The “Evil Bit” Revisited: Blocking DDoS Attacks with AS-Based Accountability
Dan Simon, Sharad Agarwal, Dave Maltz (Trustworthy Computing)
April 8, 2006
The Solution to DoS is Already Here!
Network Working Group                                      S. Bellovin
Request for Comments: 3514                          AT&T Labs Research
Category: Informational                                   1 April 2003

The Security Flag in the IPv4 Header
Paraphrasing the rest of the RFC:
Firewalls ... and the like often have difficulty distinguishing between packets that have malicious intent and those that are merely unusual. The problem is that making such determinations is hard. To solve this problem, we define a security flag, known as the "evil" bit, in the IPv4 header. Benign packets have this bit set to 0; those that are used for an attack will have the bit set to 1.
(Slide diagram: a company running a website. You are here; your customers are here; some of them want to hurt you.)
Can hit the application layer or the network layer
Network-layer DoS can attack any application
Allows a DoS target to distinguish the sources of DoS traffic (not just by IP address) and to block all traffic from them
Both measures are best implemented at the source ISP
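An added example (not code from the deck or from RFC 3514) of what "accountability by source, not just by IP address" looks like on the target side: each packet's source address is mapped to its origin AS by longest-prefix match, attack packets are counted per AS, and any AS whose count crosses a threshold goes on the block list that would be handed to the source ISP. The packet classifier defaults to reading the RFC 3514 "evil bit" (the reserved high-order bit of the IPv4 flags/fragment-offset field) purely to mirror the RFC's semantics; in practice the classifier is whatever attack detection the target already runs. The prefix-to-AS table, the ASNs, the sample headers and the threshold are all constructed for illustration.

```python
"""Per-AS attribution of attack traffic (added example; all data constructed)."""
import ipaddress
import struct
from collections import Counter

# Constructed prefix -> origin-AS table. Prefixes are documentation ranges
# (RFC 5737) and the ASNs are from the private range; none of this is real routing data.
PREFIX_TO_AS = {
    "192.0.2.0/24": 64496,
    "198.51.100.0/24": 64497,
    "198.51.100.128/25": 64498,   # more specific than the /24, so it wins for that half
    "203.0.113.0/24": 64499,
}

IPV4_HDR = "!BBHHHBBH4s4s"   # 20-byte IPv4 header without options


def origin_as(ip, table=PREFIX_TO_AS):
    """Longest-prefix match of ip against table; None if no prefix covers it."""
    addr = ipaddress.ip_address(ip)
    best_asn, best_len = None, -1
    for prefix, asn in table.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and net.prefixlen > best_len:
            best_asn, best_len = asn, net.prefixlen
    return best_asn


def parse_ipv4_header(raw):
    """Return (src, dst, evil_bit) from a raw IPv4 header.

    RFC 3514 places the "evil bit" in the reserved high-order bit of the
    flags/fragment-offset field, i.e. bit 0x8000 of header bytes 6-7.
    """
    if len(raw) < 20 or raw[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    (_ver_ihl, _tos, _total_len, _ident, flags_frag,
     _ttl, _proto, _csum, src, dst) = struct.unpack(IPV4_HDR, raw[:20])
    return (str(ipaddress.IPv4Address(src)),
            str(ipaddress.IPv4Address(dst)),
            bool(flags_frag & 0x8000))


def build_header(src, dst, evil=False):
    """Construct a minimal sample header for testing (checksum left as 0)."""
    flags_frag = 0x8000 if evil else 0
    return struct.pack(IPV4_HDR, 0x45, 0, 20, 0, flags_frag, 64, 6, 0,
                       ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed)


def attack_traffic_by_as(headers, is_attack=lambda src, dst, evil: evil):
    """Count packets the classifier flags as attack traffic, keyed by origin AS.

    Returns (Counter of asn -> packets, number of attack packets whose source
    matched no prefix and therefore cannot be attributed to any AS).
    """
    counts = Counter()
    unattributed = 0
    for raw in headers:
        src, dst, evil = parse_ipv4_header(raw)
        if not is_attack(src, dst, evil):
            continue
        asn = origin_as(src)
        if asn is None:
            unattributed += 1
        else:
            counts[asn] += 1
    return counts, unattributed


def ases_to_block(counts, threshold):
    """ASNs whose attack-packet count reaches the threshold, sorted."""
    return sorted(asn for asn, n in counts.items() if n >= threshold)


# Constructed capture: three flagged packets from one AS, one from another,
# one benign packet, and one flagged packet from an address no prefix covers.
TARGET = "203.0.113.9"
SAMPLE_HEADERS = [
    build_header("192.0.2.1", TARGET, evil=True),
    build_header("192.0.2.2", TARGET, evil=True),
    build_header("192.0.2.3", TARGET, evil=True),
    build_header("198.51.100.200", TARGET, evil=True),
    build_header("203.0.113.5", TARGET, evil=False),
    build_header("10.9.9.9", TARGET, evil=True),
]


def demo(threshold=2):
    """Run the pipeline over the constructed capture; returns the block list."""
    counts, unattributed = attack_traffic_by_as(SAMPLE_HEADERS)
    return ases_to_block(counts, threshold), unattributed


if __name__ == "__main__":
    print(demo())   # ([64496], 1)
```

Two details matter for the deck's argument. The more-specific /25 correctly pulls 198.51.100.200 out of the /24's AS, which is why attribution has to be by longest-prefix match and not a flat lookup. And the packet from 10.9.9.9 is counted as unattributable: traffic from an unrouted or spoofed source is exactly what source-ISP ingress filtering is meant to stop, and without it the target has nobody to hold accountable.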
Easiest case to detect: AS claims to install filters when requested, but doesn’t
Hardest case to detect: AS claims to perform ingress filtering, but doesn’t
Say you want to protect against 50,000 bots @ 128 Kbps/bot....
(Okay, Computer Networking folks—you can uncover your ears now….)