DDoS Detection Devices 107
Bistromat writes "The Boston Globe is reporting today that Arbor Networks is marketing a solution to the DDoS attacks that are in vogue with script kiddies today. Their solution is to place filters ("probes") at "peering points" (the points where major ISPs interconnect) to sample and fingerprint traffic so a major DDoS is readily detected and filtered out before the volume becomes unmanageable. " It's interesting to me that the anti-authority script kiddies are going to eventually be the reason and the justification for the authorities monitoring everything we do online. 31337 d00d!
/. ed (Score:1)
Irony.
Re:What? (Score:1)
"...are going to eventually be the reason and the justification..."
It doesn't matter what's *really* going on, all the government needs is an excuse.
t_t_b
--
I think not; therefore I ain't®
You are already being monitored (Score:1)
This isn't a case of authorities getting ready to monitor everything. They already do -- at least they do at my workplace. They track all flows going to and from your box, they can sniff your traffic, blah blah blah. All the more reason to use cryptographic tools when transmitting potentially sensitive information (unless you don't mind them reading that stuff)....If the 31337 script kiddies are the reason for this, mission accomplished.
Privacy? What's that? SIGH ....
Re:Limit, but not eliminate, DDoS (Score:1)
Re:31337 F3d d00dz (Score:1)
That said, what's really so bad about ALL CAPS POSTS or ASCII penis birds or first posters?
Re:31337 d00d (Score:1)
Re:31337 d00d (Score:1)
Getting DOSed right now (Score:1)
Its important to challenge authority (Score:1)
Come on, CmdrTaco, get a grip, do you really think that if nobody challenged authority then authority would be "nicer"?
If authority does choose to cripple the net then they are no better than the "31337 d00ds" you look down on.
"Better to die on your feet than to live on your knees" - Midnight Oil
And no, I'm not "one of them"
Re:Limit, but not eliminate, DDoS (Score:1)
Oddly enough, this is one of the things that the DMCA does. Except it can only be used against Linux and not Windows because Linux is downloaded while Windows comes with a CD and thus has a shrink-wrapped license.
And of course it ignores the fact that most security problems are due to careless administration, not because of the vendor. Admins don't keep up to date with security patches. In the case of DDoS the maintainers are often regular PC owners who don't update their software. I know so many people that use old insecure versions of Netscape it's not even funny.
<offtopic>
This is why Microsoft should adopt
deb-src ftp://windows.netscape.com unstable
to their sources.list file and update their files once a week. This would make computers much more secure over all.
Or maybe Microsoft service packs already have a lot of the same functionality and I'm just not aware of it.
</offtopic>
The Slashdot affect by another name? (Score:1)
Flash crowds occur when a large number of users try to access the same server simultaneously, overwhelming the available resources. In addition to the overload at the server itself, the traffic from such flash crowds can overload the network links and thereby interfere with other, unrelated users on the Internet. For example, degraded Internet performance was experienced during a Victoria's Secret webcast and during the NASA Pathfinder mission.
So, how are the slashdot crowd any different than a bunch of script kiddies? (btw, for those with no sense of humor, that was supposed to be funny)
Going on means going far
Going far means returning
you can try the best you can (Score:1)
cat+mouse;cat+mouse; with each caught mouse the cat gets slower but the mice stay lean and quick and building smarter, faster mice.
they can't win.
also, this kind of monitoring can't invade your privacy if you're using strong encryption. take that, DMCA!
Re:I Still Don't Get It (Score:1)
Our approach is to detect attacks from various points in the network, correlate and trace them back to points closest to the source, and then take corrective measures there -- not downstream at the victim, which is indeed only an exercise in futility.
Perhaps the best analogy is to having stop lights at on-ramps to prevent highway congestion -- distributed detection at the edges, and filtering at the ingress points closest to the source.
Points of failure (Score:1)
Closing your mouth with a firehose at your face (Score:1)
Our approach is to detect attacks from various points in the network, correlate and trace them back to points closest to the source, and then take corrective measures there -- not downstream at the victim, which is indeed only an exercise in futility.
Perhaps the best analogy is to having stop lights at on-ramps to prevent highway congestion -- distributed detection at the edges, and filtering at the ingress points closest to the source.
Re:Internap? (Score:1)
Yes and no. I used to work for a company called Conxion [conxion.net] that specializes in managed hosting.
They get around the DDOS issue with a "brute force" solution: having more bandwidth than their peers. What this means is that their peers would be saturated before the DDOS even hit Conxion's network.
They solved the "peer down" problem by peering with multiple high-bandwidth providers.
The interesting thing to note here is that DDOS is essentially itself a brute force procedure. Protecting against it is trivial, if you have more brute force than the attacker.
Re:Why is this any different than IDS Systems (Score:1)
Big Brother Is Watching You (Score:1)
Now what is this about some kind of attacks? :-)
Re:This does not get past the fundamental problem. (Score:1)
Oh ya... BTW (Score:1)
Re:You are already being monitored (Score:1)
screw off. Whose computer do you think you're using. You workplace's. Don't dick around with your stupid flash movies of goatsx crap and you'll be fine.
---
Re:Why is this any different than IDS Systems (Score:1)
Basically that software aims at detecting someone breaking into a system. Usually with a DoS you just paralyze your target, but don't break into it. It's true though that DDoS attacks usually are made using compromised boxes.
The problem here is that filtering packets on a much higher level allows for monitoring of all kinds of traffic. There is a big difference between monitoring your computer for intrusion (IDS) and monitoring entire networks for malicious attacks (like what is proposed here).
Re:Why is this any different than IDS Systems (Score:1)
But still, I think what you are doing is localised to your network, but what is proposed here is to scan a much larger portion of internet. But still it's true that I can't see what is it that they could do that they can't already...
Its Hype, and its Stupid (Score:1)
Re:Isnt this overkill? (Score:1)
Re:What? (Score:1)
Well, a few important people care. The first of which being the companies themselves. The next day, the company reports an earning loss because of the downtime, which halted all incoming orders and pageviews (which gets them revenue from banners). Now this earnings loss could make the stock holders very upset, even if the stock only loses a point or two, when you have millions of shares in that company, you just lost millions of dollars so some pubescent kid in Bumblefuck, Utah could prove his 1337-ness.
Regardless of the stock price fluctuation, the story still gets on the news. Remember when eBay was taken down for a day or so? It was all over the news for the first few days after the fact, and then when they stopped running that story, they started to do those stupid "investigative reports" into how easy it is, and that "something should be done" to stop it. When Joe Sixpack sees how easy it is for someone to gain control of his Windows box, then Mr. Sixpack is going to then form the opinion that litigation is the way to solve the problem (although it may be suggested in the "report" a few times). This seems to be the biggest problem. The public can be swayed easily when they see how many holes there are in the systems they use every day.
Script-kiddies should also learn to run with scissors, point up and filed 'til it's razor sharp, across a minefield.
--
This does not get past the fundamental problem. (Score:1)
Meanwhile, Someone goes to the SAR (Smurf Amplifier Registry www.powertech.no/smurf [powertech.no]) and chooses the top 10 stupid networks (conveniently located on the front page no less) and launches a huge distributed smurf attack on my isp. No worries though we just spent several million dollars on this equipment that will protect us right?
Wrong. None of the traffic reaches my internal network, BUT my connections to the internet are flooded with icmp echo replies. Yes they are being blocked but so much smurf traffic is coming through, my normal traffic can't get in or out either. Creating a
Now whose head is going to roll? The company that made the product or the guy that recommended we buy the product?
Their hearts are in the right place, but they aren't seeing the big picture. imo anyways.
Isnt this overkill? (Score:1)
all I can say is . . . (Score:1)
Hackers of the world unite, instead of installing DDoS proggies, set up seti@home on those boxes.
Or imagine the google beowulf happily running distributed.net
Yay!
It's also about time for this stuff, although I last heard that this was being incorporated into large switches / hubs.
Besides, ddos slows down my napster transfers
shouts to the world!
I have a shotgun, a shovel and 30 acres behind the barn.
Re:Limit, but not eliminate, DDoS (Score:1)
Forget about IP, do you understand anything about networking? First please define what it means to be behind a router, and then explain how a router knows what is behind it.
While in your case you may have a single router connecting you to the Internet through a single provider and one subnet for your whole LAN, this is usually not the case in any large organization. A large network will usually have multiple connections to the Internet as well as private WAN connections with other networks and possibly Internet connections of their own. While a very diligent designer working from the ground up with free rein to filter at any arbitrary point should be able to contain legal traffic to specific areas, this is rarely feasible in the real world.
If you are a large ISP with multiple backbone connections it is even harder to do *any* sort of filtering because there is a wide range of legal traffic that can traverse your network.
PS If you are a smurf amplifier it is because of a misconfiguration on your side, not your ISP.
Re:Limit, but not eliminate, DDoS (Score:1)
No that isn't always true. First of all, the terms "inbound" and "outbound" are completely arbitrary and have no meaning to the router. In your case you have one subnet on the Ethernet side of your router that you own; you refer to this as inside. The router, however, has no way of "knowing" this. You certainly can put an access list incoming on your Ethernet interface to only allow traffic from a certain range, and this will prevent devices on your network from sending spoofed packets, but how could you implement this within the router's code? The router doesn't and shouldn't know of all the networks it gets packets from, it only has to know where to send the packets it receives. This becomes more significant the larger the network becomes.
If your router behaved in the way you are suggesting it would only allow "incoming" packets from the subnet directly connected to the WAN interface, because the router doesn't know about the millions of networks on the other side of your ISP's router. Even if you allowed traffic from the other side of that router there are millions of routers on the other side of your ISP. Not all of these routers can exchange dynamic routing protocols, so at some point you MUST use default routes or drop all packets to or from non-connected networks. How is that in any way useful?
Re:Limit, but not eliminate, DDoS (Score:1)
I am not, nor was I ever a smurf amplifier, but that does not stop attempts to do so from saturating my link.
I'll give you the benefit of the doubt, but I'm not convinced you'd know if you were.
Justifying government (Score:1)
We're going to lose more freedom by either game, but the style of loss, the trade-offs differ, and we might consider which we prefer. Just keep in mind that if we ease the official paranoia about hacker terrorists, our government will tilt back towards the model of assured mutual destruction as its legitimating excuse.
Paranoid? (Score:1)
And they'll also... (Score:1)
It's comparable to Napster in a way. So many individuals think they're so clever to find means of dodging around the system without realizing that the harder they make it for Napster to filter their files, the more likely it'll be shut down when the final verdict is read.
Anyway, it's not so uncommon a situation. Aren't those who abuse their freedom most often those who force the restriction thereof, not only for them, but for everyone else? While part of me hopes that this system of DDoS tracking doesn't take off for the obvious privacy reasons, another part of me hopes that it will, so that script kiddies can be taught that society as a whole doesn't stand for such abuse of freedom.
detectors = "hey kiddiez, look at me!" (Score:1)
There are many services out there that claim to solve one problem, but in essence they are creating problems elsewhere. DDoS being the elsewhere.
Why this won't work (Score:1)
Re:31337 d00d (Score:1)
Re:Limit, but not eliminate, DDoS (Score:1)
As I stated, this filtering would happen at a very low level, where routing is rarely complicated, but at this point I see no point in trying to reason with you.
(end comment) */ }
Re:Limit, but not eliminate, DDoS (Score:1)
cisco675>sh route
[TARGET] [MASK] [GATEWAY] [M] [TYPE] [IF] [AGE]
0.0.0.0 0.0.0.0 0.0.0.0 1 SA WAN0-0 0
12.34.56.0 255.255.255.0 0.0.0.0 1 LA ETH0 0
1.2.3.0 255.255.255.0 0.0.0.0 1 A WAN0-0 0
1.2.3.4 255.255.255.255 0.0.0.0 1 AH WAN0-0 0
I think it's pretty clear that the router understands which IP's are on the LAN, and which ones aren't. The type of prevention I am talking about would happen at the first hop, which IME is rarely complicated. As usual, problems are better resolved within the home.
I am not, nor was I ever a smurf amplifier, but that does not stop attempts to do so from saturating my link.
(end comment) */ }
go all the way! (Score:1)
there's my 1/2 cent
Why is this any different than IDS Systems (Score:1)
Re:Why is this any different than IDS Systems (Score:1)
Shit like this (Score:1)
How much fun can rendering a service inoperable be? I mean would these kiddies like it if you did it to them? OR would they be all pissy?
~AdmrlNxn
Whistler is to Zeus as Linux is to Hercules
Re:31337 d00d (Score:1)
Valium is good... some of the antipsychotics/antischizophrenics may work better as they work by slowing brain activity.
Re:Is it script kiddies?NOT (Score:1)
Re:Shit like this (Score:1)
Sounds like carnivore, (Score:1)
Re:Internap? (Score:1)
Actually, it's kinda funny that he should use the phrase "faster than a DDoS attacker can shift gears." The whole point about it being a DDoS is that it's not just one guy, it's a guy with an army of machines working at computer and network speed to flood your connection. As long as the target address doesn't change, it keeps firing packets that way.
Don't ever trust a salesperson for technical info...
It's a catch 22 (Score:1)
What is the difference (Score:1)
Re:Limit, but not eliminate, DDoS (Score:1)
Re:Isnt this overkill? (Score:1)
If that didn't make any sense, I mean: If every ISP would configure their routers to block outgoing packets that didn't originate from their IP block, and block all packets that are going to non-routable IPs. Wouldn't this solve most of the problems?
ps. Ignore all the spelling mistakes, please.
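The first-hop filter argued over in the last few replies (the posted cisco675 route table, and the "block outgoing packets that didn't originate from their IP block" suggestion just above), as an added example that is not part of any post on this page and not Arbor's or a router vendor's code. It models strict unicast reverse-path forwarding plus a bogon check against a routing table constructed to mirror the posted one; the interface names, the bogon list and the sample packets are assumptions made for illustration.

```python
"""Strict unicast reverse-path forwarding (uRPF) with a bogon check, as a model
of the first-hop anti-spoofing filter discussed in the thread. Added example,
not Arbor's or any router vendor's code. The routing table is constructed to
mirror the posted one (LAN 12.34.56.0/24 on ETH0, default route out WAN0-0);
the packets at the bottom are constructed test input."""
import ipaddress

# Constructed routing table: (prefix, next-hop interface), as on the posted Cisco 675.
ROUTES = [
    (ipaddress.ip_network("0.0.0.0/0"), "WAN0-0"),      # default route to the ISP
    (ipaddress.ip_network("12.34.56.0/24"), "ETH0"),    # the customer's own LAN
    (ipaddress.ip_network("1.2.3.0/24"), "WAN0-0"),
    (ipaddress.ip_network("1.2.3.4/32"), "WAN0-0"),
]

# Address space that must never appear on the Internet side as source or
# destination: RFC 1918, loopback, link-local, "this network" (assumed list).
BOGONS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/8",
)]


def best_route(addr, routes=ROUTES):
    """Longest-prefix match: the interface the router would use to reach addr."""
    ip = ipaddress.ip_address(addr)
    matches = [(net, iface) for net, iface in routes if ip in net]
    _, iface = max(matches, key=lambda m: m[0].prefixlen)
    return iface


def is_bogon(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in BOGONS)


def verdict(src, dst, ingress, routes=ROUTES):
    """Decide whether a packet arriving on `ingress` may be forwarded.

    Strict uRPF: accept only if the route back to the source points at the
    interface the packet came in on. On ETH0 that reduces to "only our own
    prefix may leave" (the BCP 38 egress filter); on WAN0-0 it rejects packets
    claiming to come from the LAN and accepts everything else, because the
    default route covers it. That asymmetry is why this check belongs at the
    single-homed edge and not at a multi-homed core router."""
    if is_bogon(src) or is_bogon(dst):
        return "drop", "bogon"
    if best_route(src, routes) != ingress:
        return "drop", "spoofed-source"
    return "accept", "ok"


def filter_packets(packets, routes=ROUTES):
    """Apply verdict() to (src, dst, ingress) tuples; return accepted packets
    and a count of drops by reason."""
    accepted, drops = [], {}
    for src, dst, ingress in packets:
        action, reason = verdict(src, dst, ingress, routes)
        if action == "accept":
            accepted.append((src, dst, ingress))
        else:
            drops[reason] = drops.get(reason, 0) + 1
    return accepted, drops


# Constructed sample traffic: a legitimate LAN packet, a spoofed flood source
# leaving the LAN, an Internet packet claiming a LAN source, a normal inbound
# packet, and an RFC 1918 source arriving from the Internet.
SAMPLE = [
    ("12.34.56.7", "1.2.3.4", "ETH0"),
    ("5.6.7.8", "1.2.3.4", "ETH0"),
    ("12.34.56.7", "12.34.56.9", "WAN0-0"),
    ("1.2.3.4", "12.34.56.9", "WAN0-0"),
    ("10.0.0.5", "12.34.56.9", "WAN0-0"),
]

if __name__ == "__main__":
    ok, dropped = filter_packets(SAMPLE)
    print(f"{len(ok)} accepted, dropped: {dropped}")
```

Note what this does and does not buy: the spoofed echo requests that start a smurf attack are dropped on the way out of any network that filters like this, but the echo replies that flood the victim's link carry genuine source addresses and pass the victim-side check untouched, which is the point of the "firehose" complaint above.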
Re:Justifying government (Score:1)
So the more DDoS attacks there are the more peaceful it will be. I suppose it works. The internet sure would be quiet.
Re:31337 d00d (Score:1)
try doping the water with ritalin...
Re:If everyone filters their outgoing pipes... (Score:1)
First, rdl said, "The reason most ISPs don't filter their outgoing traffic is that most cisco routers will end up with 100% cpu utilization to do basic filtering on any decent sized pipe."
Then, he followed up with, "Juniper, among others, make routers which can do filtering on the interface cards themselves..."
Does anyone else see the inherent conflict in those two statements? Gee, let's take the low-end Cisco products, which use interface cards about as sophisticated as the NIC in your PC, and compare them with Juniper's top-of-the-line products.
Cisco products like the 7500 and the 12000 also do filtering (based on ACLs) directly on the line cards. A friend who does testing on the GSR line says that they can indeed maintain linerate on an OC192, and without getting packets out of sequence like the Juniper machines do.
Let's compare apples and apples here.
Re:Not very useful (Score:2)
The following contains pointers to some of the current work being done to help combat and detect the current forms of DDOS as seen today. In an open and non "patent-pending" manner, too. :)
http://www.aciri.org/pushback/ [aciri.org]
-----------------------------------------------
Re:OC-48 ACL possible (Score:2)
Yes, equipment like Juniper is capable of doing linerate filtering and packet inspection ( headers though, not payload! ). Juniper equipment *is* deployed by major networks, but it's not everywhere. Cisco, which is still a very large portion of the routing equipment deployed, has *ahem* issues at linerate filtering.
Attempting to deal with DDOS through ACLs is at best a very temporary patch more akin to the little Dutch boy trying to stick his fingers in the leaking dike. There needs to be support for ICMP traceback ( to allow you to quickly determine the source of an attack ) so that perpetrators can be tracked and prosecuted. There needs to be support for 'pushback' which recursively moves the filtering upstream until it reaches the source. Until this is done, ACLs or not, there is no easy way to combat DDOS.
Pretty scary, ain't it?
- ------------
-----------------------------------------------
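The 'pushback' the post above calls for, and the "filter at the ingress points closest to the source" approach described earlier in the thread, as an added example that is not from any post here, from Arbor, or from the ACIRI pushback code linked above: a toy of recursive rate-limit propagation in Python. The topology, the 10 Mbit/s victim link and the traffic figures are constructed for illustration.

```python
"""Recursive pushback toward the sources of a DDoS aggregate. Added example,
not Arbor's, ACIRI's or any vendor's code; topology, link rate and traffic
figures are constructed."""

# Constructed topology: each router -> its upstream neighbours. Routers with no
# upstreams are the entry (source-edge) routers where the traffic enters.
UPSTREAMS = {
    "victim-edge": ["core-A", "core-B"],
    "core-A": ["edge-1", "edge-2"],
    "core-B": ["edge-3"],
    "edge-1": [], "edge-2": [], "edge-3": [],
}
# Constructed offered load toward the victim, Mbit/s, by entry router.
# edge-2 carries only legitimate users; edge-1 and edge-3 carry the flood.
FLOWS = {"edge-1": 60.0, "edge-2": 5.0, "edge-3": 35.0}
VICTIM_LINK = 10.0   # Mbit/s: the victim's access link that the flood exceeds


def aggregate_through(router, upstreams=UPSTREAMS, flows=FLOWS):
    """Rate toward the victim carried by `router`: everything entering at or above it."""
    ups = upstreams[router]
    if not ups:
        return flows.get(router, 0.0)
    return sum(aggregate_through(u, upstreams, flows) for u in ups)


def max_min_share(demands, limit):
    """Max-min fair split of `limit` among upstream demands: small demands are
    served in full, the remainder is divided equally among the large ones."""
    remaining, shares = limit, {}
    for name, demand in sorted(demands.items(), key=lambda kv: kv[1]):
        share = min(demand, remaining / (len(demands) - len(shares)))
        shares[name] = share
        remaining -= share
    return shares


def pushback(router, limit, upstreams=UPSTREAMS, flows=FLOWS, installed=None):
    """`router` may forward at most `limit` toward the victim. Upstreams whose
    demand already fits their fair share are left alone; the others are told
    their share and recurse, so the rate limit walks toward the entry routers
    and becomes a filter there, returned as {entry_router: allowed_rate}."""
    if installed is None:
        installed = {}
    ups = upstreams[router]
    if not ups:                                     # entry router: install the filter
        installed[router] = min(limit, flows.get(router, 0.0))
        return installed
    demands = {u: aggregate_through(u, upstreams, flows) for u in ups}
    for u, share in max_min_share(demands, limit).items():
        if demands[u] > share:
            pushback(u, share, upstreams, flows, installed)
    return installed


def compare(upstreams=UPSTREAMS, flows=FLOWS, link=VICTIM_LINK):
    """Load offered to the victim link with victim-side filtering only (every
    packet still crosses the link before being dropped) versus after pushback."""
    before = aggregate_through("victim-edge", upstreams, flows)
    installed = pushback("victim-edge", link, upstreams, flows)
    after = sum(installed.values())
    return before, after, installed


if __name__ == "__main__":
    before, after, installed = compare()
    print(f"offered to the {VICTIM_LINK} Mbit/s link: {before} -> {after} Mbit/s after pushback")
    print("filters installed at entry routers:", installed)
```

Two things the toy makes visible: the legitimate users behind edge-2 are cut from 5 to 2.5 Mbit/s, because an aggregate defined only by destination cannot tell them from the flood, and the recursion assumes every router on the path speaks the protocol, which is the deployment problem the post is pointing at.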
This'll work good: (Score:2)
Fine. One *more* link in the chain.
Let's hope that Arbor's isn't a weak link:
Crack that, and do your blocking right from within the detection system.
What was that?
"Any code written by man, can be broken by man."
Let's hope Arbor is armoring their stuff real well...
t_t_b
--
I think not; therefore I ain't®
Re:Limit, but not eliminate, DDoS (Score:2)
This is all assuming your net follows basic best practice and thus the most effective DoS/DDoS is to do resource-consumption, not to send 50 multicast packets to your cisco's management interface or something like that...
I think the problem should be split into parts:
1) Pre-emptive moves to eliminate DoS/DDoS in general -- kill fucking smurf amplifiers dead, eliminate spoofing especially on smaller, less-actively-monitored, static networks, etc.
2) Increased safety margin for applications -- use technologies such as distributed dynamic cache, load-balanced servers, oversized links and oversized servers, etc., to deal with both malicious attacks and normal surge load. This gives you a LOT more leisure time in dealing with big attacks, and makes smaller attacks less of a problem.
3) Intelligence, either from specialized anti-DDoS tools like arbor, or from general network administration tools, a 24x7 NOC, mrtg/rrd, talking with other AS admins on irc, etc.
4) Simple response tools -- having OOB management on routers (you wouldn't believe how many people don't, and if you're being DoS'd, you can't connect over the net under attack), a knowledge of what pieces depend on what, etc. Being able to down interfaces, apply filters, etc. quickly is important. At the present time, I don't think anyone could develop a tool which does this 100% automated, but certainly tools can amplify the power of a small number of good network administrators.
5) Research -- learn from the attacks, improve. I think this is where tools could be quite valuable, by gathering statistics on attacks and presenting them to people when under attack.
If I were trying to build a network resistant to DDoS/DoS, my number one priority would be pushing the safety margin up as high as possible, oversizing links and building border routers capable of taking and filtering most attacks when directed to do so; only after that is in place is it worth worrying about better ways to detect, analyze, etc. attacks. It's pretty obvious that you're being hit and what's going on once it actually happens.
Re:Limit, but not eliminate, DDoS (Score:2)
What would your "real fix" do to Linux? It would legislate the old argument of "who can we sue if something goes wrong?" and make it illegal to create or distribute an operating system without someone to blame.
Another illustration of overzealous anti Microsoft fervor setting up a backlash on us. Don't take RIAA's stance - the UCITA is beginning to backfire on them. Just be calm, cool and reasonable. We have absolutely nothing to worry about, and here's why.
We live in a free-market economy - all of Microsoft's billions (trillions?) can't compete with a bunch of volunteers giving stuff away. It will stabilize into the hardcore hackers doing what they enjoy (kernel / systems level stuff) and Microsoft and Apple will eventually wind up selling to their real market: non-computer experts. (Well, actually, Apple already does).
So Linux *is* a good thing, and may dominate the world. Microsoft's rise to the top drove the price of hardware down and amount of expertise (learning curve) wound up being less (shorter).
Now Linux will drive the price of software down and force Microsoft to make computers truly easy to use. Computer experts won't need anything from Microsoft or Apple, but my grandma always will.
Pre-Linux Microsoft User Manual: To accomplish your task, insert the CD, click OK, type your name and organization, click Next five times, select this, select that, click Next, enter your CD Key, click Next ten more times, then click OK to reboot.
Post-Linux Microsoft User Manual: Get your computer's attention by saying its name. Say "Download and Install winzip voice plus".
Um, is this really surprising Rob? (Score:2)
This is a common theme throughout society. It is the gun enthusiasts who are the reason that the authorities use for demanding more gun control. It is the anti-abortion protestors that the authorities used to push through the FACE act. It is the people who demand campaign finance reform the loudest who break the existing laws most flagrantly. It was the ACLU, for defending people on first amendment grounds, that caused someone in congress to propose an anti "flag burning amendment" to the US constitution.
Do something in public that is unpopular with the right people, regardless of legality, and you will soon find that activity restricted.
LK
Re:What? (Score:2)
A week doesn't go by that some well connected 3l33t 5h1th3ad doesn't decide to send 100Mbps of crap at some residence hall computer and soak up all of our bandwidth. Why? Who knows. Maybe they're trying to take over some lame IRC channel. Maybe they are tired of getting fragged in Q3. I don't know, and I don't care. The reality is that we have to deal with the problem. When it happens, in some cases for us it takes literally 10's of thousands of students off of the network.
As much as I think the Internet should be open to all, without strict filters checking every packet you source, that reality is going to quickly go away because of this type of behavior. Real crackers and criminals have little to no impact on the operation of the network. However, the DoS kiddies do have a real impact on our ability to keep the network running smoothly and reliably. The problem has to be dealt with, and the solutions are not pretty. Imagine strict filters which control how much traffic you can send and how many outbound connections you can initiate. Imagine those filters applied to every dorm connection, @home connection, and DSL connection. Imagine having to pay big bucks if you want a "server" class connection. These restrictions and more are coming to a broadband connection near you unless the 'l33t shitheads get the message and start behaving like adults. It won't take a law to make it happen. The network engineers aren't going to have any choice if the problem keeps growing.
Re:31337 F3d d00dz (Score:2)
Remember, the primary purpose of any living thing is to survive, and governments / corporations / bureaucracies are living things. At least in that sense.
Caution: Now approaching the (technological) singularity.
I Still Don't Get It (Score:2)
But isn't the point of a DDoS to flood the ISP connection? So isn't this just a quick way to acknowledge that you are screwed - because even though you are dropping packets like crazy, they keep coming in and you waste bandwidth just to drop them. I am curious if this isn't going to have a fairly minimal impact, because the problem isn't the content of the packets, but the fact that they are coming.
Won't this just move the chokepoint higher up the ladder, making the bottleneck be the DDoS detectors ability to handle/drop those packets instead of your servers? So now your servers are up, but no one can get to them anyway.
Maybe someone who understands this better can explain.
What if the script-kiddies have free time? (Score:2)
So what do these "statistical algorithms" say about large articles on major websites (say the frontpage article of the New York Times, a press release by IBM, etc.), or sites where traffic builds quickly due to word of mouth (sort of like a slashdotting)?
My point is simple: What if script kiddies just take their time? Don't start with a DDoS attack, slowly start pinging servers, or whatever it is that they do, and build up, over time, to a heavy DDoS attack. How would these "statistical algorithms" differentiate this from a bonafide [sic] interest in the site?
---
OC-48 ACL possible (Score:2)
Some of the new Network Processors are absolutely astounding in terms of what they can accomplish. Take for example the Agere [agere.com] network processor. It has no problems doing ACL at OC-48. Or the Sibyte [sibyte.com] network processor, with dual 1GHz MIPS cores running Linux, which should be more than fast enough to handle OC-12.
data longevity (Score:2)
-------
CAIMLAS
Re:Why is this any different than IDS Systems (Score:2)
The overwhelming majority of network intrusion detection solutions cannot make these claims. They are misuse-detectors --- IDS parlance for systems that do deep analysis of traffic looking for known signatures of misuse. The techniques for detecting these signatures are in fact more intrusive than those for detecting keywords in mail messages. Some IDS tools go so far as to ADVERTISE their utility for monitoring employees and copying email.
The fact that misuse-detectors don't even work (against savvy attackers) doesn't improve the situation (Tim Newsham and I wrote a well-known paper on this, you can find it at Vern Paxson's mirror [aciri.org]). The only interesting work in intrusion detection and response is being done at the backbone level, in macro-analysis, using statistical profiling and anomaly detection.
Arbor Networks appears to be leading the pack on the analysis end. There are other interesting companies in this space too --- Asta Networks (tech lead by the inimitable Stefan Savage) appears to be doing direct traceback, and Mazu Networks (the Click Router group from PDOS@MIT, more insanely smart people) appear to be doing edge-based detection and filtering.
Traceback, backbone traffic analysis, and edge-based IP-level traffic/misuse detection are going to be the deployed solution for this problem. Get used to it. Network admins have had many of these capabilities for ages --- these startups are just focussing and optimizing them. You should be more afraid of ISPs deploying RealSecure or NetRanger (privacy-violating point-product misuse systems) than about them guarding their networks with traffic analysis information they could get from their routers already.
PS: Note to Linux geeks --- many of these companies, particularly Mazu, are doing large-scale in-kernel traffic monitoring. They are publishing their code (and some of it, like the Click router, is amazing) and making a HUGE PR contribution to the usefulness of the operating system.
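What a rate-based "statistical algorithm" does with a sudden flood versus an attack that ramps up slowly (the question raised a few posts up), and the anomaly-detection style this post contrasts with signature IDS, as an added example that is not from any post here and not Arbor's, Asta's or Mazu's code. It is a per-destination monitor with an adaptive baseline and a fixed link-capacity test; the window size, thresholds and the two traffic traces are constructed.

```python
"""Per-destination packet-rate monitor: EWMA baseline with a k-sigma test
(relative) plus a link-capacity test (absolute). Added example, not any
vendor's code; all figures are constructed."""
import math


class RateMonitor:
    """Feed one packet rate per sampling window; get back the alerts it raised."""

    def __init__(self, capacity_pps, alpha=0.3, k=3.0, floor=0.1):
        self.capacity = capacity_pps  # absolute test: what the link can carry
        self.alpha = alpha            # EWMA weight of the newest window
        self.k = k                    # relative test: k std devs above baseline
        self.floor = floor            # minimum std dev as a fraction of the mean,
                                      # so a flat baseline does not alert on noise
        self.mean = None
        self.var = 0.0

    def observe(self, pps):
        alerts = []
        if self.mean is None:
            self.mean = pps           # first window seeds the baseline
        else:
            dev = pps - self.mean
            std = max(math.sqrt(self.var), self.floor * self.mean)
            if dev > self.k * std:
                alerts.append("anomaly")
            else:
                # Learn only from windows judged normal, so a detected flood is
                # not absorbed into the baseline. A slow ramp is judged normal
                # at every step and gets learned instead: the evasion asked about.
                self.var = self.alpha * dev * dev + (1 - self.alpha) * self.var
                self.mean = self.alpha * pps + (1 - self.alpha) * self.mean
        if pps > self.capacity:
            alerts.append("over-capacity")
        return alerts


def run(trace, capacity_pps):
    """Return {window_index: alerts} for every window that raised an alert."""
    mon = RateMonitor(capacity_pps)
    alerts = {}
    for i, pps in enumerate(trace):
        raised = mon.observe(pps)
        if raised:
            alerts[i] = raised
    return alerts


def first_alert(trace, capacity_pps, kind):
    """Index of the first window raising `kind`, or None if it never fires."""
    for i, alerts in run(trace, capacity_pps).items():
        if kind in alerts:
            return i
    return None


# Constructed traces, packets per second per sampling window.
BURST = [100.0] * 20 + [5000.0] * 5                 # flood switched on at window 20
RAMP = [100.0 * 1.05 ** t for t in range(100)]      # +5 % per window, 100 -> ~13,000 pps
LINK = 2000.0                                       # constructed link capacity, pps

if __name__ == "__main__":
    for name, trace in (("burst", BURST), ("ramp", RAMP)):
        print(name, "anomaly:", first_alert(trace, LINK, "anomaly"),
              "over-capacity:", first_alert(trace, LINK, "over-capacity"))
```

The anomaly test fires on the first flood window and keeps firing, because the baseline is frozen while alerting. The 5 % ramp never exceeds three standard deviations of a baseline that keeps learning it and is caught only by the absolute test, at window 62, when it passes the constructed 2000 pps link figure. A flash crowd looks the same to both tests; telling it from an attack needs the per-source and protocol statistics this block does not model.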
Q. Does IPv6 help against spoofing packets? (Score:2)
Why can't every computer connected to the internet, throttle packets? That way there is no single "choke point". I mean every minute, or 5 minutes do a "throttle check", if too many packets are trying to reach a destination point, then they just get auto-dropped. (It would be nice to check if the "source" is sending too many packets, but source headers can be forged.)
Doesn't IPv6 require a valid source location?
Is there any way to design a protocol to prevent DoS attacks?
Sorry for the newbie questions, but I'm a graphics guy, not a networking one
Re:What? (Score:2)
Why do you think the "Russian mafia crackers" tried to extort money from the companies they stole the information from? Why didn't they just go buy a bunch of stuff and sell it? That would be really hard to do, you can't go into a retail store and buy something with a card number. You'd have to order a bunch of stuff from web sites or over the phone and have it shipped somewhere. How the hell are you going to make a bunch of money from that? Seems to me like it would be a major PITA, not to mention dangerous.
Your other example of the Taleban trashing a home loans database is almost laughable. First, just what the hell is Fannie Mae doing with a database containing information like this that is accessible from an outside connection? This should never happen. If this were ever to actually happen common sense would dictate that the database server should be wiped, restored from backup and secured (as in not connecting it to the internet in any way). Another PITA but hardly a disaster.
The evil master hacker stealing millions of dollars in just a few minutes is a myth. Try watching less of The Lone Gunmen.
Re:What? (Score:2)
What? (Score:2)
Script-kiddies? The last time I looked the government was blaming software pirates, drug-dealers, and terrorists. Script kiddies will never be a huge reason for monitoring, because script kiddies can never do anything beyond hack servers sitting on the internet with their crappy scripts.
A DDoS by a team of script kiddies means nothing in the long run. Who cares if Yahoo! or ebay go down because a few idiots manage to get in? The real danger is the big hackers. The Russian mafia crackers who hold credit card databases hostage is just a beginning. Imagine if the Taleban found a group of good crackers in Afghanistan and sent them after a Fannie Mae's mortgage database, screwing up millions of American home loans?
Script kiddies DDoSing the last of the dotcoms is no matter. There are things people could do online to do far more damage. The probable recipients of said damages know this, and they are preparing.
Never mind the analysis (Score:2)
I can guarantee that you will never be able to put together an automated solution with such adaptability, reaction time & pattern recognition abilities. And society will have finally figured out how those video gamers can contribute something useful.
Point-blank IP spoof filtering (Score:2)
Having the "big" routers do this filtering would cause a huge performance hit; however this might be acceptable in the long run. Everyone would bitch and moan to start, but then we'd get used to it (and Cisco and others would find ways to improve throughput without sacrificing IP filtering).
What about having local routers do it? If you're (say) AOL, you certainly have thousands of small clusters routing to your central big-ass router cluster. Why not have the routers on the ends all do the work? Have we learned nothing from distributed computing, especially something so tailored to it?
I know there are economic concerns (we have to get ISPs to modify thousands of routers), but... come on, there's got to be a better solution than adding Big Brother into the mix.
<RANT>
Seriously, who are the deranged fucks who get presented with ideas like, "Hey, let's add Big Brother-like sniffing to all sorts of nodes on the Internet, bringing the potential for huge abuses!" and go, "Hot damn! THAT will make the world a better place for everyone!"??!?
</RANT>
Change your approach to the problem (Score:2)
This is such a common attitude: that bad people like script kiddies are fucking us over. "If only they'd stop!" Um, telling them to stop isn't going to make a difference. Let's look at the problem from another approach: secure in the knowledge that script kiddies exist in large numbers wherever teenagers and miscreants have computers, let's try and protect ourselves from them. If this product does something to ameliorate it without invading our privacy, awesome! If it does something to ameliorate the problem while invading our privacy, well, you should be using encryption anyway, because the only thing that's more certain than miscreants causing trouble is g-men and other authorities cracking down on everyone's rights to get their way.
You can't pretend either problem will go away if we just understood it a little better, if we only made the poor script kiddies feel more loved or held our protest signs a little higher for the g-men to see. Accept these things as constants, and work with the solutions that are offered.
--
Re:Isnt this overkill? (Score:2)
Internap? (Score:2)
What he said they do is, rather than lease their lines from one backbone provider like Sprint or Genuity/BBN, they lease from 12 major providers. His claim was to be able to shut a customer who was being attacked off from one backbone and re-route all traffic to and through another faster than a DDoS attacker could shift gears.
Anyone have any experience with this company? Was this cat just blowing his own horn?
What the fsck?! (Score:2)
Who cares where it was developed?! People generally shop for a new car, for example, because it's reliable, has a high resale value, and fits their budget -- NOT because it's a certain colour and their uncle is/was on the design team...
This technology may or may not be the best thing since sliced bread, but it seems Merit needs some priority straightening.
--
ISP (Score:2)
What if ISPs could also limit the amount of traffic directed at their specific customers depending on the customer's wishes and proportional to the customer's bandwidth?
Here is a scheme: ISP A detects heavy repetitive traffic coming from ISP B, ISP C and ISP D. ISP A asks ISPs B, C and D to eliminate or lower amounts of traffic from certain addresses to certain addresses. ISP B receives the traffic from ISPs E and F, and so it propagates the request to these ISPs (ISPs C and D do the same). The requests to limit amounts of traffic go down the tree to the ISP nodes that provide the attackers with bandwidth, and filter and limit the requests right at the attacks' Internet entry points.
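The tree-propagation scheme in the post above, modelled as an added example (not the poster's code): the victim's ISP asks each peer it received heavy traffic from to limit it, each peer forwards the request toward the ISP that actually connects the source, and that ISP installs the filter. ISP names, prefixes and flows are constructed; the volume threshold stands in for whatever detection the ISP uses.

```python
"""Toy model of the pushback scheme in the post above: the victim's ISP asks
the peers it received attack traffic from to limit it, each peer forwards the
request towards the ISP that connects the sources, and that ISP installs the
filter at the attack's entry point. ISP names, prefixes and flows are constructed."""
from ipaddress import ip_address, ip_network

# Per ISP: the neighbour each prefix is learned from; None = own customer.
ROUTES = {
    "A": {"10.1.0.0/16": "B", "10.2.0.0/16": "C", "10.3.0.0/16": "D"},
    "B": {"10.1.0.0/17": "E", "10.1.128.0/17": "F"},
    "C": {"10.2.0.0/16": None},
    "D": {"10.3.0.0/16": None},
    "E": {"10.1.0.0/17": None},
    "F": {"10.1.128.0/17": None},
}

def next_hop(isp, src):
    """Longest-prefix match: which neighbour did traffic from src enter via?"""
    addr = ip_address(src)
    matches = [(ip_network(p), nh) for p, nh in ROUTES[isp].items()
               if addr in ip_network(p)]
    return max(matches, key=lambda m: m[0].prefixlen)[1] if matches else None

def push_back(isp, src, dst, limits, path=()):
    """Forward a 'limit src->dst' request upstream until the ISP that
    originates src is reached; it installs the filter. Returns the path."""
    path += (isp,)
    upstream = next_hop(isp, src)
    if upstream is None or upstream in path:   # entry point (or loop guard)
        limits.setdefault(isp, set()).add((src, dst))
        return path
    return push_back(upstream, src, dst, limits, path)

def detect_and_limit(victim_isp, flows, threshold):
    """flows: (src, dst, pkts_per_sec) as seen by the victim's ISP."""
    limits, paths = {}, {}
    for src, dst, pps in flows:
        if pps >= threshold:                   # crude volume trigger
            paths[src] = push_back(victim_isp, src, dst, limits)
    return limits, paths

FLOWS = [("10.1.5.9", "10.9.0.1", 50000), ("10.1.200.4", "10.9.0.1", 40000),
         ("10.3.7.7", "10.9.0.1", 60000), ("10.2.1.1", "10.9.0.1", 20)]

if __name__ == "__main__":
    limits, paths = detect_and_limit("A", FLOWS, threshold=1000)
    for isp, rules in sorted(limits.items()):
        print(isp, "filters", sorted(rules), "via", [paths[s] for s, _ in rules])
```

Note that the filter lands on E, F and D (the access ISPs), not on A, which is the whole point of the scheme; a spoofed source would instead be chased to whichever ISP announces the forged prefix.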
Re:Not very useful (Score:2)
DOS detection service. (Score:2)
--
Re:Why is this any different than IDS Systems (Score:2)
Is it script kiddies? (Score:2)
What you need to do, however, is employ a fun little technique called "Follow the Money." In the case of DDoS attacks, what you'd do is figure out who has the most to gain from this fear.
Sure there are a few of these attacks that can be attributed to the I-wonder-if-I-can-do-this factor, but now it's in the hands of the people who can really use it (and not get caught.)
Is it irony that DDoS attacks are increasing the government's power over the Internet, or do both cause and effect share the same owner?
(How's that for /.-induced paranoia?) :)
Re:Limit, but not eliminate, DDoS (Score:2)
Detection Systems at NAPs (Score:2)
What about slight modifications to DDoS attacks, whether it be in the signature, data encapsulation or size? How will the detection system know, and how could it detect it versus a large FTP transfer? What if I sent my DDoS to port 21 and made it look like simple FTP requests? Would it then throw up a quick packet filter for all FTP packets? Or would it automagically recognize all 39 DDoS slaves?
I gotta wonder about some of this stuff .. whether they are marketing a bandaid for a gunshot wound.
-Pat
Re:Limit, but not eliminate, DDoS (Score:2)
Now if this software was a Microsoft solution, how many people would spook out at it totally? Or imagine the magnitude of behind the scenes conspiracy?
Be careful what you ask for. You might get it.
Re:Not very useful (Score:2)
And this would help with the DoS packets with a faked source IP how? I mean, if a skiddy DoS's Guns-R-Us.com with a source address faked as AOL, couldn't this be just as effective to deny service to AOL customers wanting to visit Guns-R-Us as the original attack itself?
And gee, if the DoSer knows how to tell the source to limit traffic, why bother actually generating traceable traffic in the first place - not to mention that the crude attacks are all _D_DoS - The packets don't have a single source. Now if all ISPs made sure that spoofed packets couldn't leave or transit their networks, that would probably have more effect.
Liquor
Re:Limit, but not eliminate, DDoS (Score:2)
A router already understands what IP addresses are behind it. *By default*, why should it route traffic from IP's that don't exist on the LAN to the WAN? I am not a TCP/IP expert, but it seems to me that there are no legitimate applications for bounced packets.
(end comment) */ }
Mean people suck! (Score:2)
Nothing new there. I have locks on my doors, a bicycle in my living room and removable-face car stereo because of selfish, malicious idiots.
How many of the headaches that the rest of us have to live with come as a result of the antics of a bunch of jerks and lowlifes? That's why I don't understand the inclination to glamorize or defend crackers as "black/white/whatever-hats" or "hacktivists" or to insist that their activities are harmless, if not beneficial.
Unsettling MOTD at my ISP.
31337 F3d d00dz (Score:2)
Not so interesting, as typical. Because someone may threaten someone with email, email is bugged. Because someone may threaten to blow up Hope College, FBI has Carnivore. It's always been the troublemakers, whether with a socio-political cause or for selfish entertainment that freedoms are leeched.
One needs look no further than the /. lameness filter to see how others have to toe the line because of trolls.
--
Re:Limit, but not eliminate, DDoS (Score:2)
And where would that leave linux, *bsd, etc? Should Alan or Linus be sued for tcp bugs?
Re:Limit, but not eliminate, DDoS (Score:2)
Not necessarily. Let's say you sent a link to 100,000 of your closest friends. 1% check the link each minute for the next 100 minutes. That's 1000 hits/minute for 1 hour and 40 minutes duration. Not much for Yahoo, but a TON for dinky little me on a DSL line.
Also consider that the S in DoS is "service"--it doesn't have to eat up your bandwidth, it could eat something else. For instance, 10,000 fake orders would eat up service personnel time and don't have to be submitted simultaneously. 65,635 orders can also be placed at any time to overflow an INT in a poorly designed database.
--
If everyone filters their outgoing pipes... (Score:3)
If someone can spoof packets to make them appear not to come from a single AS, you have a much harder time.
The reason most ISPs don't filter their outgoing traffic is that most Cisco routers will end up with 100% CPU utilization doing basic filtering on any decent-sized pipe. No one is going to drop in a USD 100k GSR/12000 just to filter at line rate on a 100baseTX.
Juniper, among others, makes routers which can do filtering on the interface cards themselves, so doing line-rate filtering on 32 gig-e interfaces is actually possible. However, I think something like 95% of the core routers on the net are still Cisco, even though Juniper's sales figures are rapidly increasing, so it will be some time before this is fixed.
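The outgoing filtering that this post and the two "Not very useful" / "bounced packets" replies above ask for, as an added example (not any poster's code): an access router forwards a packet only if its source address falls within the prefixes assigned to the interface it arrived on, so forged-source DDoS traffic is dropped at the edge. Interface names, prefixes and packets are constructed.

```python
"""Source-address validation of the kind the posts above call for: an ISP
edge router only forwards a packet if its source belongs to the prefixes
assigned to the interface it arrived on, so spoofed DDoS packets never leave
the access network. Interface prefixes and packets are constructed examples."""
from collections import Counter
from ipaddress import ip_address, ip_network

# Prefixes legitimately assigned to each customer-facing interface.
# Caveat: a multihomed customer must have *all* its prefixes listed here.
INTERFACE_PREFIXES = {
    "eth1": ["198.51.100.0/24"],
    "eth2": ["203.0.113.0/25", "203.0.113.128/26"],
}

def build_filter(prefix_table):
    return {ifc: [ip_network(p) for p in prefixes]
            for ifc, prefixes in prefix_table.items()}

def allowed(filt, ifc, src):
    """True if src is within a prefix assigned to interface ifc."""
    addr = ip_address(src)
    return any(addr in net for net in filt.get(ifc, []))

def forward(filt, packets):
    """packets: iterable of (ingress_ifc, src, dst). Returns the packets that
    pass, plus a per-interface count of dropped (spoofed) packets so an
    operator can see which customer port is emitting forged sources."""
    passed, dropped = [], Counter()
    for ifc, src, dst in packets:
        if allowed(filt, ifc, src):
            passed.append((ifc, src, dst))
        else:
            dropped[ifc] += 1
    return passed, dropped

PACKETS = [  # constructed: two legitimate, three with forged sources
    ("eth1", "198.51.100.7", "192.0.2.10"),
    ("eth2", "203.0.113.130", "192.0.2.10"),
    ("eth1", "192.0.2.55", "192.0.2.10"),     # spoofed: source is the target's net
    ("eth1", "203.0.113.5", "192.0.2.10"),    # spoofed: another customer's prefix
    ("eth2", "203.0.113.200", "192.0.2.10"),  # outside eth2's assigned ranges
]

if __name__ == "__main__":
    filt = build_filter(INTERFACE_PREFIXES)
    ok, bad = forward(filt, PACKETS)
    print(len(ok), "forwarded;", dict(bad), "dropped per interface")
```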
Re:Limit, but not eliminate, DDoS (Score:3)
I've made this point before. There are two parts to the problem. First, fix all the holes that allow substantial server resource consumption from packets with forged source addresses. Second, improve host and network behavior under overload.
The real fix, of course, is to find operating system vendors liable for selling systems which allow attackers to use OS vulnerabilities to take over a system and use it to attack a third party. Note that disclaimers in EULAs don't matter in such cases, because the victim isn't the customer of the OS maker, but an unrelated third party. Someone needs to sue Microsoft for gross negligence over this, for selling mass-market operating systems with vulnerabilities years after the problem was identified.
31337 d00d (Score:3)
What makes you think they don't? (Score:3)
Ever hear of Echelon [echelonwatch.org]?
Not very useful (Score:4)
First of all, all of the major networks do not exchange traffic directly over the exchange points, but rather through dedicated peering circuits.
Second of all:
How do they differentiate a DDOS attack or a site being slashdotted ( or does that qualify as a DDOS? :P )
And finally:
So all it does is spit out a sample configuration that has to be actively applied to the routers in question? Even if you place an ACL on the receiving side (pretending that line-rate OC-12 CAR/ACLs are truly feasible), you have done nothing to mitigate any of the effects on the peer's network and the potentially full peering link between the two networks.
This assumes that the DDOS is going to be hitting the servers as well. In fact, several recent DDOS attacks have been not at servers ( since it is no longer usually a single server but many ) but at the infrastructure leading up to those servers.
I wish Arbor well in peddling their proprietary "patent-pending" technology, but don't expect to see this running on any major networks anytime soon.
Gotta love the script kiddies. (Score:4)
Of course, the big difference is, in real life, this kid wouldn't EVER try that again, nor would any other kids who ever heard about it.
It only takes one.
-Restil
Limit, but not eliminate, DDoS (Score:5)
You can limit DDoS attempts, and probably eliminate all the threats out there today, but a truly crafty attacker would make a DDoS which simply appears as extra traffic. Slashdot people have a lot of experience with this -- what's the difference between a slashdotting and a worm with "download this page" as the payload, widely distributed?
Another problem with a single, centralized company providing DDoS monitoring, notification, and realtime blackholing is that of course that company becomes a central point of attack. If you can simulate a DDoS attempt from company A to company B, you don't need to actually accomplish the DDoS, which may also shield you from legal liability and violation of AUPs.
"In the age-old battle of arms vs. armor, arms always triumph." I'm not saying Arbor Networks is not a valuable service, but I think it will be very difficult to provide any sort of lasting edge vs. a determined packet kiddie. ud.com among others are already using distributed load-testing, so it's easy to see how powerful a worm/virus with DDoS payload would be. I believe the Zapatista in Mexico did this as a form of protest/attack, and it was successful, in 1998 or 1999.