by pjc50 3568 days ago
> top priority change of the Internet

See you in thirty years.

Also, IP authentication doesn't help you. DDOS traffic often has real IP source addresses on it. It tells you that the traffic is from several hundred thousand home PCs. Now what?


If you knew for sure that an IP src address involved in a DDoS attack was not spoofed, we could easily design a control protocol that allowed a recipient to contact the origin ISP and enable a block on that particular {src,dst} pair. Unless you know for sure that the src address isn't spoofed though, such a mechanism would itself be abused to deny service. Having the ability to validate a source address would be the enabler for proper defense mechanisms.

We wrote about one way to do this about ten years ago, but no-one was really interested at the time: http://www0.cs.ucl.ac.uk/staff/M.Handley/papers/terminus2007...

> Unless you know for sure that the src address isn't spoofed though, such a mechanism would itself be abused to deny service.

Unfortunately, even if you know that the source address isn't spoofed, such a mechanism would itself be abused to deny service.

Trying to cause serious mayhem with spoofed addresses is pointless. Most DDOS comes from botnets, not from the attacker's personal resources. If you deployed a system that tried to spoof addresses, all that needs to happen to eliminate 90% of your attack is for Comcast and co. to implement edge filtering such that traffic inbound from people's computers is dumped if it's not from an address that can reasonably come from that origin.

And, since each additional node in the botnet has zero marginal cost, why bother trying to hide the device anyway?
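The edge filtering described in the comment above (drop a packet arriving on a customer interface if its source address could not legitimately originate there, the idea behind BCP 38 / strict unicast RPF), as an added illustration that is not code from anyone in this thread. It assumes a simplified model in which the ISP knows which prefixes it delegated to each customer-facing interface; the interface names, prefixes and packet sample are constructed.

```python
"""Per-interface source-address (ingress) filter.

Added example, not from the thread. Model: each customer-facing interface
has a list of prefixes assigned to that customer; a packet is accepted only
if its source address falls inside one of them. Everything else is dropped
and counted per interface so the operator can see which ports emit spoofed
traffic.
"""
import ipaddress
from collections import Counter

# Constructed sample: interface name -> prefixes delegated to that customer.
INTERFACE_PREFIXES = {
    "cust-eth1": ["203.0.113.0/26", "2001:db8:1::/48"],
    "cust-eth2": ["198.51.100.64/27"],
}


def build_filter(table):
    """Parse the string prefixes once into ip_network objects."""
    return {iface: [ipaddress.ip_network(p) for p in prefixes]
            for iface, prefixes in table.items()}


def source_is_valid(filter_table, iface, src):
    """True if src is a plausible source for a packet arriving on iface."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:          # malformed address: never accept
        return False
    for net in filter_table.get(iface, []):
        # Compare only within the same IP version; a v4 address is never
        # "inside" a v6 prefix and vice versa.
        if addr.version == net.version and addr in net:
            return True
    return False                # unknown interface or foreign source


def filter_packets(filter_table, packets):
    """Apply the filter to (iface, src, dst) tuples.

    Returns (accepted, dropped, drop_count_per_interface).
    """
    accepted, dropped = [], []
    drops = Counter()
    for iface, src, dst in packets:
        if source_is_valid(filter_table, iface, src):
            accepted.append((iface, src, dst))
        else:
            dropped.append((iface, src, dst))
            drops[iface] += 1
    return accepted, dropped, drops


# Constructed packets; the last field is the destination.
SAMPLE_PACKETS = [
    ("cust-eth1", "203.0.113.7", "192.0.2.10"),       # inside assigned /26
    ("cust-eth1", "203.0.113.200", "192.0.2.10"),     # outside the /26: spoofed
    ("cust-eth1", "192.0.2.10", "192.0.2.10"),        # someone else's address
    ("cust-eth2", "198.51.100.70", "192.0.2.10"),     # inside assigned /27
    ("cust-eth2", "198.51.100.7", "192.0.2.10"),      # outside the /27
    ("cust-eth1", "2001:db8:1::5", "2001:db8:ff::1"), # inside assigned v6 /48
    ("cust-eth3", "203.0.113.7", "192.0.2.10"),       # interface with no prefixes
]

if __name__ == "__main__":
    table = build_filter(INTERFACE_PREFIXES)
    acc, drop, counts = filter_packets(table, SAMPLE_PACKETS)
    for pkt in drop:
        print("DROP", pkt)
    print("drops per interface:", dict(counts))
```

The per-interface drop counter is the operational payoff: a customer port that keeps emitting out-of-prefix sources is either misconfigured or hosting a bot, and that is visible at the ISP edge long before the victim sees the flood.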

Bots use real addresses because nothing is done to track them and require the owner or OS provider to fix them. They currently have no incentive to fix the problem.

Collecting the source IP addresses of a DDOS attack is the first thing that could be done. Then progressive pressure should be put to enforce fixing the computers and get rid of the bots. OS with weak security would then feel the pain.

The day this is done, the next step will be to use forged source IP addresses. What would be the incentive for ISPs to pay the price to filter packets? As long as no one is able to prove that the packet is forged, they won't do anything.
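The first step the comment above proposes, collecting the source addresses seen in an attack and attributing them to the networks responsible for them, as an added example that is not code from the thread. It assumes flow logs in a simple "timestamp src dst proto" form and a table mapping prefixes to origin networks; in practice that table would come from routing data, here it is a constructed dictionary, and the log lines are constructed too.

```python
"""Attribute DDoS source addresses to origin networks.

Added example, not from the thread. Input: flow-log lines and a table of
prefix -> network label. Output: the distinct sources seen hitting the
target, grouped by the most specific prefix that contains each source
(longest-prefix match), which is the list you would take to each operator.
"""
import ipaddress
from collections import Counter

# Constructed origin-network table (prefix -> operator label).
ORIGIN_NETWORKS = {
    "203.0.113.0/24": "ExampleNet-A",
    "203.0.113.128/25": "ExampleNet-A-Reseller",  # more specific than the /24
    "198.51.100.0/24": "ExampleNet-B",
}

# Constructed flow-log sample: "timestamp src dst proto" per line.
FLOW_LOG = """\
2017-01-01T00:00:01 203.0.113.7 192.0.2.10 udp
2017-01-01T00:00:01 203.0.113.200 192.0.2.10 udp
2017-01-01T00:00:02 203.0.113.201 192.0.2.10 udp
2017-01-01T00:00:02 198.51.100.9 192.0.2.10 udp
2017-01-01T00:00:03 203.0.113.7 192.0.2.10 udp
2017-01-01T00:00:03 192.0.2.99 192.0.2.10 udp
2017-01-01T00:00:04 203.0.113.7 192.0.2.11 udp
"""


def build_table(mapping):
    """Parse prefixes and order them longest-first so the first hit wins."""
    nets = [(ipaddress.ip_network(p), name) for p, name in mapping.items()]
    nets.sort(key=lambda entry: entry[0].prefixlen, reverse=True)
    return nets


def origin_of(table, src):
    """Longest-prefix match of src against the table; 'unknown' if none."""
    addr = ipaddress.ip_address(src)
    for net, name in table:
        if addr.version == net.version and addr in net:
            return name
    return "unknown"


def attribute_sources(table, log_text, target):
    """Group the distinct sources that sent to `target` by origin network.

    Returns {origin_label: sorted list of source addresses}.
    """
    hits = Counter()
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[2] != target:
            continue                      # other destinations are not our attack
        hits[parts[1]] += 1
    grouped = {}
    for src in hits:
        grouped.setdefault(origin_of(table, src), set()).add(src)
    return {name: sorted(srcs) for name, srcs in grouped.items()}


if __name__ == "__main__":
    report = attribute_sources(build_table(ORIGIN_NETWORKS), FLOW_LOG, "192.0.2.10")
    for origin, sources in sorted(report.items()):
        print(f"{origin}: {len(sources)} source(s): {', '.join(sources)}")
```

Grouping by distinct source rather than by packet count matters here: the point of the report is which machines need cleaning up, and a single chatty bot should not make its network look worse than one that is quiet but hosts many.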