo@research.att.com with 'subscribe ietf-itrace' as the body.

--Steve Bellovin
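
The three limitations listed in the reply above, shown as an added example that is not part of the original message or of either paper. It assumes a router mark overwrites the 16-bit IPv4 Identification field; all function names are hypothetical, the addresses and header values are constructed, and the AH check is a simplified stand-in (HMAC-SHA-256 over the header only, mutable fields zeroed).

```python
import hashlib
import hmac
import struct

def ipv4_header(ident, frag_off=0, more_frags=False, proto=17, ttl=64):
    """Constructed 20-byte IPv4 header (checksum left at 0 for brevity)."""
    flags_off = (0x2000 if more_frags else 0) | frag_off
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, ident, flags_off, ttl,
                       proto, 0, bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7]))

def mark_id(header, mark):
    """Assumed marking step: overwrite the Identification field (bytes 4-5)."""
    return header[:4] + struct.pack("!H", mark) + header[6:]

def reassembly_key(header):
    """Receivers queue fragments by (src, dst, protocol, Identification)."""
    ident, = struct.unpack("!H", header[4:6])
    return (header[12:16], header[16:20], header[9], ident)

def reassembles(fragments):
    """True if every fragment lands in the same reassembly queue."""
    return len({reassembly_key(f) for f in fragments}) == 1

def ah_icv(header, key):
    """Simplified AH integrity value. TOS, flags/offset, TTL and checksum are
    mutable and zeroed before hashing; Identification is immutable and kept."""
    h = bytearray(header)
    h[1] = 0
    h[6:8] = b"\x00\x00"
    h[8] = 0
    h[10:12] = b"\x00\x00"
    return hmac.new(key, bytes(h), hashlib.sha256).digest()

def marking_applicable(packet):
    """Return (ok, reason): can an Id-field mark be written into this packet?"""
    if packet[0] >> 4 != 4:
        return False, "not IPv4: no Identification field"
    flags_off, = struct.unpack("!H", packet[6:8])
    if flags_off & 0x3FFF:  # MF bit set or non-zero fragment offset
        return False, "fragment: Id is needed for reassembly"
    if packet[9] == 51:  # IP protocol 51 = AH
        return False, "AH: Id is covered by the integrity check"
    return True, "ok"
```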