Unlike a break-in attempt, a DoS attack seeks only to disrupt a target machine, not to access any of its information or other resources. Thus the attacker only needs to send data to the target machine; he doesn't need to get any back. So, to prevent the attack from being traced, the attacker can insert a fake source address into the offending packets. A single malicious packet arriving at a network node won't do much: without a valid return address, no data connection can be established and the packet is eventually ignored. The key word is eventually: in the meantime, some small amount of the node's resources is used processing and keeping track of the packet. Send thousands of packets per second, and now you are talking about serious resource squandering and a disruption of service to legitimate traffic.
Every router on the Internet is capable of squelching faked source addresses and thus preventing attackers from hiding their location. (There are other ways to hide, but they aren't nearly as effective as source spoofing.) But by default this option is turned off. Cisco claims this is because of performance concerns. They claim that the CPU time needed to check that the source network of an outgoing packet matches one of those serviced by the router would increase processing overhead by as much as 30%.
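The source check described above, written out as an added example (not code from the original post, and not any router vendor's implementation): a router-facing filter that only forwards a packet from a customer-side interface if its source address falls inside one of the prefixes that interface actually serves. The prefixes and packets are constructed sample values; the `ipaddress` module handles both IPv4 and IPv6, so the same check covers both families.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """Minimal stand-in for the IP header fields the filter needs."""
    src: str
    dst: str


# Constructed example: the prefixes reachable through one LAN-facing
# interface of a hypothetical small-site router. A packet entering from
# that interface with a source outside these prefixes cannot be a host
# this router serves, so the source must be forged.
LAN_PREFIXES = [
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("198.51.100.0/25"),
    ipaddress.ip_network("2001:db8:1::/48"),
]

# Constructed sample traffic: three genuine sources, two forged ones,
# and one malformed address to show the failure mode is handled.
SAMPLE_PACKETS = [
    Packet("192.0.2.10", "203.0.113.5"),
    Packet("198.51.100.7", "203.0.113.5"),
    Packet("2001:db8:1::42", "2001:db8:ffff::1"),
    Packet("10.99.0.1", "203.0.113.5"),
    Packet("203.0.113.77", "203.0.113.5"),
    Packet("not-an-address", "203.0.113.5"),
]


def source_is_valid(src: str, served_prefixes) -> bool:
    """True if src lies in a prefix served by the ingress interface.

    This is the whole cost of the check: one parse plus a membership test
    against a handful of prefixes. Unparseable sources are rejected.
    """
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False
    return any(addr in net for net in served_prefixes)


def filter_outbound(packets, served_prefixes):
    """Split packets into those to forward and those to drop."""
    forwarded, dropped = [], []
    for pkt in packets:
        if source_is_valid(pkt.src, served_prefixes):
            forwarded.append(pkt)
        else:
            dropped.append(pkt)
    return forwarded, dropped


def drop_summary(dropped):
    """Count drops per forged source; a sudden spike here is the signal an
    operator would alert on."""
    counts = {}
    for pkt in dropped:
        counts[pkt.src] = counts.get(pkt.src, 0) + 1
    return counts


if __name__ == "__main__":
    fwd, drp = filter_outbound(SAMPLE_PACKETS, LAN_PREFIXES)
    print(f"forwarded={len(fwd)} dropped={len(drp)}")
    for src, n in drop_summary(drp).items():
        print(f"  dropped {n} packet(s) claiming source {src}")
```

The point of keeping the drop list rather than silently discarding is that the per-source drop count is also the cheapest detection signal available: a customer interface that suddenly emits packets from addresses it does not own is either misconfigured or hosting a spoofing attack, and either way the operator wants to know.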
First, let me express my opinion that this is bullshit. Small routers generally only have one or two uplinks and service a single local network. The check would be insignificant compared to the time it takes just to move the packet from one interface to another. Large routers have to compare the destination address to a table of dozens, if not thousands, of networks to find the right uplink. Adding a check of the few possible source addresses is again minuscule. The only place where checking would be a significant burden would be on backbone routers where the number of possible source networks is large. But if the local routers did their jobs, checking on the backbone would not be necessary.
The real reason that Cisco doesn't want to ship routers that default to source checking is economics: DoS attacks don't cost them anything, but making router configuration even slightly more complicated does. The average person installing a router has no clue how it works or how to configure it. Turning on source squelching would add to the configuration requirements, which means more tech support calls and more costs for Cisco.
Like most Internet security issues, the real problem is that the people responsible for keeping the Internet secure, the system administrators and their employers, are not doing their jobs. Everyone would benefit if everyone properly configured their networks to be safe and secure. But even high profile targets like government agencies and e-commerce sites have been unwilling to expend the necessary effort to ensure security. Sources like ISPs simply perceive no incentive to be secure.
The vast majority of problems on the Internet are caused by ignorance. Maybe we need some incentive to force individuals and companies to pull their heads out of their asses and pay attention to what they are doing.
This rant solely reflects the opinion of the author, probably while he was half asleep, drunk, or otherwise incapacitated. It does not necessarily reflect the actual opinion of DEI, its associates, or possibly the author in a more conscious state. Hate mail will be prosecuted. Constructive criticism may be posted or ignored. Have a nice day.