

Distribution

The IP spoofing problem described above is closely related to the problem of attacker distribution. As more attackers (spoofing or non-spoofing) participate in a bandwidth attack, it becomes harder for MULTOPS in attacker-oriented mode to identify any single attacker: each attacker's relative share of the total traffic becomes smaller and, therefore, the disproportional quality of its traffic becomes less conspicuous.

When a total number of $T$ packets per second is required to crash the victim's infrastructure, and $N$ attackers participate, then each attacker needs to generate an average of $T/N$ packets per second. As $N$ gets larger, $T/N$ gets smaller.

Even though MULTOPS' sensitivity can be tuned, if $N$ is too large and, consequently, $T/N$ too small, a single attacker might go undetected by MULTOPS. If, however, the attackers are not spread out geographically, their combined traffic might pass through a single MULTOPS-equipped router, which could decide to drop all the packets. Even if the attackers are perfectly distributed throughout the world, routers funnel the malicious packets together on their way to the victim. The chance that one of these routers detects the stream as malicious grows as the stream becomes more bundled (and, thus, its packet rates more disproportional).
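The funneling argument above can be checked on a small topology. The following is an added example, not code from the paper or from MULTOPS: the router names, the tree and the numbers are constructed, and a single packet-rate threshold stands in for MULTOPS' tunable sensitivity (a simplification, not the MULTOPS algorithm).

```python
from collections import defaultdict

# Constructed topology: router -> next hop toward the victim (None = victim's router).
PARENT = {
    "R0": None,                      # router directly in front of the victim
    "R1a": "R0", "R1b": "R0",        # regional routers
    "E1": "R1a", "E2": "R1a",        # edge routers
    "E3": "R1b", "E4": "R1b",
}

def flagged_routers(parent, attackers_at, T, threshold):
    """Return {router: pps toward the victim} for every router whose bundled
    attack rate reaches `threshold`.

    parent:       router -> next hop toward the victim
    attackers_at: router -> number of attackers attached directly to it
    T:            total packets per second the attack requires
    threshold:    assumed sensitivity in pps (hypothetical parameter)
    """
    N = sum(attackers_at.values())
    per_attacker = T / N                     # the T/N of the text
    rate = defaultdict(float)
    for router, count in attackers_at.items():
        hop = router
        while hop is not None:               # every router on the path carries the stream
            rate[hop] += count * per_attacker
            hop = parent[hop]
    return {r: pps for r, pps in rate.items() if pps >= threshold}

if __name__ == "__main__":
    T, threshold = 10_000, 3_000             # constructed values
    spread = {"E1": 25, "E2": 25, "E3": 25, "E4": 25}   # evenly distributed
    clustered = {"E1": 100}                              # not spread out
    for name, placement in (("spread", spread), ("clustered", clustered)):
        hits = flagged_routers(PARENT, placement, T, threshold)
        print(name, "T/N =", T / sum(placement.values()), "flagged:", sorted(hits))
```

With 100 attackers each sending $T/N = 100$ packets per second, no individual source reaches the threshold; in the evenly spread case the edge routers stay below it as well, and the stream first becomes conspicuous one hop further in, where it has been bundled.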


2001-05-11