A Nonce to Mitigate DDoS Attacks

Cloudflare, which hosts many customers, has handled many DDoS attacks. Some time ago there were DNS amplification attacks; now there is an NTP amplification DDoS attack. It so happens that two conditions are essential for such an amplification attack to work:

  • A large reply in response to a very small request. This lets an attacker with a small set of hosts and limited bandwidth trigger a very large attack on the target.
  • Source IP address spoofing. This lets an attacker send request packets that appear to come from the target, thereby redirecting all the responses to the target.

One of the fixes suggested to guard against IP address spoofing attacks is a nonce, briefly described here. If I understand it correctly, the server's first reply carries a nonce (a random value), and the client must send that nonce back before any further replies are sent. If the nonce never comes back (because the receiver never asked for the reply), no further replies are sent. This at least mitigates the amplification effect, even if it does not stop the DDoS attack altogether.
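As an added illustration that is not part of the original post, here are the two server designs side by side in Python: the naive one that answers a small request with a large reply, and the nonce-gated one that answers with a short challenge and releases the large reply only once the nonce is echoed. A helper measures the amplification factor each design yields when requests are forged in another address's name and the answers are never acknowledged. Everything here is constructed: the 4096-byte reply, the 32-byte minimum request, the example addresses, and the choice to derive the nonce as an HMAC over the claimed source address and a time window (the post only calls it a random value) so that the server keeps no per-client table.

```python
import hashlib
import hmac
import os
import time

# Constructed stand-in for a large protocol response (think of a DNS ANY answer or an
# NTP monlist dump); the request that triggers it is a few bytes plus padding.
LARGE_REPLY = b"X" * 4096
MIN_REQUEST_LEN = 32                   # NonceServer drops anything shorter than this
SMALL_REQUEST = b"REQ".ljust(MIN_REQUEST_LEN, b"\0")
NONCE_HEX_LEN = 16                     # 64-bit nonce, hex encoded


class AmplifyingServer:
    """Naive design: any small request earns the large reply, whoever it claims to be from."""

    def handle(self, src_ip, request, now=None):
        return LARGE_REPLY if request.startswith(b"REQ") else b"ERR"


class NonceServer:
    """Nonce-gated design: the first reply is a short challenge; the large reply goes out
    only after the requester echoes the nonce, which a spoofed source address never sees."""

    def __init__(self, secret=None, window_seconds=30):
        # The nonce is an HMAC over the claimed source address and a time window, so the
        # server keeps no table of outstanding nonces (such a table could itself be
        # exhausted during a flood). This keyed derivation is a design choice made here,
        # not something the post prescribes; the post only calls the nonce a random value.
        self.secret = secret if secret is not None else os.urandom(32)
        self.window_seconds = window_seconds

    def _nonce(self, src_ip, window):
        msg = f"{src_ip}|{window}".encode()
        return hmac.new(self.secret, msg, hashlib.sha256).hexdigest()[:NONCE_HEX_LEN]

    def handle(self, src_ip, request, now=None):
        # Never answer a request with more bytes than it carried: that alone caps the
        # amplification factor of the challenge stage at 1.
        if len(request) < MIN_REQUEST_LEN:
            return b""
        now = time.time() if now is None else now
        window = int(now // self.window_seconds)
        if request.startswith(b"REQ"):
            # Stage 1: a 22-byte challenge instead of the 4096-byte answer.
            return b"NONCE " + self._nonce(src_ip, window).encode()
        if request.startswith(b"NONCE "):
            # Stage 2: release the large reply only for a nonce issued to this address in
            # the current or previous window; compare_digest avoids a timing side channel.
            echoed = request[6:6 + NONCE_HEX_LEN].decode(errors="replace")
            for w in (window, window - 1):
                if hmac.compare_digest(echoed, self._nonce(src_ip, w)):
                    return LARGE_REPLY
            return b"ERR"
        return b"ERR"


def legitimate_exchange(server, client_ip="198.51.100.7"):
    """A real client completes both stages (padding its echo) and receives the large reply."""
    first = server.handle(client_ip, SMALL_REQUEST)
    if first.startswith(b"NONCE "):
        # The client can echo the nonce only because the challenge actually reached it.
        return server.handle(client_ip, first.ljust(MIN_REQUEST_LEN, b"\0"))
    return first


def amplification_factor(server, victim_ip="203.0.113.9", packets=1000):
    """Design check: bytes an address receives per byte sent in its name when the
    requests are forged and the replies go unacknowledged (the victim never echoes a
    nonce). Returns (bytes_sent, bytes_victim_receives, factor)."""
    sent = received = 0
    for _ in range(packets):
        sent += len(SMALL_REQUEST)
        received += len(server.handle(victim_ip, SMALL_REQUEST))
    return sent, received, received / sent


if __name__ == "__main__":
    for srv in (AmplifyingServer(), NonceServer()):
        print(type(srv).__name__, amplification_factor(srv))
```

With these constructed sizes the naive server hands a forged source 128 bytes for every byte sent in its name, while the nonce-gated server hands it 0.6875 bytes. The second number is below 1 only because the server refuses to answer any request shorter than its challenge; without that rule the challenge itself is a small amplifier. QUIC applies the same idea at the transport layer: before a client's address is validated, RFC 9000 caps what the server may send at three times the bytes it has received from that address.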

Going forward, there is a lesson here for protocol designers: make sure the reply to a request cannot be turned into a DDoS attack.
