undefined | Better HN

0 pointsghshephard9y ago0 comments

Aren't there botnets that use their actual source address when spamming a DDOS target? How do you defend against that type of attack?

0 comments

6 comments · 2 top-level

Jweb_Guru9y ago· 4 in thread

If a bot is using its actual source address, you can block its IP at the edge (and even ask the ISP to investigate). Thanks to IP spoofing, that's totally ineffective, so instead the only way to make the attack stop is to null route the host.

shaunol9y ago

How does IP spoofing even work outside of those DNS reflection attacks mentioned on Krebs' blog? [1]

> "many were garbage Web attack methods that require a legitimate connection between the attacking host and the target, including SYN, GET and POST floods."

I constantly see references relating to DDoS attacks about how IP spoofing is such an obvious trick to use but I've never seen any way to actually do it. Why wouldn't every device on the internet spoof their IP?

[1] https://web.archive.org/web/20160922021000/http://krebsonsec...

Jweb_Guru9y ago

> Why wouldn't every device on the internet just spoof their IP if it was this obvious thing?

https://spoofer.caida.org/summary.php - compromise a device in one of the ASes not marked "unspoofable." Those ASes do not consistently perform packet ingress filtering.

That's not to say that DDOS attacks stop being possible, but at least they become traceable.

2 more replies

ghshephardOP9y ago

What do you do when you have 10, 20, 50 million bots using their actual source address? Do you just block all 50 million devices? If so, then that would be a great way to initiate denial of service on those devices.

kijin9y ago

Actually, that would be a good way to take all those insecure devices off the internet, or at least prompt someone to do something about it (even if temporarily, like hitting the "factory reset" button) before reconnecting them.

Most countries don't allow cars on the road that are unsafe due to lack of maintenance. Perhaps it's time to do something similar for internet-enabled devices that cause serious harm to others. Hold the user, manufacturer, or network operator responsible for harm caused by their lack of maintenance.

jethro_tell9y ago

Yes there are. but using your source address means that you are confined by the upload bandwidth of your hosts, instead of some mis configured DNS server with a 1000Mbps up in a datacenter. You'd just have to work a lot harder to get the bandwidth.

to add to that, You'll defiantly get some mis configured servers with 1000Mbps uploads. And those will be really easy to pick out of the lineup. And then you'd probably be able to call the DC and say that they should block that IP at their boarder and they would probably also comply because there's a good chance that customer that was doing 110Mbps and won't want to pay for 1000.

As it is now, because the source is spoofed, you can't really take the source offline, only take the destination down to keep the other hosts in close proximity running.

With a TCP connection you can pick the source and drop the handshake, basically never start the connection. Some of the windowing can be used to make a tcp connection less of an issue as well.

j / k navigate · click thread line to collapse