Step by step
Last week we discussed a few methods of protecting web services
from DoS attacks and the security measures a host can take during
a DoS attack. I also mentioned that host networks and ISPs are
better placed to shield their clients from DoS, with both long-term
and short-term services. At present the costs discourage ISPs from
offering such services to their clients. Those costs include processing
overheads, bandwidth overheads, technical resources and a larger IP
address space.
Since it is not likely that the administrator will be able to stop
a DDoS flood quickly, there are a few steps the host network or ISP
can take which might mitigate the attack temporarily. If the target
is a single machine, a simple IP address change by the host network
can end the flood. The new address can be updated on the host network's
internal DNS servers and given to a few crucial external users. This
is especially useful for key servers (e.g. email or database servers)
under attack on one's network.
Host networks could also analyse data flow in the network to detect
ongoing DoS attacks, or predict them early enough to avoid them
altogether. However, this is a complex task that imposes substantial
processing and bandwidth overheads on the network. It is further
complicated by bursty traffic, and as a result most ISPs and host
networks do not offer this service. Host networks can also facilitate
a change of address for the victim during an attack, update the new
address on internal DNS, and make it available to critical users.
Long-term responses
Typically, long-term responses involve tracing attack packets back
to their multiple sources and blocking the attack, collecting forensic
evidence, identifying the suspected perpetrators and taking legal
action where applicable. The first step is the investigative process.
It must first be determined which core router is passing the attack
packets to the border router. Then the owners of the core router
(most likely a telecom company or an internet service provider) can
be contacted and informed about the problem. They, in turn, need to
determine where the malicious traffic enters their network and contact
that source. In this way the attack can be defused at its source(s).
Techniques for tracing back spoofed IP packets include ICMP traceback,
a technique based on the Internet Control Message Protocol (ICMP).
It usually takes a long time to resolve multiple sources of spoofed
IP packets, is effective only under a heavy stream of continuous
attack traffic from a source, and generates a significant amount of
overhead traffic in the network.
Marking it
Packet marking is an alternative technique in which edge routers
mark the source address of a packet into the largely redundant 16-bit
identification field of the IP header. Because that field is only
16 bits long, packet marking needs at least two packets to carry a
32-bit IP address. In deterministic packet marking methods every
packet passing through a router is marked with a fraction of its
source address; in probabilistic packet marking methods packets are
marked at random. Each technique has various enhancements and
variations. In a DoS attack the victim's end needs at least two attack
packets from the same source in order to determine their origin (in
most cases it could take at least five). A packet may contain either
the first or the second half of the source address, so at least two
packets are needed to reconstruct it. Present packet marking techniques
are not compatible with IPv6, because the IPv6 header has no comparably
redundant field.
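As an added example (not from the column), the following Python simulates the deterministic variant described above: an edge router splits its 32-bit ingress address into two 16-bit halves, writes one of them into the identification field, and the victim reconstructs the address only once both halves have arrived. Using the IP header's reserved flag bit to signal which half was written is an assumption made here (the column does not say how the halves are distinguished), and all addresses are constructed sample values.

```python
import ipaddress
import random
import struct

def build_ipv4_header(src, dst, ident=0):
    """Constructed sample: minimal 20-byte IPv4 header (no options, checksum 0)."""
    return struct.pack("!BBHHHBBH4s4s", (4 << 4) | 5, 0, 20, ident, 0, 64, 6, 0,
                       ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed)

def mark_packet(header, ingress_addr, half=None, rng=random):
    """Edge-router side: overwrite the 16-bit identification field with one half of
    the ingress address. The reserved flag bit (top bit of the flags/fragment word)
    records which half: 0 = high, 1 = low. Using that bit is an assumption. Choosing
    the half at random is why a victim can need more than two packets."""
    if half is None:
        half = rng.randrange(2)
    addr = int(ipaddress.IPv4Address(ingress_addr))
    fragment = (addr >> (16 * (1 - half))) & 0xFFFF
    (flags_frag,) = struct.unpack("!H", header[6:8])
    flags_frag = (flags_frag & 0x7FFF) | (half << 15)
    return header[:4] + struct.pack("!HH", fragment, flags_frag) + header[8:]

def extract_mark(header):
    """Return (which_half, 16-bit fragment) from a marked header."""
    ident, flags_frag = struct.unpack("!HH", header[4:8])
    return flags_frag >> 15, ident

def reconstruct_source(headers):
    """Victim side: combine the halves seen so far; None until both are present.
    The (possibly spoofed) source field at bytes 12-16 is ignored entirely."""
    halves = {}
    for h in headers:
        which, fragment = extract_mark(h)
        halves[which] = fragment
    if 0 in halves and 1 in halves:
        return str(ipaddress.IPv4Address((halves[0] << 16) | halves[1]))
    return None

def packets_needed(ingress_addr, seed=0, spoofed_src="10.0.0.7", victim="192.0.2.10"):
    """Count marked packets (with a spoofed source) until the victim can rebuild the
    real ingress address; always at least two, often more with random halves."""
    rng = random.Random(seed)
    seen = []
    while True:
        seen.append(mark_packet(build_ipv4_header(spoofed_src, victim), ingress_addr, rng=rng))
        if reconstruct_source(seen) is not None:
            return len(seen)
```

Running packets_needed over several seeds shows the count varying from two upwards, which is the behaviour the column attributes to marking schemes that need "at least two, often five" packets per source.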
We will carry this discussion further into the different packet
marking techniques and recent developments in this area. You are
welcome to join the discussion by writing to technopage@gmail.com