Stopping spoofed packets can cut down DDoS attacks
Must we make major changes to the overall Internet structure to stop distributed denial-of-service (DDoS) attacks aimed at disrupting popular Web sites? Somewhat surprisingly, the answer is most likely no.
It has been reported that significant legal and technical hurdles prevent a quick, straightforward solution to DDoS attacks. It is often suggested that the anonymity offered by the Internet must be eliminated to prevent future attacks.
Nothing could be further from the truth. While there are no perfect solutions, and indeed there are some costs, there is at least one straightforward technical approach that can reduce the hazards associated with these attacks at minimal cost.
Like a postcard, each message on the Internet, known as a packet, contains the addresses of both the sender and recipient. Reports of recent DDoS attacks indicate that the sender's address, referred to as the originator, or source, address, has often been forged - a process known as IP spoofing. Forging an originator address serves to confuse the trail leading back to the computer that sent the packets.
In the real world, we have already found solutions to deal with different types of fraud, including forgery, by requiring intermediaries to vouch for their principal's authenticity. Stockbrokers are subject to such rules when trading securities on behalf of clients. Brokers are required to make good on trades, even if the customer fails to deliver the funds or securities involved. This rule ensures an orderly market and acts as a discipline on member firms.
Similarly, airlines are required to check passengers' passports and other documentation before international flights. If a passenger's papers are not in order when the passenger arrives at his destination, he must be returned to the point of origin at the airline's expense. While not foolproof, such measures are reasonably effective.
Today's Internet structure can limit the use of forged originator addresses to confuse the trail and camouflage the systems being used to stage an attack. Requiring ISPs to check the origin addresses of packets entering their networks from customers is neither difficult nor unreasonable.
Accountability for Internet traffic doesn't require that we make major technological or legal changes to our network infrastructure. It merely requires us to enforce some technological common sense.
The current Internet is composed of interconnections between ISPs. In concept, it is no different than the relationships between stockbrokers in the financial market. Each ISP generally resells portions of its network to smaller providers, or directly to customer networks.
While all the levels may make this seem complicated, it is always true that a service provider, at any level in the structure, knows what addresses are assigned to its customers.
It's not unreasonable to require that each packet entering from a customer network have an originator address within that customer's network to be accepted for carriage by the provider.
Packets purporting to originate within Microsoft, for example, should not be arriving from the University of California at Santa Barbara. This restriction is not technically hard to implement.
Furthermore, there is no legitimate reason why packets with incorrect originator addresses should ever exist on the Internet.
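The check described above is simple enough to state in a few lines. The following is an added illustration, not code from the column or from any ISP: a simulated customer-edge filter that accepts a packet only if its originator address lies within a prefix the provider has assigned to the customer on the link the packet arrived on, and otherwise rejects it with a reason suitable for logging. The link names, prefixes and packets are constructed (RFC 5737 and RFC 3849 documentation ranges).

```python
"""Simulated ingress source-address validation at a provider's customer edge."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed table: which source prefixes each customer-facing link is
# entitled to use. Link names and prefixes are hypothetical, not from the column.
CUSTOMER_PREFIXES: Dict[str, List[ipaddress.IPv4Network]] = {
    "link-cust-a": [ipaddress.ip_network("198.51.100.0/24")],
    "link-cust-b": [ipaddress.ip_network("203.0.113.0/25"),
                    ipaddress.ip_network("203.0.113.128/26")],
}


@dataclass(frozen=True)
class Packet:
    ingress_link: str  # customer link the packet arrived on
    src: str           # originator address as written in the packet
    dst: str


def check_source(packet: Packet) -> Tuple[bool, str]:
    """Return (accept, reason). Accept only if the originator address lies in a
    prefix assigned to the customer on the link the packet arrived on."""
    prefixes = CUSTOMER_PREFIXES.get(packet.ingress_link)
    if prefixes is None:
        return False, "unknown-ingress-link"  # fail closed on unknown links
    try:
        src = ipaddress.ip_address(packet.src)
    except ValueError:
        return False, "malformed-source-address"
    # `in` returns False on an IPv4/IPv6 version mismatch rather than raising.
    if any(src in prefix for prefix in prefixes):
        return True, "source-within-customer-prefix"
    return False, "source-outside-customer-prefix"


def filter_packets(packets):
    """Split a batch into accepted packets and (packet, reason) rejection
    records that an operator could log and count per customer link."""
    accepted, rejected = [], []
    for pkt in packets:
        ok, reason = check_source(pkt)
        if ok:
            accepted.append(pkt)
        else:
            rejected.append((pkt, reason))
    return accepted, rejected


# Constructed traffic sample.
SAMPLE = [
    Packet("link-cust-a", "198.51.100.7", "192.0.2.10"),    # genuine
    Packet("link-cust-b", "203.0.113.150", "192.0.2.10"),   # genuine, second prefix
    Packet("link-cust-b", "198.51.100.7", "192.0.2.10"),    # cust-a address on cust-b link
    Packet("link-cust-a", "192.0.2.55", "192.0.2.10"),      # outside any customer prefix
    Packet("link-cust-a", "2001:db8::1", "192.0.2.10"),     # IPv6 source on an IPv4-only link
    Packet("link-unknown", "198.51.100.7", "192.0.2.10"),   # link not in the table
    Packet("link-cust-a", "not-an-address", "192.0.2.10"),  # malformed source
]

if __name__ == "__main__":
    acc, rej = filter_packets(SAMPLE)
    for p in acc:
        print("ACCEPT", p.ingress_link, p.src)
    for p, why in rej:
        print("REJECT", p.ingress_link, p.src, why)
```

The filter fails closed: a packet from a link with no prefix assignment is dropped rather than forwarded, and the rejection reason is kept so that a sudden rise in rejections on one customer link can be noticed and traced back to that customer.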
In my "Internet Security" contribution to The Computer Security Handbook, 3rd Edition (1995), I wrote that originator spoofing was possible and likely to occur in the future. I also noted that such attacks could be prevented with ease. Sad to say, it would appear that many ISPs have not heeded this advice.
Stopping spoofed packets does not eliminate the potential for DDoS attacks, but it makes it much harder to covertly stage such an attack. It makes it easier and faster for law enforcement and service providers to track and cut off the source of the attack.
Traceability and accountability are productive ways to deal with many hazards. If ISPs reject all packets with obviously fake originator addresses, the process of identifying the source of the attack is accelerated. The scale of the attacks would also be reduced.
Address validation restrictions don't affect the underlying degree of anonymity offered by the Internet, but they do provide a way to limit attacks and maintain an orderly network at minimal inconvenience for all parties.
Gezelter is a network security consultant and the Internet Security contributor to The Computer Security Handbook, 3rd Edition.