[josefx]

The UDP packets still have to pass through the network and networks can attach all kind of tracking headers to these packets. So you should be theoretically able to track down the sources of long running attack if every network provider along the line cooperates.

[spiffytech]

UDP doesn't have a notion of key/value headers of arbitrary data (like HTTP does). This is all the metadata that UDP packets include: https://en.wikipedia.org/wiki/User_Datagram_Protocol#IPv4_ps...

If cooperation of intermediary networks is assumed, these attacks can be crippled by convincing ISPs to deny outbound UDP packets claiming source IPs from outside their networks.

[josefx]

> This is all the metadata that UDP packets include: https://en.wikipedia.org/wiki/User_Datagram_Protocol#IPv4_ps...

That is explicitly a simplified representation used only to compute the checksum of the UDP package. It doesn't even include the full IP header, nor does it touch any of the protocols the IP package would be encapsulated in at all. Network tagging and other fun things happen as low as the Ethernet layer.

> these attacks can be crippled by convincing ISPs to deny outbound UDP packets claiming source IPs from outside their networks.

Not sure this would be enough, I think ISPs generally have complete ranges of IP addresses so it would be trivial for an attacker to create a list of "valid" IPs to use.

[spiffytech]

> Network tagging and other fun things happen as low as the Ethernet layer.

I see the IP packet ID field (which appears to have this very use prohibited?) and the 802.1Q VLAN tag on Ethernet frames (a 32-bit value). Is that what you're referencing? Does that mean the idea is each network tagging traffic during transit within their network, with a process for downstream entities to request logged tracking data? I got the impression you meant for the end recipient to receive the intermediate tracking markers alongside the sender's original data, but maybe I misunderstood :)

> Not sure this would be enough, I think ISPs generally have complete ranges of IP addresses so it would be trivial for an attacker to create a list of "valid" IPs to use.

It would prevent the reflection portion of these attacks (a bot could only reflect traffic back into its own IP block, not towards an arbitrary global target), and knowing which networks originated the traffic would enable other countermeasures.

[josefx]

It was more of a half thought out idea than something concrete, currently drawing a blank on how the network would communicate the tracking information outside. I also seem to have misremembered various things about Ethernet tagging. :(

> It would prevent the reflection portion of these attacks (a bot could only reflect traffic back into its own IP block, not towards an arbitrary global target), and knowing which networks originated the traffic would enable other countermeasures.

That makes sense.

[toast0]

Limited anti-spoofing that only allows spoofing within the ISPs ranges is sufficent to stop reflection attacks targeting IPs outside that range, which is usually enough.

It doesn't help much with direct volumetric attacks, but it would potentially make it easier to track (hey ISP, we're getting a lot of traffic evenly divided over your IP ranges, and they can confirm it's coming from their network and maybe figure out where it originates)

[elcritch]

Come to think of it, it’s a bit odd routers don’t in force this by default.

[toast0]

Routers are optimized to know where to send packets given a destination address, not to know what source addresses are valid given a packet is received.

In some cases, it's simple, one address/subnet per port, would be 'easy' to enforce; this is often the case for normal residential connections and commercial users that didn't bring their own IPs. In other cases, networks are connected to networks and what to send there and what is ok to receive may not be the same and may also be dynamic.

[zeroimpl]

Routers know how to figure out what route to use for a given IP.

If they apply this algorithm to the source IP and find that the optimal route to the source is a different interface than it was received on, that’d potentially be a red flag. But if the optimal route to the source is the same as the optimal route to the destination, that’d be a huge red flag.

[toast0]

That really only works if you assume routing symmetry and a single optimal route.

[elcritch]

I was mainly thinking of ISP routers for residential/small businesses which seemingly make up a large portion of DDoS traffic.