Egress Filters - Can They Solve The DDoS Problem?

dhammabum asks: "Considering that egress filtering is the fundamental way to prevent distributed denial of service attacks (DDoS), could ARIN, APNIC, RIPE, and national NICs band together and force registered IP address holders to apply egress filters against their networks? It seems to me this is the only way to truly stop this problem (and reduce other crack methods), and NICs have the authority to actually enforce it -- no filter, no routing of your packets. I can't, though, think of an easy way to test it. What do you think, is this a practical measure? Or do packets, along with information, 'want to be free'?"
  • Egress filtering just doesn't work against DDoS attacks. As such, they are a bad idea.

    Here is a problem. I have a connection to the rest of the internet. It is only so wide. Almost everyone I know could use greater bandwidth. What do egress filters do? They limit the bandwidth to even less than we currently have. So, if I have a T1 to the internet, with egress filters I can now only use half of that bandwidth. This really annoys users. Cutting down their bandwidth for arbitrary reasons doesn't help much.

    But, if they are effective, it might be worth it. But they are not. Egress filters work by filtering the data coming from a source down from the full bandwidth available to some lesser amount of bandwidth. So, if I have a T1, I can now only use half of it to flood a victim. But chances are I am sharing this T1 with other people and I won't be able to use the full thing anyhow. But the DDoS doesn't care about this. It takes a little bandwidth from you, a little bandwidth from your neighbor, and after enough people are added together, you have a rather large stream of data flooding the victim.

    DDoS attacks do not work if all the "zombies" are on the same network. Then they are limited by the one connection that network has to the victim (usually in a totally different area of the internet). So the DDoS comes from many, many different places on the internet, from different backbone carriers and different ISPs. This is the only way for a DDoS to be effective.

    So limiting one person's bandwidth does not hurt the DDoS, but it does hurt the person whose bandwidth that they paid for you are taking away. Most DDoS attacks use so much bandwidth that cutting it down by a factor of 2 will not stop anything. They usually have orders of magnitude more data than they need because much of it is already filtered by the bandwidth limitations of the "zombies".

    The reason DDoS attacks are difficult to prevent is because they were specifically designed into the system. Yahoo was DDoS'ed. How can Yahoo tell the difference between a DDoS attack and, all of a sudden, millions of users flocking to use Yahoo? When it is users, it is called the Slashdot Effect. When it is zombies, it is called a DDoS. It is the same thing, and anything that prevents one will prevent the other.

    Rick Wash

    P.S. I have done some work with DDoS clients. See http://biocserver.cwru.edu/~jose/shaft_analysis/node-analysis.txt

  • It's not like egress filtering "narrows" available bandwidth. It simply prohibits harmful transmissions from escaping a given network. The real problem is that unless everyone applies egress filtering, it really doesn't work. Similar arguments were made when spam started being a problem too, so who knows, maybe it will work.
  • by dougmc ( 70836 ) <dougmc+slashdot@frenzied.us> on Wednesday December 06, 2000 @02:01PM (#576680) Homepage
    Egress filtering doesn't limit bandwidth. It makes sure that packets leaving your `network' have the appropriate source IP address. If they don't, they don't pass the filters. This should have *no* effect on any legitimate traffic (unless somebody has a misconfigured dual-home setup.)

    And to answer the question, YES, they could solve a large part of the DDoS problems that the Internet has been seeing for years. People have been saying this for years -- and they're right!

    It won't solve *all* of the DDoS attacks, but the ones that it doesn't stop outright will suddenly become much easier to track down. Alas, this will only be true if *everybody* egress filters, and this won't happen overnight ...

    There are a few reasons why it's not as popular as it should be -

    1) people don't care. Egress filtering doesn't protect you from attack, it just helps keep your network from being used to attack others. It's a subtle difference, but important. We ran into the same problem when we tried to get people to fix their networks so they couldn't be used as smurf amplifiers.

    2) when a network IS used to spoof packets, the packets are spoofed -- it's very difficult to find out where they came from in the first place, so you can't just email the originating network and tell them to do egress filtering. When you're under attack, you have no way of knowing whose network needs egress filtering.

    3) it does use up router CPU. This sort of filtering, while cheap, is not free.

    With some luck, the large backbones will be able to start doing egress filtering (or, for them it may be ingress filtering, depending on how it's configured) and do it, even if their customers won't. Time will tell.
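The check dougmc describes, as an added example that is not code from the original discussion: an egress filter that passes a packet only if its source address belongs to one of the prefixes the site legitimately originates from. The prefixes and the packet sample are constructed for illustration; the filter drops nothing by volume, only by forged source.

```python
import ipaddress
from collections import Counter

# Constructed example: the address blocks this site is allowed to originate
# traffic from (hypothetical assignments, documentation ranges).
OUR_PREFIXES = [ipaddress.ip_network("203.0.113.0/24"),
                ipaddress.ip_network("198.51.100.0/25")]

def egress_allowed(src_ip, prefixes=OUR_PREFIXES):
    """True if a packet carrying this source address may leave the network."""
    addr = ipaddress.ip_address(src_ip)
    return any(addr in net for net in prefixes)

def filter_outbound(packets, prefixes=OUR_PREFIXES):
    """Apply the egress filter to (src, dst) pairs.

    Returns (passed, dropped) where dropped counts each forged source seen;
    that counter is what a site would log and alert on, since a burst of
    forged sources usually means a compromised host inside the network.
    """
    passed = []
    dropped = Counter()
    for src, dst in packets:
        if egress_allowed(src, prefixes):
            passed.append((src, dst))
        else:
            dropped[src] += 1
    return passed, dropped

# Constructed outbound sample: legitimate hosts plus one host forging
# sources (the "zombie" case the thread discusses). 192.0.2.80 is the victim.
SAMPLE_PACKETS = [
    ("203.0.113.10", "192.0.2.80"),
    ("198.51.100.5", "192.0.2.80"),
    ("10.99.1.1", "192.0.2.80"),      # forged: RFC 1918 address
    ("203.0.114.9", "192.0.2.80"),    # forged: adjacent block, not ours
    ("203.0.113.77", "192.0.2.80"),
    ("203.0.114.9", "192.0.2.80"),
]

if __name__ == "__main__":
    ok, bad = filter_outbound(SAMPLE_PACKETS)
    print(f"passed {len(ok)} packets, dropped {sum(bad.values())}")
    for src, n in bad.items():
        print(f"  forged source {src}: {n} packets")
```

A dual-homed site that legitimately sources packets from another provider's block must add that block to the list; that is the misconfiguration case the comment flags.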

  • Sure, filtering could solve the problem. So could changing attitudes so that nobody does DDoS attacks. As could... As could changing IP so that the MACs of all received-from hosts are appended to the headers. As could...

    There are many solutions. Odds are, however, that nobody will implement any. The problem is people who want to attack others. (For whatever reason, generally silly ones that don't stand up to logic, though.)

  • Egress filtering should be done, both to block outgoing attacks and to protect others from mistakes within your network. ISPs have more difficulty doing it, but every private/corporate net should be doing it.

    However, there also has been a proposal to deal with tracing a DOS. I can't find the reference at the moment, but it involves having routers randomly place routing tags in unused header fields -- partial info is inserted, but with a DOS attack there are so many repetitions that the routing data can be rebuilt at the destination.
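The tagging idea in the comment above, as an added simulation that is not from the original post and is not the actual proposal the commenter half-remembers: each router along a constructed path overwrites a single "tag" field with its own id with some probability, and the victim, seeing many repetitions, rebuilds the path from how often each id shows up. Router ids, the path and the marking probability are all constructed assumptions.

```python
import random
from collections import Counter

# Constructed path from an attacking host to the victim, nearest-to-attacker
# first. The ids stand in for whatever a router would squeeze into an unused
# header field.
PATH = ["R1", "R2", "R3", "R4", "R5"]

def forward(path, mark_prob, rng):
    """Carry one packet along the path. Each router overwrites the tag with
    its own id with probability mark_prob, so only the last router to mark
    survives. Returns the tag the victim sees, or None if nobody marked."""
    tag = None
    for router in path:
        if rng.random() < mark_prob:
            tag = router
    return tag

def collect_marks(path, n_packets, mark_prob=0.2, seed=1):
    """What the victim accumulates over a flood: a count per router id."""
    rng = random.Random(seed)
    counts = Counter()
    for _ in range(n_packets):
        tag = forward(path, mark_prob, rng)
        if tag is not None:
            counts[tag] += 1
    return counts

def reconstruct_path(counts):
    """The router closest to the victim is the last one able to overwrite the
    tag, so it appears most often; the farthest appears least. Sorting by
    frequency therefore recovers the path, attacker side first."""
    nearest_first = [router for router, _ in counts.most_common()]
    return list(reversed(nearest_first))

if __name__ == "__main__":
    marks = collect_marks(PATH, 20000)
    print("tags seen:", dict(marks))
    print("reconstructed path:", reconstruct_path(marks))
```

A handful of packets gives the victim only a few tags, which is why the scheme relies on the sheer repetition of a flood rather than working on a single spoofed packet.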

  • True, there are many ideas that could work to stop DoS and DDoS attacks and such, and they may not be implemented by everyone. But the key to this story may not be the TYPE of filtering, but WHO would REQUEST it.

    Even if we did some sort of slashdot effect with e-mail, by e-mailing many ISPs, they don't have to do it, and may not even listen to us. They would have to listen to the routing authorities. It would be quite pointless to have an internet connection that you can't use.

    The packets should be free, to a certain extent. Anything that can stop something that would be obviously illegal would be fine. Something like sniffing for text information would NOT. Even though it could MAYBE prevent terrorism, it'd just fall under the government needing encryption keys. If you DO think packets should be free and not filtered, it'd be like saying it's ok to yell "fire" in a crowd because of free speech. "Free speech" doesn't constitute "clear and present danger", nor does the "freedom to transmit information" constitute "IP spoofing".
  • there also has been a proposal to deal with tracing a DOS.

    I remember that too. I think it was probably this article. Also, ingress filtering was discussed (on the main page) not long ago.

    The main problem with the "added tags" proposal is the same problem with egress filters -- it only works if the majority of ISPs are willing to spend money and time updating their routers. Given that egress filtering would flat out stop spoofed DDoS attacks, while tagging would only identify them, the proposal did not generate much interest.
