
Re: resistance to swamping attacks.



Bill Sommerfeld wrote:
> Here's a more specific goal:
> If a system has a normal communications bandwidth of X, and receives
> an incoming storm from forged source addresses with a bandwidth of Y
> (less than X), it should be able to continue to use at least half of
> the remaining bandwidth (X-Y) constructively to communicate with
> arbitrary legitimate peers, including peers which had never before
> communicated with it.

One issue here is probably that if a real packet storm occurs, the links to
the attacked host become saturated, and no communication whatsoever can
occur. Or at least: the bandwidth for legitimate users sinks drastically
towards 0. No protocol can fix this if the routers do not help you.

Assuming that only the end system is saturated, and the link would be able
to carry more data, then perhaps two goals should be formulated:

a) An end system which is flooded by a storm of connection establishment
   requests should try to distinguish 'real' connection requests (well, you
   could build a list of 'preferred hosts', e.g. hosts you had a connection
   (or SA) with lately, and handle these with a preferred ratio). If this is
   not possible or practical, at least all requests should have the same
   chance to succeed. And no, this would not be a very nice perspective.
   (X-Y)/2 would not work here, as you do not a priori know who is
   legitimate, and who is not.
b) Existing connections (or SAs) should be given priority of use for CPU
   power and available bandwidth. They should not suffer at all from somebody
   trying to establish (or forge the establishment of) a new connection. [Is
   this wise?]

Another problem with the (X-Y)/2 approach might be that you do not *know*
whether any link upstream is fully saturated by the attacker, denying you all
your bandwidth. Focussing on available end-system bandwidth (CPU power, memory
consumption) might be a good thing here.

Comments anyone?

Germano
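Added example, not part of the original mail or of any implementation discussed in the thread: a toy per-tick CPU scheduler for an end system under a connection-request flood, written to illustrate goals (a) and (b) above. Everything in it is assumed for illustration: the CPU budget of 200 work units per tick, the 50% preferred ratio, the traffic mix (20 established peers, 3 recently seen hosts, 5 never-seen hosts, 10,000 forged requests per tick), and the names `RequestScheduler`, `TickResult` and `simulate`. Stage 1 serves existing connections before any establishment work (goal b); stage 2 reserves a ratio of what is left for hosts we had an SA with lately; stage 3 hands out the remainder either first-come-first-served or by uniform random sampling, which is what "the same chance to succeed" means once you cannot tell forged requests from legitimate ones. The simulation also shows why FIFO is not "the same chance": the attacker's higher rate puts its requests ahead in the queue, so a never-seen legitimate host never gets a slot, whereas with random sampling it has a small but nonzero chance every tick.

```python
"""Toy end-system scheduler under a forged-source connection flood (added
example; budgets, ratios and traffic mix are assumed, not measured)."""
import random
from dataclasses import dataclass


@dataclass
class TickResult:
    served_existing: int      # packets on established connections handled
    accepted_preferred: list  # requests admitted through the preferred quota
    accepted_unknown: list    # requests admitted from the general pool
    dropped: int              # requests not processed this tick

    def chance_for_unknown(self, pool_size):
        """Per-request admission probability for a non-preferred host that
        competed in a general pool of the given size (uniform sampling)."""
        return len(self.accepted_unknown) / pool_size if pool_size else 0.0


class RequestScheduler:
    def __init__(self, budget, preferred_ratio=0.5, fifo=False, seed=0):
        self.budget = budget                  # CPU work units per tick (assumed)
        self.preferred_ratio = preferred_ratio
        self.fifo = fifo                      # True: FIFO; False: random sampling
        self.established = set()              # hosts with a live connection/SA
        self.recent = set()                   # hosts we had an SA with lately
        self.rng = random.Random(seed)        # seeded so runs are reproducible

    def tick(self, existing_packets, new_requests):
        budget = self.budget

        # Stage 1 (goal b): established connections/SAs are served before any
        # establishment work, so a request flood cannot touch them.
        existing = [s for s in existing_packets if s in self.established]
        served_existing = min(len(existing), budget)
        budget -= served_existing

        # Stage 2 (goal a, preferred hosts): a fixed ratio of the remainder is
        # reserved for hosts we talked to lately. Unused quota falls through.
        preferred = [s for s in new_requests if s in self.recent]
        others = [s for s in new_requests if s not in self.recent]
        if not self.fifo:
            self.rng.shuffle(preferred)
        quota = int(budget * self.preferred_ratio)
        accepted_preferred = preferred[:quota]
        budget -= len(accepted_preferred)

        # Stage 3 (goal a, same chance): with FIFO the higher-rate sender wins;
        # with uniform sampling every request in the pool has the same chance.
        # Design choice (assumed): admission here does NOT feed self.recent or
        # self.established; only a completed handshake/SA should do that, which
        # a forged source never achieves, so it cannot poison the preferred list.
        k = min(budget, len(others))
        accepted_unknown = others[:k] if self.fifo else self.rng.sample(others, k)
        dropped = len(new_requests) - len(accepted_preferred) - len(accepted_unknown)
        return TickResult(served_existing, accepted_preferred, accepted_unknown, dropped)


N_PEERS, N_FRESH, FORGED_PER_TICK = 20, 5, 10_000


def simulate(ticks=50, budget=200, fifo=False):
    """Constructed traffic mix: 20 established peers sending 50 packets per
    tick, 3 recently seen and 5 never-seen legitimate hosts trying to connect,
    and 10,000 forged-source requests per tick that arrive ahead of everyone
    else (the attacker has the higher rate). Returns the per-tick results and
    the set of never-seen hosts that got a slot within the run."""
    sched = RequestScheduler(budget, fifo=fifo)
    sched.established = {f"peer{i}" for i in range(N_PEERS)}
    sched.recent = {"old-a", "old-b", "old-c"}
    fresh = {f"new{i}" for i in range(N_FRESH)}
    waiting = fresh | set(sched.recent)       # legitimate hosts still trying
    results = []
    for t in range(ticks):
        existing_packets = [f"peer{i % N_PEERS}" for i in range(50)]
        forged = [f"forged-{t}-{i}" for i in range(FORGED_PER_TICK)]
        requests = forged + sorted(waiting)   # legitimate requests queue behind the flood
        res = sched.tick(existing_packets, requests)
        waiting -= set(res.accepted_preferred) | set(res.accepted_unknown)
        results.append(res)
    return results, fresh - waiting


if __name__ == "__main__":
    for mode in (False, True):
        results, admitted = simulate(fifo=mode)
        first = results[0]
        print(f"fifo={mode}: existing served {first.served_existing}/50, "
              f"preferred admitted {len(first.accepted_preferred)}/3, "
              f"unknown slots {len(first.accepted_unknown)} of "
              f"{FORGED_PER_TICK + N_FRESH} requests "
              f"(chance {first.chance_for_unknown(FORGED_PER_TICK + N_FRESH):.4f}), "
              f"never-seen hosts admitted within 50 ticks: {sorted(admitted)}")
```

With the assumed numbers, after stage 1 there are 150 units left, 75 of them reserved for preferred hosts (only 3 are needed), and 147 slots are spread over 10,005 requests in the general pool: roughly a 1.5% chance per tick for a never-seen legitimate host under random sampling, and exactly zero under FIFO. The established peers are served in full in both modes. This is also why the (X-Y)/2 figure has no handle here: the scheduler never learns which of the 10,005 were forged, it only guarantees that being legitimate does not make a request worse off than the flood.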

