
How to stop a service denial attack before it stops you

Who can you trust? One man is making a list

There’s only one sure way of stopping the spread of distributed denial-of-service attacks: Take away hackers’ ability to spoof IP addresses.

It then becomes possible to trace and shut down the offenders—and to prosecute them.

“The processing power of the Internet is distributed, and so is the responsibility,” said security expert Steve Gibson of Gibson Research Corp. of Laguna Hills, Calif. “Everyone needs to take some.”

Stop outgoing packets

He supports widespread configuration of routers for so-called egress filtering. If a packet leaving a network doesn’t have a proper originating IP address within that network, then the router drops it before it can reach the Internet.

Often egress filtering requires adding only one line of code to a router configuration.

“If the major Internet service providers took responsibility for traffic egress from their networks, then no one could spoof an IP address from within those networks,” Gibson said. “Even if a zombie [program] got into one of their customers’ machines, it would be limited to the range of addresses in a specific section of a network.”
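The egress check described above can be modeled in a few lines. This is an added example, not code from the article or from Gibson Research; the site prefixes and packets are constructed sample values drawn from the reserved documentation address ranges. It also shows the limit Gibson mentions: a forged source that still falls inside the site's own range passes the filter, but it remains traceable to that network.

```python
import ipaddress

class EgressFilter:
    """Permit an outbound packet only if its source lies in the site's own prefixes."""

    def __init__(self, local_prefixes):
        self.prefixes = [ipaddress.ip_network(p) for p in local_prefixes]

    def permits(self, src):
        try:
            addr = ipaddress.ip_address(src)
        except ValueError:
            return False  # malformed source address: drop rather than forward
        return any(addr.version == net.version and addr in net
                   for net in self.prefixes)

def apply_egress(filt, packets):
    """Split packets into (forwarded, dropped), as a border router would."""
    forwarded, dropped = [], []
    for pkt in packets:
        (forwarded if filt.permits(pkt["src"]) else dropped).append(pkt)
    return forwarded, dropped

# Constructed sample data (assumption): the site owns these two prefixes.
SITE_PREFIXES = ["192.0.2.0/24", "2001:db8:10::/48"]

SAMPLE_PACKETS = [
    {"id": 1, "src": "192.0.2.15",       "dst": "203.0.113.80"},     # real local host
    {"id": 2, "src": "198.51.100.7",     "dst": "203.0.113.80"},     # forged, outside the site
    {"id": 3, "src": "192.0.2.200",      "dst": "203.0.113.80"},     # forged, but inside the site range
    {"id": 4, "src": "2001:db8:10::5",   "dst": "2001:db8:20::80"},  # real local IPv6 host
    {"id": 5, "src": "2001:db8:ffff::1", "dst": "2001:db8:20::80"},  # forged IPv6, outside the site
    {"id": 6, "src": "not-an-address",   "dst": "203.0.113.80"},     # malformed source
]

def run_sample():
    filt = EgressFilter(SITE_PREFIXES)
    forwarded, dropped = apply_egress(filt, SAMPLE_PACKETS)
    return [p["id"] for p in forwarded], [p["id"] for p in dropped]

if __name__ == "__main__":
    fwd, drp = run_sample()
    print("forwarded:", fwd)
    print("dropped:  ", drp)
```
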

Of course, it’s tough to get the entire Internet to cooperate. But Gibson has set up the Spooferino project to push things in that direction.

Spooferino is a downloadable software tool that sends a spoofed packet from the user back to Gibson’s site, at www.grc.com.

From the data returned by Spooferino, Gibson is building a directory of providers that are not blocking spoofed traffic.

Shunning some ISPs

“It will start a discussion about who does and who doesn’t filter,” Gibson said. “ISPs that do not allow spoofed traffic out on the Internet are taking responsibility. Now look at my list of the ones that are not being good neighbors. Why not? It’s certainly easy enough to do the filtering.”

He said he hopes for an eventual confrontation. Some parts of the Internet will threaten to close themselves off from the parts that are not trustworthy. That could mean big trouble for heedless providers.

Gibson believes they will fall into line to avoid being boycotted by the rest of the Net.

Big backbone providers could amend their contracts to say they won’t renew bandwidth agreements unless the providers take responsibility for the dirt they’re now allowing on the Net.

Government agencies can participate in this cleansing effort by requiring egress filtering on their routers.

—Shawn P. McCarthy


