Re: [77attendees] Bar BoF: ip traceback

Chris Morrow <morrowc@google.com> Thu, 25 March 2010 18:35 UTC

Return-Path: <morrowc@google.com>
X-Original-To: 77attendees@core3.amsl.com
Delivered-To: 77attendees@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 7729D3A6D95 for <77attendees@core3.amsl.com>; Thu, 25 Mar 2010 11:35:26 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -99.547
X-Spam-Level:
X-Spam-Status: No, score=-99.547 tagged_above=-999 required=5 tests=[AWL=-1.300, BAYES_50=0.001, DNS_FROM_OPENWHOIS=1.13, FM_FORGED_GMAIL=0.622, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Mnr6joETftXo for <77attendees@core3.amsl.com>; Thu, 25 Mar 2010 11:35:24 -0700 (PDT)
Received: from smtp-out.google.com (smtp-out.google.com [74.125.121.35]) by core3.amsl.com (Postfix) with ESMTP id ACC6A3A6D6E for <77attendees@ietf.org>; Thu, 25 Mar 2010 11:33:03 -0700 (PDT)
Received: from wpaz9.hot.corp.google.com (wpaz9.hot.corp.google.com [172.24.198.73]) by smtp-out.google.com with ESMTP id o2PIXJKI018720 for <77attendees@ietf.org>; Thu, 25 Mar 2010 19:33:20 +0100
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; d=google.com; s=beta; t=1269542000; bh=vJPoPDjxdFaYg+skoa55CA3LuNk=; h=MIME-Version:In-Reply-To:References:Date:Message-ID:Subject:From: To:Cc:Content-Type:Content-Transfer-Encoding; b=jqo28GwYrlc8Fd5OUog+sLigzeXTNECNZ8KSOirnf9+goq7oPEl8Nby4tMhNIkRSb ebwBMJOcrIyUAjKSkIBxA==
DomainKey-Signature: a=rsa-sha1; s=beta; d=google.com; c=nofws; q=dns; h=mime-version:in-reply-to:references:date:message-id:subject:from:to: cc:content-type:content-transfer-encoding:x-system-of-record; b=FEnNWfqYO2NxMnLH1vfRAX1PeTFhkQNCrP68k6/vPE70jnQUhKT0BpLH6kFIqW3EZ lkLtyTsWHS0Y9yxHfSuWw==
Received: from qw-out-1920.google.com (qwf5.prod.google.com [10.241.194.69]) by wpaz9.hot.corp.google.com with ESMTP id o2PIXIU1012447 for <77attendees@ietf.org>; Thu, 25 Mar 2010 11:33:18 -0700
Received: by qw-out-1920.google.com with SMTP id 5so820603qwf.18 for <77attendees@ietf.org>; Thu, 25 Mar 2010 11:33:18 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.229.221.78 with SMTP id ib14mr70367qcb.28.1269541998233; Thu, 25 Mar 2010 11:33:18 -0700 (PDT)
In-Reply-To: <BDC8FFC0-FD16-47FF-AEBE-68A97FB8694F@checkpoint.com>
References: <4BA8BCE3.5020309@is.naist.jp> <4BA95B6A.5040707@is.naist.jp> <4BAB0464.2010307@is.naist.jp> <4BAB7A4D.7070904@piuha.net> <8133D17D-D9B6-40A6-AE9B-80BF90A5223D@checkpoint.com> <4BAB936E.6010307@piuha.net> <C3960BE0-9093-4863-8AAE-62BEAB197E6D@checkpoint.com> <c7cec2131003251049q7c5da6d1i9d0bd94cf9a8ec9@mail.gmail.com> <BDC8FFC0-FD16-47FF-AEBE-68A97FB8694F@checkpoint.com>
Date: Thu, 25 Mar 2010 11:33:18 -0700
Message-ID: <c7cec2131003251133k39ca6b80r17524083ef10455@mail.gmail.com>
From: Chris Morrow <morrowc@google.com>
To: Yoav Nir <ynir@checkpoint.com>
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: quoted-printable
X-System-Of-Record: true
Cc: "77attendees@ietf.org" <77attendees@ietf.org>
Subject: Re: [77attendees] Bar BoF: ip traceback
X-BeenThere: 77attendees@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: <77attendees.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/77attendees>, <mailto:77attendees-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/77attendees>
List-Post: <mailto:77attendees@ietf.org>
List-Help: <mailto:77attendees-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/77attendees>, <mailto:77attendees-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 25 Mar 2010 18:35:26 -0000

On Thu, Mar 25, 2010 at 11:15 AM, Yoav Nir <ynir@checkpoint.com> wrote:
> On Mar 25, 2010, at 10:49 AM, Chris Morrow wrote:
>
>> On Thu, Mar 25, 2010 at 10:40 AM, Yoav Nir <ynir@checkpoint.com> wrote:
>>>
>>> On Mar 25, 2010, at 9:46 AM, Jari Arkko wrote:
>>>>> My own, personal conclusion was that this was interesting and has potential. There *is* work to be done (two different versions that they wrote did not interoperate properly) and since success requires wide adoption by ISPs, I believe that the IETF is probably the right place for this.  But these are just my personal opinions, and I have no idea if we can get enough people to actually work on this.
>>>>>
>>>>> I suggest that the correct next step is for the authors to contact one or more ADs. Though this seems directly related to security, the fact that this would be a protocol that would run between AS edge routers, it could fall to other areas as well. So I think the next step should be scheduling a BoF for next IETF, and making sure that the right people are there.
>>>>>
>>>>
>>>> The question in my mind is: is the world interested in this technology. Previous IETF efforts in traceback failed IMO due to lack of operator/vendor interest. We should not create new efforts unless that interest surges again. Is it surging, and if so, why?
>>>>
>>>> Jari
>>>
>>> We've heard that attack packets now take up a significant portion of the traffic on the
>>> Internet. Specifically members of bot-nets create congestion for ISPs. There is a chance
>>
>> where is this statistic? as near as I know/recall it's nowhere near
>> 'significant portion' in general. Certainly there are times when
>> individual links see this as the case (mostly edge/customer links).
>
> I've heard it in some talks. There's also this, but it's not based on statistics:
> http://sparrow.ece.cmu.edu/group/pub/studer_esorics09.pdf

"Abstract. Current Denial-of-Service (DoS) attacks are directed towards
a specific victim. The research community has devised several counter-
measures that protect victim hosts against undesired traffic.
We present Coremelt, a new attack mechanism, where attackers only
send traffic between each other, and not towards a victim host. As a
result, none of the attack traffic is unwanted. The Coremelt attack is
powerful because among N attackers there are O(N^2) connections, which
can cause significant congestion in the network core. We demonstrate the
attack based on simulations within a real Internet topology using realistic
attacker distributions and show that attackers can induce a significant
amount of congestion."

this describes a potential attack scenario which in almost all cases
won't actually harm the network; most edge links are smaller than the
core-facing ones on a reasonably built ISP network. Certainly a single
endpoint can be overwhelmed, but I don't think this has been shown to
be a problem in practice (this attack I mean).

> Of course it makes sense that a DDoS attack against a particular network will cause
> congestion at the ISP serving that network, so the ISP may be interested in cooperating
> with other ISPs to detect the bots who may participate in such an attack.

as a person who did this for quite some time, and does it today at a
non-isp company... there are plenty of methods available to do this
today, already integrated into the infrastructure that providers use.

>>
>>> that now they would be more interested in deploying traceback technology than in the past,
>>> when Internet attacks were a problem only for the end users.
>>
>> probably not, no... the traceback options from the past nearly all had
>> significant penalties on the routing equipment in the network, that
>> was a showstopper then, and will be today.
>>
>>> We have at least anecdotal evidence of such interest, in that 15 Japanese ISPs have agreed to participate in this experiment on their production networks. This must count for something.
>>>
>>>
>>> Anyway, a BoF with the relevant people present is, IMO, the best way to gauge the interest.
>>>
>>> So the next steps are to set up a BoF for IETF 78, and to set up a mailing list, where
>>> hopefully we can hear from the operators.
>>
>> hopefully announce it early :) I'd love to attend.
>
> Me too.

sweet!
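The Coremelt pattern quoted above (every bot sends to every other bot, O(N^2) flows, congestion lands on core links) and the reply's point about edge uplinks being smaller than core-facing links can be put into a small traffic model. The following is an added example written for this archive page; it is not code from the Coremelt paper, the IETF list, or any of the participants. It assumes a made-up topology (N bots split across two sites joined by one core link), a made-up edge uplink per bot, and that a bot shares its uplink evenly across its open flows; the victim-flood case is included only to contrast with the all-to-all pattern.

```python
"""Toy model of the Coremelt traffic pattern quoted in the thread.

Added example, not code from the paper or from anyone on the list.
Assumed model: N bots split across sites "A" and "B" that share one
core link. In the Coremelt pattern every bot opens a flow to every
other bot (O(N^2) flows). Each flow tries to push `per_flow` Mb/s, but
a bot's edge uplink caps what it can emit, and the uplink is assumed
to be shared evenly across the bot's flows. All numbers are made up.
"""
from dataclasses import dataclass
from itertools import permutations


@dataclass(frozen=True)
class Topology:
    sites: dict            # host name -> site name ("A" or "B")
    edge_uplink: float     # Mb/s each bot can emit into its ISP
    core_capacity: float   # Mb/s of the single link joining A and B


def coremelt_flows(bots):
    """All ordered (src, dst) pairs: the all-to-all attack pattern."""
    return list(permutations(bots, 2))


def victim_flood_flows(bots, victim):
    """Conventional DDoS for comparison: every bot targets one host."""
    return [(b, victim) for b in bots]


def emitted_per_flow(n_flows_from_bot, per_flow, edge_uplink):
    """Rate one flow gets after the bot's uplink is shared fairly."""
    demand = n_flows_from_bot * per_flow
    if demand <= edge_uplink:
        return per_flow
    return edge_uplink / n_flows_from_bot


def core_link_load(topo, flows, per_flow):
    """Mb/s crossing the core link per direction, after uplink capping."""
    out_flows = {}
    for src, _ in flows:
        out_flows[src] = out_flows.get(src, 0) + 1
    load = {"A->B": 0.0, "B->A": 0.0}
    for src, dst in flows:
        s, d = topo.sites[src], topo.sites[dst]
        if s == d:
            continue  # intra-site traffic never touches the core link
        rate = emitted_per_flow(out_flows[src], per_flow, topo.edge_uplink)
        load[f"{s}->{d}"] += rate
    return load


def build(n_per_site, edge_uplink, core_capacity):
    """Hypothetical topology: n bots at A, n bots at B, a victim at B."""
    bots = [f"bot{i}" for i in range(2 * n_per_site)]
    sites = {b: ("A" if i < n_per_site else "B") for i, b in enumerate(bots)}
    sites["victim"] = "B"
    return bots, Topology(sites, edge_uplink, core_capacity)


def summarize(n_per_site, per_flow, edge_uplink, core_capacity):
    """Compare Coremelt and a plain victim flood on the same botnet."""
    bots, topo = build(n_per_site, edge_uplink, core_capacity)
    melt = coremelt_flows(bots)
    flood = victim_flood_flows(bots, "victim")
    melt_load = max(core_link_load(topo, melt, per_flow).values())
    flood_load = core_link_load(topo, flood, per_flow)["A->B"]
    return {
        "coremelt_flows": len(melt),
        "coremelt_core_load": melt_load,
        "coremelt_utilization": melt_load / core_capacity,
        "flood_core_load": flood_load,
        # Upper bound on core load from one side: every bot's full uplink.
        "edge_uplink_bound": n_per_site * edge_uplink,
    }


if __name__ == "__main__":
    # 100 bots, 1 Mb/s per flow, 10 Mb/s uplinks, 1 Gb/s core link.
    for k, v in summarize(50, 1.0, 10.0, 1000.0).items():
        print(f"{k:22s} {v}")
```

With the made-up numbers in the `__main__` block, 9,900 flows are opened but each bot's 10 Mb/s uplink caps the core-link load at roughly 250 Mb/s, below the sum of the uplinks on one side (500 Mb/s) and well below the 1 Gb/s core link; the flood toward one victim crosses the core at the same order of magnitude but concentrates on the victim's access link instead.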