On Flooding Attacks and Their Mitigation

BCP38 talks about flooding attacks and some simple ways of mitigating them. First it explains how an attacker can target victims:

  1. by inundating a server with a flood of SYN requests
  2. by spoofing the address of a legitimate host, thereby causing that host to be blacklisted
  3. by inundating more than one host with SYN-ACK packets by spoofing IP addresses.

1 and 3 are somewhat related. The BCP (Best Current Practice) says that if routers apply a very simple rule at their end:

  • Allow traffic originating from the router's known prefixes (i.e. the source address (SA) of the traffic falls within a known prefix), and forward it as usual
  • Drop all the remaining traffic

then most source IP spoofing attacks can be mitigated. A DDoS attack of type 1 (mentioned above) can still happen, but since the source IP address can no longer be spoofed, or can be spoofed only to a limited extent (within the allowed range of prefixes), it becomes easier to track down the source of the attack. This "ingress traffic filtering" is best implemented at the edge routers of the Internet.
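The two-line rule above, worked through as an added example (this is not code from the post or from BCP38 itself): a small Python model of an edge router's ingress filter that forwards a packet only when its source address falls inside one of the prefixes known to originate behind that interface, and drops everything else. The prefixes and the packets are constructed sample values, not from the page; the example also shows the caveat the post makes, namely that a source spoofed to another address inside the allowed prefix still passes, but is then confined to a range this edge router can account for.

```python
import ipaddress

# Constructed example: prefixes a hypothetical edge router knows are legitimately
# originating on its customer-facing interface (RFC 5737 documentation ranges).
KNOWN_PREFIXES = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("198.51.100.0/25"),
]


def ingress_allowed(src, prefixes=KNOWN_PREFIXES):
    """BCP38 ingress rule: forward only if the packet's source address (SA)
    is inside one of the prefixes known to originate on this interface.
    Anything else, including an unparsable address, is dropped."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False
    return any(addr in prefix for prefix in prefixes)


def filter_packets(packets, prefixes=KNOWN_PREFIXES):
    """Split a batch of packets into (forwarded, dropped) by the ingress rule."""
    forwarded, dropped = [], []
    for pkt in packets:
        if ingress_allowed(pkt["src"], prefixes):
            forwarded.append(pkt)
        else:
            dropped.append(pkt)
    return forwarded, dropped


def spoofed_but_traceable(packets, prefixes=KNOWN_PREFIXES):
    """Sources that pass the filter are, by construction, confined to the
    router's own prefixes: if one of them is abusive, the operator knows which
    edge it came through. Returns the set of allowed sources as strings."""
    forwarded, _ = filter_packets(packets, prefixes)
    return sorted({pkt["src"] for pkt in forwarded})


# Constructed sample traffic seen on the customer-facing interface.
SAMPLE_PACKETS = [
    # A legitimate host sending a SYN to a remote server.
    {"src": "203.0.113.7", "dst": "192.0.2.10", "flags": "SYN"},
    # SA spoofed to an address outside this edge's prefixes (attack types 2 and 3).
    {"src": "192.0.2.99", "dst": "192.0.2.10", "flags": "SYN"},
    {"src": "10.0.0.1", "dst": "198.51.100.5", "flags": "SYN"},
    # SA spoofed to another address inside the allowed prefix: it passes,
    # but is confined to a range this edge router is responsible for.
    {"src": "203.0.113.250", "dst": "192.0.2.10", "flags": "SYN"},
    # Outside the /25 (198.51.100.128 is not in 198.51.100.0/25), so dropped.
    {"src": "198.51.100.200", "dst": "192.0.2.10", "flags": "SYN"},
    # Malformed source, dropped.
    {"src": "not-an-address", "dst": "192.0.2.10", "flags": "SYN"},
]


if __name__ == "__main__":
    fwd, drp = filter_packets(SAMPLE_PACKETS)
    print(f"forwarded {len(fwd)}, dropped {len(drp)}")
    for pkt in drp:
        print("dropped spoofed/invalid SA:", pkt["src"])
    print("allowed sources, all within known prefixes:", spoofed_but_traceable(SAMPLE_PACKETS))
```

In a real deployment the same rule is expressed as an interface ACL or as unicast reverse-path forwarding on the edge router; the point the model makes is that the check is purely on the source address against a short, static list, which is why it is cheap enough to run on every ingress packet.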
