We’ve previously discussed the recent massive DDoS attacks that were directed at the Spamhaus spam monitoring service, and which used open DNS resolvers to amplify their available bandwidth. We issued a call for ISPs, hosting companies, and others in the industry to do all they can to reduce the number of open recursive DNS resolvers on the Internet, but there are additional steps that can be taken to severely restrict the potential means of attack available.
DNS amplification DDoS attacks work by prompting open DNS servers to send large responses to an address that isn’t the one that actually sent the request. To do this, packets are crafted so that the source IP is spoofed. Responses are sent to the spoofed target address, and so, with a script and a relatively small amount of bandwidth, attackers can direct overpowering floods of data at their target.
Cutting attackers off by removing the open DNS servers is the optimal solution, but preventing packets with spoofed source IPs from ever entering target networks will also help mitigate attacks.
Ingress filtering is a network filtering method in which gateways between the attacker and the target drop and log packets whose source IP is one the originating network isn’t supposed to be sending from. Attackers must then either use a valid IP from within the network, which makes attacks easier to filter and localize, or they will not be able to send packets at all.
There are already best practice guidelines for implementing ingress filtering. Over a decade ago, the Network Working Group of the Internet Engineering Task Force published BCP 38, which was formulated specifically to help prevent denial of service attacks. BCP 38 is also published as RFC 2827.
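To make the BCP 38 decision concrete, here is an added example (not code from the original post) of the check an edge gateway performs: a packet arriving on a customer-facing interface is forwarded only if its claimed source address falls within a prefix assigned to that interface, and anything else is dropped and logged. The interface names, the prefix assignments and the sample packets are constructed, using RFC 5737 documentation address ranges.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str    # source IP as written in the packet header (may be forged)
    dst: str    # destination IP
    iface: str  # ingress interface the packet arrived on


# Constructed assignment of source prefixes to customer-facing interfaces.
# A BCP 38 filter trusts only these as legitimate sources on each interface.
ALLOWED_SOURCES = {
    "cust-a": [ipaddress.ip_network("198.51.100.0/24")],
    "cust-b": [ipaddress.ip_network("203.0.113.0/25")],
}


def is_permitted(pkt, allowed=ALLOWED_SOURCES):
    """True if pkt.src lies within a prefix assigned to pkt.iface.
    An interface with no assignment permits nothing (deny by default)."""
    src = ipaddress.ip_address(pkt.src)
    return any(src in net for net in allowed.get(pkt.iface, []))


def ingress_filter(packets, allowed=ALLOWED_SOURCES):
    """Apply the BCP 38 rule to a packet stream.
    Returns (forwarded_packets, drop_log_lines)."""
    forwarded, log = [], []
    for pkt in packets:
        if is_permitted(pkt, allowed):
            forwarded.append(pkt)
        else:
            log.append(f"DROP iface={pkt.iface} src={pkt.src} dst={pkt.dst} "
                       f"reason=source-not-in-assigned-prefix")
    return forwarded, log


# Constructed sample traffic: one genuine DNS query from the customer's own
# range, and two queries whose source has been forged to a victim's address
# or to an address outside the customer's assigned prefix.
SAMPLE_TRAFFIC = [
    Packet("198.51.100.7", "203.0.113.53", "cust-a"),   # legitimate
    Packet("192.0.2.10", "203.0.113.53", "cust-a"),     # forged source
    Packet("203.0.113.200", "203.0.113.53", "cust-b"),  # outside /25
]

if __name__ == "__main__":
    fwd, dropped = ingress_filter(SAMPLE_TRAFFIC)
    print(f"forwarded {len(fwd)}, dropped {len(dropped)}")
    print("\n".join(dropped))
```

On the constructed traffic only the first packet is forwarded; the two forged packets never leave the originating network, so the open resolver never sees a request it could amplify toward the victim.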
Upstream bandwidth providers are perfectly placed to implement BCP 38. Even though BCP 38 is the current best practice for ingress filtering, implementation has been less widespread than is necessary for it to have a decisive effect on DDoS attacks. Times have changed considerably since the protocols and practices that the Internet was built on were first formulated. It’s no longer possible to rely on the goodwill of the Internet at large; instead, efforts should be made by Internet Service Providers and hosting companies to tighten their network access protections.
The media should be concentrating on the cool things we build on top of the Internet, rather than hyping up the potential for disaster that is being created by lax controls. The bad guys aren’t going to go away, so now is the time to limit the impact they can have.