

IP spoofing

MULTOPS in victim-oriented mode is not influenced by IP spoofing. However, MULTOPS may impose "collateral damage" by dropping legitimate packets going to the victim.

When attackers randomize IP source addresses (a common practice), a problem arises for MULTOPS in attacker-oriented mode. There could be so many different (spoofed) IP source addresses that MULTOPS does not have enough available memory to establish all "malicious" IP source addresses. In that case, MULTOPS can establish a set of prefixes that malicious IP source addresses share. Better randomization implies shorter address prefixes. Shorter prefixes imply that MULTOPS drops more packets, which may include legitimate packets. In other words: collateral damage as a result of MULTOPS' dropping policy is greater when IP spoofing gets more randomized.

When attackers perfectly randomize IP source addresses, either each malicious stream of packets with a common IP source address (or prefix) is too insignificant to be seen as part of an attack, or all malicious streams are seen as part of an attack. In the former case, MULTOPS does not detect the attack at all. In the latter case, all packets are considered part of an attack, and, hence, dropped. Both cases constitute a successful denial-of-service attack.
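The trade-off between a memory budget, prefix length and collateral damage can be modelled from the defender's side. The following is an added example, not code from the paper and not the MULTOPS data structure itself: it assumes a fixed table of `BUDGET` prefix entries and a single uniform prefix length, and every address in it is constructed sample data.

```python
import ipaddress

def to_int(addr):
    return int(ipaddress.IPv4Address(addr))

def aggregate(sources, budget):
    """Return (prefix_len, prefixes): the longest prefix length at which the
    distinct prefixes of `sources` fit in `budget` table entries.
    Assumed model of a memory-limited tracker, not MULTOPS' own algorithm."""
    if budget < 1:
        raise ValueError("budget must be at least 1")
    addrs = [to_int(s) for s in sources]
    for plen in range(32, -1, -1):
        prefixes = {a >> (32 - plen) for a in addrs}
        if len(prefixes) <= budget:
            return plen, prefixes  # always reached: plen 0 yields one prefix

def collateral(legit, plen, prefixes):
    """Fraction of legitimate sources that fall under a dropped prefix."""
    hits = sum(1 for s in legit if (to_int(s) >> (32 - plen)) in prefixes)
    return hits / len(legit)

# Constructed sample data: four legitimate clients and three sets of 256
# spoofed sources, spread over progressively more of the address space.
LEGIT = ["192.0.2.10", "198.18.77.5", "203.0.113.9", "100.64.3.3"]
SPOOFED = {
    "within one /24": [f"198.51.100.{x}" for x in range(256)],
    "within one /16": [f"198.18.{x}.1" for x in range(256)],
    "whole address space": [f"{x}.0.0.0" for x in range(256)],
}
BUDGET = 16  # hypothetical number of prefix entries the tracker can afford

def run():
    """Map each spoofing pattern to (prefix length, collateral fraction)."""
    results = {}
    for name, sources in SPOOFED.items():
        plen, prefixes = aggregate(sources, BUDGET)
        results[name] = (plen, collateral(LEGIT, plen, prefixes))
    return results

if __name__ == "__main__":
    for name, (plen, frac) in run().items():
        print(f"{name:20s} drop prefixes: /{plen:<2d} "
              f"legitimate sources dropped: {frac:.0%}")
```

With the same 16-entry budget, the drop prefixes shrink from /28 to /20 to /4 as the spoofed sources spread out, and in the last case the 16 prefixes cover every legitimate client, which is the "all packets dropped" outcome described above.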


2001-05-11