RealTime IT News

IETF Proposal Tackles Attacks

The Internet Engineering Task Force is requesting comments on its April proposal to re-craft RFC1122 designed to help network administrators reduce the use of Smurf amplifications in distributed denial of service attacks.

The IETF work-in-progress proposes that in addition to standards set by RFC1122, Internet service provider technicians should augment ingress filtering. The proposal is designed to specifically limit the use of broadcasting over local area networks when an intruder unleashes a DDoS attack.

The solution suggested by RFC2644 is for routers only, while the proposed solution is intended for end-nodes. If a DDoS Smurf attack is generated using local broadcast, the router-only solution won't prevent the attack.

The Internet Control Message Protocol (ICMP) is a message control and error-reporting protocol between a host server and a gateway to the Internet. ICMP uses Internet Protocol datagrams, but the messages are processed by the IP software and are not directly apparent to the application user.

It remains a sticky situation for network administrators attempting to determine whether a LAN broadcast is legitimate or forged.

A Smurf attack is initiated by sending an ICMP Echo Request packet to an IP directed broadcast address. The source IP address is forged to be that of the victim. All the machines on the destination network respond with an Echo Reply to the victim, thus generating a Smurf denial-of-service attack.

Recent denial-of-service attacks have illustrated that such action can be readily taken from a single entry point against many remote networks. The impact of malicious code writers on computers is well known. In one of the most brazen DDoS attacks earlier this year, hackers bombarded Yahoo Inc., Amazon.com Inc., and others with millions of messages that led to server crashes.

The IETF proposal recommends that each router impacted by a Smurf attack be disabled and set up to receive the directed broadcast by default. Each host may discard an ICMP Echo Request destined to an IP broadcast through human intervention with the LAN. Internet service provider routers should implement ingress filtering to prevent forged data packets from leaving their network boundaries.

The general practice would provide a redundant barrier to Smurf attacks. Each operating system can choose either to respond or not to respond to broadcast ICMP Echo Requests.

The latest DDoS attack changes the way of generating the Smurf attack. In this scenario, the attacker compromises a system within a network and uses that entire network to launch an attack against another network destination.

The problem remains that such traffic does not travel through a router, so the proposed router-side solution does not stop the attack. All the machines in the network which do not discard broadcast ICMP packets will respond with an ICMP Echo Reply to the victim, which generates a DDoS Smurf attack. In this instance, ingress filtering on the part of ISPs does not help prevent the service disruption.
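The two checks the proposal recommends (an end node discarding Echo Requests addressed to a broadcast address, and an ISP edge dropping outbound packets whose source lies outside the customer's prefix), together with the inside-the-LAN case where only the end-node rule helps, as an added example that is not from the article or the IETF draft. The addresses, prefixes and log lines are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

ICMP_ECHO_REQUEST = 8  # ICMP type number (RFC 792)
LIMITED_BROADCAST = ipaddress.ip_address("255.255.255.255")

@dataclass(frozen=True)
class Packet:
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    proto: str
    icmp_type: Optional[int] = None  # None for non-ICMP packets

def parse_log(text):
    """Parse constructed 'src dst proto icmp_type' lines ('-' when not ICMP)."""
    pkts = []
    for line in text.splitlines():
        src, dst, proto, itype = line.split()
        pkts.append(Packet(ipaddress.ip_address(src), ipaddress.ip_address(dst),
                           proto, None if itype == "-" else int(itype)))
    return pkts

def host_should_discard(pkt, lan):
    """End-node rule: drop an Echo Request sent to the LAN's directed or limited broadcast."""
    is_echo_req = pkt.proto == "icmp" and pkt.icmp_type == ICMP_ECHO_REQUEST
    return is_echo_req and pkt.dst in (lan.broadcast_address, LIMITED_BROADCAST)

def edge_should_drop(pkt, customer_prefix):
    """ISP ingress filter: a packet leaving the customer network must carry a source in its prefix."""
    return pkt.src not in customer_prefix

def lines_dropped(log, rule):
    """1-based line numbers of the packets in `log` that `rule` would drop."""
    return [i for i, p in enumerate(parse_log(log), 1) if rule(p)]

AMPLIFIER_LAN = ipaddress.ip_network("192.0.2.0/24")      # constructed amplifier network
ATTACKER_PREFIX = ipaddress.ip_network("198.51.100.0/24")  # constructed attacker-side customer prefix

# Constructed traffic seen by a host on the amplifier LAN: line 1 is the forged Echo Request
# (source = victim, destination = directed broadcast); line 3 is the Echo Reply a host that ignores
# the rule would send to the victim; line 4 shows that non-ICMP broadcasts are left alone.
LAN_LOG = """\
203.0.113.7 192.0.2.255 icmp 8
192.0.2.10 192.0.2.1 icmp 8
192.0.2.11 203.0.113.7 icmp 0
192.0.2.12 192.0.2.255 udp -"""

# Constructed traffic leaving the attacker-side network at its ISP edge: line 1 carries the
# victim's address as its source, which is outside the customer prefix, so the edge drops it.
EDGE_LOG = """\
203.0.113.7 192.0.2.255 icmp 8
198.51.100.9 192.0.2.20 tcp -"""
```

When the forged request originates on the amplifier LAN itself, it never crosses the ISP edge, so only the host rule applied on receipt stops the replies.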

All the same, the proposal would stop one form of LAN-based attack. While the IETF work-in-progress is scrambling to prevent future attacks, the group is currently seeking comments on the new draft.