The Distributed DoS Attack

• Victim network(s) become unresponsive, routers fail, normal diagnostic tools useless
  • Identification of all agents difficult
  • Most sites not prepared to analyze packets (e.g. w/tcpdump)
  • May look like hardware failure on the network backbone
  • Must coordinate with upstream providers immediately (upstream networks may/may not be saturated also)
  • Upstream providers in better position to gather forensic evidence (but may also be under pressure to restore service first)
• Attack may/may not be noticed on agent networks (e.g., single subnet saturated, but backbone "normal")
• Only takes several hundred systems (especially if Internet 2 sites) to knock a large network off the Internet
• Multiple attacking systems at multiple sites means a long time to neutralize network and fully stop attack (especially on weekends and involving non-English speaking countries)
• Blocking/filtering at peering points can maintain connectivity (E.g., Cisco CAR/CEF features)
• Third party effects felt elsewhere (e.g., TCP ACK and ICMP "port unreachable" to spoofed networks )

[Next] | [Prev] | [Top]