Security and Stability Advisory
Committee
Securing the Edge
[SAC004]
17 October 2002
SECSAC Paul Vixie, ISC
SAC 004 October 17, 2002
Securing the Edge
Abstract
At every edge of the global Internet are the hosts who generate and
consume the packet flows which, together, form the overall Internet
traffic load. By number, most of these hosts are not secure, leading
to dangerous, untraceable traffic flows which can be used to attack
other hosts. This memo describes some of the security problems "at
the edge" and makes some recommendations for improvement.
1 - Connection Taxonomy
1.1. The Internet is a "network of networks", where the component
networks are called Autonomous Systems (AS), each having a unique AS
Number (ASN).
1.2. Connections inside an AS are called "Interior" (or sometimes
"backbone"), and their security policies are set according to local
needs, usually based on business or technical requirements.
1.3. Connections between ASs are called "Border" (or sometimes
"peering"), and their security policies are set bilaterally according to
the joint needs of the interconnecting parties.
1.4. Connections between an AS and its traffic sources (generators) and
traffic sinks (consumers) are called "Edge" (or sometimes "customer"),
and their security policies are generally, by long standing tradition,
inconsistent.
2 - DDoS Vulnerability
2.1. The most common attack on Internet hosts or infrastructure at the
time of this writing is to cause the receipt of too much traffic,
consuming all available resources on a victim's host or Internet
connection. This is often called a "Denial of Service" (DoS) attack.
2.2. For a DoS attack to succeed, the source or "launch point" must not
be trivially detectable. Therefore, successful attacks employ large
numbers of weak attackers. An attack launched from ten thousand hosts
who each sent ten packets per second would be called a Distributed
Denial of Service (DDoS) attack.
SECSAC SAC 004 [Page 1]
SAC 004 Securing the Edge October 17, 2002 2.3. For a DDoS attack to succeed more than once, the launch points must remain anonymous. Therefore, forged IP source addresses are used. From the victim's point of view, a DDoS attack seems to come from everywhere at once, even from many IP addresses that are unallocated or otherwise invalid. 2.4. A successful DDoS can last for minutes or weeks. Because there is no way to determine who launched it, because the process of identifying and correcting each compromised host cannot be practically undertaken as a means of mitigating the attack, and because filtering out "attack flows" invariably has the side effect of damaging valid traffic, every "cure" is nearly as expensive as just "waiting it out." 2.5. While most DDoS attacks are by bad actors against other bad actors, it is quite common to select a high profile victim for no better reason than bragging rights. At the time of this writing there is virtually always an attack in progress somewhere, and in the foreseeable future these attacks will represent a large permanent share of the global Internet's traffic. 3 - DDoS Vector 3.1. The typical vector for DDoS launches is a personal computer (PC) running operating system and application software that purposely trades off security for convenience. These computers are usually poorly managed, such that there are weak passwords or no passwords, known security "holes" that are never patched or closed, and services offered to the global Internet that the owner has no knowledge and no use for. 3.2. From the point of view of almost any single purveyor -- or consumer -- of operating system and application software, convenience will almost always have more perceived value than security. It is only when viewed in the aggregate that the value of security becomes obviously higher than the value of convenience. 3.3. With the advent of high speed "always on" connections, these PCs add up to either an enormous global threat, or a bonanza of freely retargetable resources, depending upon one's point of view. 3.4. Bad actors, in teams or acting alone, exert constant background effort to locate these hosts, probe them for known weaknesses, and subvert them in any way possible. There are software "kits" available that make all of this trivially easy, so no actual technical skill is needed to locate, subvert, and direct an army of thousands of high performance drones. SECSAC SAC 004 [Page 2]
SAC 004 Securing the Edge October 17, 2002
4 - Remediation
4.1. The foundation of DDoS is anonymity. Even if thousands of hosts
are involved, it is both desirable and possible to filter them out,
report them to their owners, and repair them, one by one -- if and only
if it is possible to learn their identities.
4.2. Source addresses that appear at Border or Interior connections are
nonrepudiable by nature, since flows from an alleged source could
validly occur in either direction at any Border or Interior connection.
4.3. Source addresses that appear on ingress flows from the edge are
generally repudiable, since a typical edge host has no valid reason to
use any source address other than one from the pool assigned by the
"upstream" or "transit" provider.
4.4. Edge source address repudiation -- the dropping of packets with
invalid source addresses upon their ingress across a network edge -- has
more immediate beneficial impact than improving PC security. In
addition to the difference in complexity and variety, PCs outnumber
network edges by at least three orders of magnitude.
5 - Corner Cases
5.1. Multihomed networks who use address space from multiple upstream
providers will occasionally emit packets into upstream "A" using source
addresses that were assigned by upstream "B". In this case, upstream
"A" must be prepared to accept source addresses in address space "B",
and vice versa. This is only a slight complication and does not
invalidate the approach.
5.2. Networks who have their own address space and ASN, and who speak a
dynamic routing protocol such as BGP4, should have their offered routes
filtered by their upstream provider(s) where practical in order to
prevent bad actors from injecting temporary routes to unassigned or
contested address space, from which to launch untraceable attacks.
6 - References
[BCP38]
D. Ferguson, D. Senie, ``Network Ingress Filtering: Defeating Denial
of Service Attacks which employ IP Source Address Spoofing,'' BCP 38
and RFC 2827, IETF Best Current Practice, May 2000. 6.1.
SECSAC SAC 004 [Page 3]
SAC 004 Securing the Edge October 17, 2002
7 - Author's Address
Paul Vixie
Internet Software Consortium
950 Charter Street
Redwood City, CA 94063
+1 650 779 7000
vixie@isc.org
SECSAC SAC 004 [Page 4]
Comments concerning the layout, construction and functionality of this site
should be sent to webmaster@icann.org.
Page Updated
21-Mar-2003
©2003 The Internet Corporation for
Assigned Names and Numbers. All rights reserved.