The Top Seven Things Wrong with the Internet. The Internet is in serious need of an upgrade in a number of areas. Some of these problems already have fixes; they’re just not being rolled out because it’s considered too hard, or there are large vested interests in maintaining the status quo. (This was originally going to be a top ten, but I ran out of writing time during my lunch hour. I may amend the list later.) (1003 Words) [The Fishbowl]
To address some of your points:
1. DDoS attacks.
ISPs already have the ability to contain some of these and make them less damaging. It’s called something like ‘Packet Egress Filtering’. One of the ways that DDoS attacks like SYN floods and the ‘ping of death’ work is that they get lots of machines to send packets with spoofed IP addresses. In the example of SYN floods (as I understand it – I may be wrong) zombie machines are instructed to send out TCP SYN requests (the initial ‘handshake’ request for opening a connection to another machine), with the source IP spoofed to be that of the machine being targeted for the denial-of-service. A server receiving a SYN request will send an ACK response to the source IP to acknowledge the connection. If sufficient zombies are all sending spoofed SYN packets, the target is buried under a flood of ACK packets all coming from well-meaning servers that are under the impression it tried to initiate a connection with them. The really sneaky part is that each individual middle-man machine would only see a very minor increase in traffic, as it’s the aggregated total of all the middle-men sending ACKs that swamps the target system. A variation of this (I’m more fuzzy on this one so I may be even more wrong) is sending SYN packets directly to the victim system, with source IPs spoofed to be non-existent. The victim will try to send an ACK response, which will go nowhere, so it will try again, several times before giving up. Given enough SYN packets, it will eventually be spending its entire time trying to send ACKs and not servicing genuine requests.
How does egress filtering address these issues? An ISP knows which IP address ranges belong to it, and could put this data into their routers, such that any packet that arrives at the inside edge of their network that claims to be from an IP that is NOT within the ISP’s allocated range could simply be dropped. This would prevent packets with spoofed source IP addresses ever getting out of the originating network.
This is about the limits of my knowledge on this. More info:
3. IP numbers.
IPv6 is on its way, with mind-boggling numbers of, er, numbers; unfortunately inertia (and upgrade cost) is against us on this one. It will get here eventually (I hope).
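A worked illustration of the source-address check described under point 1, added here as an example and not part of the thread: packets arriving at the ISP’s inside edge are forwarded only if their source address falls inside one of the ISP’s allocated prefixes, so a zombie forging the victim’s address never gets its packet past the edge. The prefixes, the packet dictionaries and the victim address are all constructed for the example (documentation ranges), and packets are modelled as plain dicts rather than real router configuration.

```python
import ipaddress

# Constructed example: prefixes allocated to a hypothetical ISP (documentation ranges).
ISP_PREFIXES = [ipaddress.ip_network(p) for p in ("203.0.113.0/24", "198.51.100.0/24")]

# Constructed sample packets as seen at the ISP's inside (customer-facing) edge.
# 192.0.2.10 plays the DDoS victim: zombies inside the ISP forge it as the source.
SAMPLE_PACKETS = [
    {"src": "203.0.113.7",  "dst": "192.0.2.10",    "flags": "SYN"},  # genuine customer
    {"src": "192.0.2.10",   "dst": "198.51.100.80", "flags": "SYN"},  # spoofed: victim's address
    {"src": "192.0.2.10",   "dst": "203.0.113.25",  "flags": "SYN"},  # spoofed again
    {"src": "10.0.0.1",     "dst": "192.0.2.10",    "flags": "SYN"},  # not an ISP prefix
    {"src": "198.51.100.3", "dst": "192.0.2.10",    "flags": "ACK"},  # genuine customer
    {"src": "not-an-ip",    "dst": "192.0.2.10",    "flags": "SYN"},  # malformed header
]

def is_allowed_source(src, prefixes=ISP_PREFIXES):
    """True if the source address lies inside one of the ISP's allocated prefixes."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False  # unparsable source address: treat as spoofed and drop
    return any(addr in net for net in prefixes)

def filter_egress(packets, prefixes=ISP_PREFIXES):
    """Split packets into those forwarded and those dropped by the edge rule."""
    forwarded, dropped = [], []
    for pkt in packets:
        (forwarded if is_allowed_source(pkt["src"], prefixes) else dropped).append(pkt)
    return forwarded, dropped

def spoofed_sources(dropped):
    """Distinct forged source addresses among dropped packets (the would-be victims)."""
    return sorted({pkt["src"] for pkt in dropped})

if __name__ == "__main__":
    fwd, drop = filter_egress(SAMPLE_PACKETS)
    print(f"forwarded={len(fwd)} dropped={len(drop)} forged sources={spoofed_sources(drop)}")
```

Only the two packets with genuine customer sources are forwarded; the repeated forged victim address in the dropped set is exactly the signal an ISP would log to spot a flood being launched from its own customers.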