Originally published in Queue vol. 12, no. 2





Comments (newest first)

cianci | Thu, 17 Apr 2014 09:39:53 UTC

Read Network Time Foundation's response to the DRDoS attacks and learn how to stop these attacks in their tracks here: http://compravendita.ch

J Bohm | Sat, 12 Apr 2014 21:24:02 UTC

Two things that could be done:

1. Have upstreams and IX-es start penalizing networks that let out packets that should have been stopped by SAV/egress. In other words, for every packet caught by address ingress filters at the upstream, charge the downstream an unpleasantly large fee, such as $1/packet. This will provide a financial incentive for the practice to spread downward to the lower tier ISPs and to other tier 1 entities, as each entity gets the economic choice: implement filtering and/or charge $1+profit from the next level. $1 may not seem much, until you multiply by the bandwidth of such wholesale connections (typically around a million packets/second or more); then the cost of non-compliance becomes glaringly obvious.

2. Someone like ISC should publish a reference library similar to the DNS RRL code, but disembodied from any specific protocol. Protocol implementers would simply call it with a purported source address of a packet soliciting a stateless reply, and the library would return block/don't block based on the library's internal statistical and timing logic. The library-using protocol implementation will decide which packet contents and protocol state imply an unconfirmed return address, while the library will simply look for unusually frequent addresses.

3. Finally, ISP level routers could start offering ICMP amplification filters: if a source address sends repeated error ICMP messages concerning specific traffic, rate limit such traffic to that source address. If the error message rate approaches the rate of actual packets going downstream, also start synthesizing identical ICMP packets for the discarded packets in order to trigger the next routers upwards. But if the ICMP error messages exceed the volume or other statistical property of the packets (such as counts of various hashes of the initial bytes) being complained against, reverse the filtering and treat the errors as an ongoing DDOS abuse of the ICMP amplifier itself. The benefit to ISPs is not transporting as many DDOS packets, leaving the bandwidth for legitimate paid traffic. Note that this logic would be semi-dumb, in that it does not need to understand the traffic, just the established ICMP error messages. The smart edge decides what traffic it wants rejected by simply doing so, and the smart edge operators can adjust the rejection based on actual traffic desires.
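
The protocol-agnostic rate-limiting library sketched in point 2 above, as an added illustration that is not the commenter's code nor anything published by ISC. The calling protocol implementation decides which packets solicit an unconfirmed stateless reply and hands over only a purported source address and a timestamp; the limiter keeps a token bucket per source prefix (aggregated like DNS RRL so neighbouring spoofed addresses share one bucket) and answers allow or block. The traffic in `FLOOD` and `LEGIT` is constructed for the demonstration.

```python
"""Protocol-agnostic response rate limiter in the spirit of DNS RRL.

Added example, not code from the commenter or from ISC. The protocol
implementation decides which packets solicit a stateless, unconfirmed
reply and passes only (source address, time in ms); the limiter keeps
a token bucket per source prefix and returns True (send) or False
(block). Integer millitoken arithmetic keeps every decision exact.
"""
import ipaddress
from collections import defaultdict

COST = 1000  # millitokens charged per reply sent


class ResponseRateLimiter:
    def __init__(self, responses_per_second=5, burst=10, v4_prefix=24, v6_prefix=56):
        self.rate = responses_per_second        # millitokens refilled per millisecond
        self.cap = burst * COST                 # bucket capacity in millitokens
        self.v4_prefix, self.v6_prefix = v4_prefix, v6_prefix
        self.buckets = {}                       # prefix -> (millitokens, last_ms)

    def key(self, src):
        """Aggregate per prefix, as RRL does, so cycling through neighbouring
        spoofed addresses does not dodge the limit."""
        addr = ipaddress.ip_address(src)
        plen = self.v4_prefix if addr.version == 4 else self.v6_prefix
        return str(ipaddress.ip_network((str(addr), plen), strict=False))

    def check(self, src, now_ms):
        """Return True if a reply to src may be sent at now_ms, else False."""
        k = self.key(src)
        tokens, last = self.buckets.get(k, (self.cap, now_ms))
        tokens = min(self.cap, tokens + (now_ms - last) * self.rate)
        allowed = tokens >= COST
        self.buckets[k] = (tokens - COST if allowed else tokens, now_ms)
        return allowed


def simulate(limiter, events):
    """events: iterable of (time_ms, src). Returns {src: (allowed, blocked)}."""
    tally = defaultdict(lambda: [0, 0])
    for t, src in sorted(events):
        tally[src][0 if limiter.check(src, t) else 1] += 1
    return {src: tuple(v) for src, v in tally.items()}


# Constructed traffic: a reflection flood aimed at 192.0.2.10 (30 requests in
# one second) alongside a legitimate client in another prefix (3 requests).
FLOOD = [(33 * i, "192.0.2.10") for i in range(30)]
LEGIT = [(200, "198.51.100.7"), (500, "198.51.100.7"), (900, "198.51.100.7")]

if __name__ == "__main__":
    print(simulate(ResponseRateLimiter(), FLOOD + LEGIT))
    # {'192.0.2.10': (14, 16), '198.51.100.7': (3, 0)}
```

With the defaults (5 replies/s sustained, burst of 10) the spoofed victim's prefix gets 14 of 30 replies and the unrelated client is untouched; the caller still decides which packets count as unconfirmed, exactly as the comment proposes.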

Tisha | Thu, 20 Feb 2014 00:35:03 UTC

If you haven't had a chance to read Network Time Foundation's response to the DRDoS attacks, take a moment to do so, and learn how to stop these attacks in their tracks here: http://nwtime.org/ntp-winter-2013-network-drdos-attacks/

Tristan Slominski | Sun, 16 Feb 2014 17:17:14 UTC

SAV is not the only solution to this problem. Consider the Object Capability perspective where the destination addresses are "unguessable."

Unfortunately, we don't seem to have enough bits in our current protocols and infrastructure to provide enough address space where we can assign addresses to everything that needs them while keeping the used address space sparse enough to make them practically unguessable through random search.

David Collier-Brown | Tue, 11 Feb 2014 14:12:21 UTC

And, just to add emphasis to the article, we have a massive NTP-based DDOS running this morning: see http://tech.slashdot.org/story/14/02/11/0349259/ddos-larger-than-the-spamhaus-attack-strikes-us-and-europe

--dave [email protected]

Paul Vixie | Mon, 10 Feb 2014 04:26:46 UTC

Yes, it's (ultimately) self destructive to skimp on things like SAV. However, the "chemical polluter" business model is very attractive to management teams and shareholders: the profit occurs "here" whereas the damage, and the costs shifted onto the larger economy, occur "down there".

See also:


David Collier-Brown | Sun, 09 Feb 2014 00:57:47 UTC

I've had customers who bewail in turn the people providing internet services, because they won't do such end-user-protective things as source-address validation and you've-become-part-of-a-botnet detection.

I'm still a bit surprised that that's the case, and wonder why large customer ISPs like Rogers in Canada (one of our duopoly, along with Ma Bell) don't do SAV.

I assume they aren't in the business of renting out botnets, so I'm puzzled at them not doing basic tasks to keep their customers from being the target of botnets and DDOS attacks.

Surely it's being self-destructive of them?

--dave [email protected]


© 2018 ACM, Inc. All Rights Reserved.