by chmike 3566 days ago
I totally disagree that we can't do anything. With the existing TCP/IP protocol we can't do anything because it's possible to forge the origin IP address or modify the datagram content on its route to destination. A receiving end has no way to verify the validity of the datagram.

IP datagram authentication at the lowest level is required so that anyone on the route can detect forgery, error or tampering with the data. This would allow tracking the real sources of a DDOS attack, diagnosing the cause and fixing it.

What's the point of continuing to dig deeper trenches?

This should be a top priority change of the Internet. There was no incentive to move to IPv6. Now there is one to move to a more secure Internet.


> top priority change of the Internet

See you in thirty years.

Also, IP authentication doesn't help you. DDOS traffic often has real IP source addresses on it. It tells you that the traffic is several hundred thousand home PCs. Now what?

If you knew for sure that an IP src address involved in a DDoS attack was not spoofed, we could easily design a control protocol that allowed a recipient to contact the origin ISP and enable a block on that particular {src,dst} pair. Unless you know for sure that the src address isn't spoofed though, such a mechanism would itself be abused to deny service. Having the ability to validate a source address would be the enabler for proper defense mechanisms.

We wrote about one way to do this about ten years ago, but no-one was really interested at the time: http://www0.cs.ucl.ac.uk/staff/M.Handley/papers/terminus2007...

> Unless you know for sure that the src address isn't spoofed though, such a mechanism would itself be abused to deny service.

Unfortunately, even if you know that the source address isn't spoofed, such a mechanism would itself be abused to deny service.

Trying to cause serious mayhem with spoofed addresses is pointless. Most DDOS comes from botnets, not from the attacker's personal resources. If you deployed a system that tried to spoof addresses, all that needs to happen to eliminate 90% of your attack is for Comcast and co. to implement edge filtering such that traffic inbound from people's computers is dumped if it's not from an address that can reasonably come from that origin.

And, since each additional node in the botnet has zero marginal cost, why bother trying to hide the device anyway?
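As an added example, not code from this thread, here is a toy model of the edge filtering described in the comment above (what RFC 2827 / BCP 38 calls ingress filtering): the access router knows which prefixes were assigned to each customer port and drops any packet whose source address does not belong to the port it arrived on. The same validation is the precondition the earlier reply names for its {src,dst} block request. The port names, prefixes and packets below are constructed; the addresses come from the documentation ranges and are hypothetical.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed data: customer-facing ports of one access router and the
# address blocks actually assigned to each of them (hypothetical prefixes
# from the RFC 5737 documentation ranges).
CUSTOMER_PREFIXES: Dict[str, list] = {
    "port1": [ipaddress.ip_network("203.0.113.0/29")],
    "port2": [ipaddress.ip_network("198.51.100.64/26")],
}


@dataclass(frozen=True)
class Packet:
    ingress_port: str  # port the packet arrived on
    src: str           # source address as written in the IP header
    dst: str


def source_is_valid(pkt: Packet, table=CUSTOMER_PREFIXES) -> bool:
    """True if pkt.src can legitimately originate on pkt.ingress_port,
    i.e. it lies inside a prefix assigned to that port.

    Anything else (unknown port, address outside the port's prefixes, wrong
    address family, unparsable address) is treated as spoofed.
    """
    try:
        src = ipaddress.ip_address(pkt.src)
    except ValueError:
        return False
    # ip_network.__contains__ returns False for a mismatched address family,
    # so an IPv6 source arriving on an IPv4-only port fails the check.
    return any(src in net for net in table.get(pkt.ingress_port, []))


def ingress_filter(packets, table=CUSTOMER_PREFIXES) -> Tuple[List[Packet], List[Packet]]:
    """Apply the check to a stream of packets; return (forwarded, dropped)."""
    forwarded, dropped = [], []
    for pkt in packets:
        (forwarded if source_is_valid(pkt, table) else dropped).append(pkt)
    return forwarded, dropped


def spoofed_sources(packets, table=CUSTOMER_PREFIXES) -> List[str]:
    """Source addresses the filter refused to forward (what an abuse desk
    or a DDOS post-mortem would want to see)."""
    _, dropped = ingress_filter(packets, table)
    return sorted({p.src for p in dropped})


# Constructed traffic sample. Packet 2 has the classic reflection-attack shape:
# a bot on port1 writes the victim's address (192.0.2.10) as the source so the
# reply from the reflector (192.0.2.53) lands on the victim. One hop upstream
# of the access router it is indistinguishable from genuine traffic; at the
# access router it is trivially detectable.
SAMPLE_PACKETS = [
    Packet("port1", "203.0.113.2", "198.51.100.5"),   # genuine
    Packet("port1", "192.0.2.10", "192.0.2.53"),      # spoofed: victim as src
    Packet("port2", "198.51.100.77", "203.0.113.2"),  # genuine
    Packet("port3", "203.0.113.3", "198.51.100.5"),   # unknown port
    Packet("port1", "2001:db8::1", "2001:db8::2"),    # wrong family for port1
]

if __name__ == "__main__":
    fwd, drop = ingress_filter(SAMPLE_PACKETS)
    print(f"forwarded {len(fwd)}, dropped {len(drop)}, "
          f"spoofed sources: {spoofed_sources(SAMPLE_PACKETS)}")
```

Real routers implement the same decision without a hand-maintained table: strict unicast reverse-path forwarding (uRPF) accepts a packet only if the route back to its source address points out the interface it arrived on, which for a single-homed customer port is exactly the check above.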

Bots use real addresses because nothing is done to track them and require the owner or OS provider to fix them. They currently have no incentive to fix the problem.

Collecting the source IP addresses of a DDOS attack is the first thing that could be done. Then progressive pressure should be applied to enforce fixing the computers and getting rid of the bots. OSes with weak security would then feel the pain.

The day this is done, the next step will be to use forged source IP addresses. What would be the incentive for ISPs to pay the price to filter packets? As long as no one is able to prove that the packet is forged, they won't do anything.