DDoS Detection Devices

Bistromat writes "The Boston Globe is reporting today that Arbor Networks is marketing a solution to the DDoS attacks that are in vogue with script kiddies today. Their solution is to place filters ("probes") at "peering points" (the points where major ISPs interconnect) to sample and fingerprint traffic so a major DDoS is readily detected and filtered out before the volume becomes unmanageable." It's interesting to me that the anti-authority script kiddies are going to eventually be the reason and the justification for the authorities monitoring everything we do online. 31337 d00d!
  • by Anonymous Coward
    I'm waiting for when the arbornetworks page is slashdotted.

    Irony.
  • You missed this:

    "...are going to eventually be the reason and the justification..."

    It doesn't matter what's *really* going on, all the government needs is an excuse.

    t_t_b
    --
    I think not; therefore I ain't®

  • This isn't a case of authorities getting ready to monitor everything. They already do -- at least they do at my workplace. They track all flows going to and from your box, they can sniff your traffic, blah blah blah. All the more reason to use cryptographic tools when transmitting potentially sensitive information (unless you don't mind them reading that stuff)....If the 31337 script kiddies are the reason for this, mission accomplished.

    Privacy? What's that? SIGH ....

  • Of course it's mainly the UNIX and Linux machines that are used in the serious DDoSes. Sure, there's the occasional Outlook worm, but the major damage is caused by the machines running OSes with superior network integration. Now, these machines also are generally running lots of programs from vendors other than the OS author / publisher (like that piece of trash BIND), but MS could also make a similar argument.
  • The lameness filter was put in place to counter crapflooders, not trolls.

    That said, what's really so bad about ALL CAPS POSTS or ASCII penis birds or first posters?
  • Well, the Jolt has to be bottled somewhere and you can't have sodie-pop without water.. On second thought, I think Valium was a bad choice. They need a big oral dose of lopressor, lower their blood pressure, but they'll be on the floor..
  • The solution to the "script kiddies" problem is, of course, strong sedatives in the city reservoir. 10mg Valium/8oz water.. there will be no problems.. ever.. of any kind
  • My company is experiencing a DOS right now, bet my network admin wishes he had this technology already.
  • "Its interesting to me that the anti-authority script kiddies are going to eventually be the reason and the justification for the authorities monitoring everything we do online. 31337 d00d!"

    Come on, CmdrTaco, get a grip, do you really think that if nobody challenged authority then authority would be "nicer".

    If authority does choose to cripple the net then they are no better than the "31337 d00d's" you look down on.

    "Better to die on your feet than to live on your knees" - Midnight Oil

    And no, I'm not "one of them"
  • >>The real fix, of course, is to find operating systems vendors liable for selling systems which allow attackers to use OS vulnerabilities to take over a system and use it to attack a third party.

    Oddly enough, this is one of the things that DMCA does. Except it can only be used against Linux and not Windows because Linux is downloaded while Windows comes with a CD and thus has a shrink wrapped license.

    And of course it ignores the fact that most security problems are due to careless administration not because of the vendor. Admins don't keep up to date with security patches. In the case of DDoS the maintainers are often regular PC owners who don't update their software. I know so many people that use old insecure versions of Netscape it's not even funny.

    <offtopic>
    This is why Microsoft should adopt .deb. Windows Update is good to an extent but it doesn't cover non-Microsoft software. With .deb Windows users could just add
    deb-src ftp://windows.netscape.com unstable
    to their sources.list file and update their files once a week. This would make computers much more secure over all.

    Or maybe Microsoft service packs already have a lot of the same functionality and I'm just not aware of it.
    </offtopic>
  • in this [att.com] interesting paper, they define an interesting thing, sounds a lot like the slashdot affect:
    Flash crowds occur when a large number of users try to access the same server simultaneously, overwhelming the available resources. In addition to the overload at the server itself, the traffic from such flash crowds can overload the network links and thereby interfere with other, unrelated users on the Internet. For example, degraded Internet performance was experienced during a Victoria's Secrets webcast and during the NASA Pathfinder mission.

    So, how are the slashdot crowd any different than a bunch of script kiddies? (btw, for those with no sense of humor, that was supposed to be funny)

    Going on means going far
    Going far means returning
  • but it's a neverending battle. the truly 'leet will come up with another way of harassing anyone with a device listening to IP, which will be picked up by the kiddies and exploited until the security people come up with fixes

    cat+mouse;cat+mouse; with each caught mouse the cat gets slower but the mice stay lean and quick and build smarter, faster mice.

    they can't win.

    also, this kind of monitoring can't invade your privacy if you're using strong encryption. take that, DMCA!

  • Any solution to a widely distributed denial-of-service attack also needs to be distributed across the network. Almost any device at the edge of the network can tell you when it's being flooded, but traceback and remediation requires upstream cooperation.

    Our approach is to detect attacks from various points in the network, correlate and trace them back to points closest to the source, and then take corrective measures there -- not downstream at the victim, which is indeed only an exercise in futility.

    Perhaps the best analogy is to having stop lights at on-ramps to prevent highway congestion -- distributed detection at the edges, and filtering at the ingress points closest to the source.

  • To answer two concerns regarding the abuse of our system for denial-of-service itself, either as single points of failure, or as potential zombies:

    1. As a non-intrusive passive monitoring solution (ie. not a bump-in-the-wire) that leverages the existing network infrastructure for the gathering of coarse-grained network statistics, there isn't much to attack, either directly or indirectly. Additionally, most networks tend to be overprovisioned at the core (largely where our monitoring is targeted), such that DDoS attacks typically don't have effect on the infrastructure itself until much further downstream.

    2. In terms of our base platform, we're running a custom, embedded version of OpenBSD on read-only media (several of us are OpenBSD developers as well). We have taken great pains to audit and protect our system both from direct and indirect attack (e.g. against the detection mechanisms), leveraging years of experience in building, exploiting, and fixing network intrusion detection systems, firewalls, and various network protocols in our own design and implementation.
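The sample-and-fingerprint approach described in the story summary and in the two posts above (passive, coarse-grained flow statistics collected at peering points, per-destination correlation, no payload inspection) can be sketched in a few dozen lines. This is an added illustration written for this thread, not Arbor's code; the flow record layout, the 1:100 sampling rate, the baselines and all addresses are constructed.

```python
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Set

# One sampled flow record, in the spirit of the coarse-grained statistics a
# passive monitor at a peering point collects (NetFlow-like; constructed
# layout for this example). Only header-level fields, never payload.
@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str            # "tcp", "udp" or "icmp"
    dport: int = 0        # 0 for ICMP
    packets: int = 1      # packets seen in the sample for this flow
    tcp_flags: str = ""   # e.g. "S" for a SYN-only flow
    icmp_type: int = -1   # 0 = echo reply, 8 = echo request, -1 = n/a

@dataclass
class DstStats:
    packets: int = 0
    syn_only: int = 0                      # packets in SYN-only TCP flows
    echo_reply: int = 0                    # packets in ICMP echo-reply flows
    sources: Set[str] = field(default_factory=set)

def aggregate(flows: Iterable[Flow]) -> Dict[str, DstStats]:
    """Roll sampled flows up per destination (the victim is the correlation key)."""
    stats: Dict[str, DstStats] = defaultdict(DstStats)
    for f in flows:
        s = stats[f.dst]
        s.packets += f.packets
        s.sources.add(f.src)
        if f.proto == "tcp" and f.tcp_flags == "S":
            s.syn_only += f.packets
        if f.proto == "icmp" and f.icmp_type == 0:
            s.echo_reply += f.packets
    return stats

def fingerprint(s: DstStats) -> str:
    """Classify the traffic mix toward one destination from header statistics alone."""
    if s.packets and s.echo_reply / s.packets > 0.8:
        return "icmp-echo-reply-flood"   # the smurf-style reflection pattern
    if s.packets and s.syn_only / s.packets > 0.8:
        return "tcp-syn-flood"
    return "volumetric"

def detect(flows: Iterable[Flow], baseline_pps: Dict[str, float], sample_rate: int,
           interval_s: float, pps_factor: float = 10.0, min_sources: int = 50,
           default_baseline: float = 100.0) -> List[dict]:
    """Alert on destinations whose estimated rate is far above baseline AND whose
    traffic comes from many sources (the 'distributed' part of DDoS)."""
    alerts = []
    for dst, s in aggregate(flows).items():
        est_pps = s.packets * sample_rate / interval_s   # scale sampled count back up
        expected = baseline_pps.get(dst, default_baseline)
        if est_pps > pps_factor * expected and len(s.sources) >= min_sources:
            alerts.append({"dst": dst, "est_pps": est_pps,
                           "sources": len(s.sources), "fingerprint": fingerprint(s)})
    return alerts

def constructed_sample() -> List[Flow]:
    """Constructed 60 s sample at 1:100: normal web traffic to one host plus a
    reflected ICMP echo-reply flood from 200 amplifier-side hosts to another."""
    flows = [Flow(f"198.51.100.{i}", "203.0.113.10", "tcp", 80, 5, "SA")
             for i in range(1, 21)]
    flows += [Flow(f"192.0.2.{i}", "203.0.113.20", "icmp", 0, 40, "", 0)
              for i in range(1, 201)]
    return flows

# Constructed per-destination baselines (packets per second) learned earlier.
BASELINE_PPS = {"203.0.113.10": 2000.0, "203.0.113.20": 500.0}

def run_demo() -> List[dict]:
    return detect(constructed_sample(), BASELINE_PPS, sample_rate=100, interval_s=60.0)

if __name__ == "__main__":
    for a in run_demo():
        print(f"{a['dst']}: ~{a['est_pps']:.0f} pps from {a['sources']} sources "
              f"({a['fingerprint']})")
```

The web server stays quiet because both its rate and its source count are ordinary; the second host trips the detector on both criteria and is fingerprinted as an echo-reply flood, which is the information an upstream filter at the ingress points would act on.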
  • Yes and no. I used to work for a company called Conxion [conxion.net] that specializes in managed hosting.

    They get around the DDOS issue with a "brute force" solution: having more bandwidth than their peers. What this means is that their peers would be saturated before the DDOS even hit Conxion's network.

    They solved the "peer down" problem by peering with multiple high-bandwidth providers.

    The interesting thing to note here is that DDOS is essentially itself a brute force procedure. Protecting against it is trivial, if you have more brute force than the attacker.

  • This is stupid. It allows a new kind of DoS attack - simply replicate real packets. What kind of signature can you get out of that? How do you know which are original/good packets?
  • I live my life under the impression that they're watching anyway. Online, offline, whatever. It makes no difference. What makes anyone think that the NSA or CIA doesn't have everything on tape anyway? I'm not a conspiracy theorist or anything, because I don't see any reason for what I am speaking of to be labeled as a conspiracy, but we're being watched.

    Now what is this about some kind of attacks? :-)

  • Exactly, right on the money... something has to do the work of dropping that traffic, whether its at the peer, a firewall close to the target, or whatever.
  • mod this up
  • They already do -- at least they do at my workplace. They track all flows going to and from your box, they can sniff your traffic, blah blah blah. All the more reason to use cryptographic tools when transmitting potentially sensitive information

    screw off. Whose computer do you think you're using. Your workplace's. Don't dick around with your stupid flash movies of goatsx crap and you'll be fine.
    ---
  • DoS attacks have nothing to do with an intrusion detection system.

    Basically this software aims at detecting someone breaking into a system. Usually with a DoS you just paralyze your target, but don't break into it. It's true though that DDoS attacks usually are made using compromised boxes.

    The problem here is that filtering packets on a much higher level allows for monitoring of all kinds of traffic. There is a big difference between monitoring your computer for intrusion (IDS) and monitoring entire networks for malicious attacks (like what is proposed here).

  • Oops, agreed I misread your post a bit.

    But still, I think what you are doing is localised to your network, but what is proposed here is to scan a much larger portion of the internet. But still it's true that I can't see what it is that they could do that they can't already...

  • Sony already knows that it blew it with its PS2. The thing is too difficult to develop for. However, they are not doing them selves a favor by hyping the PS2. What they should be doing is cranking out some decent developer libraries for the machine. But that wont happen. Not only has Sony made the machine hard to develop for, now they are afraid that the XBox is going to kill their system anyway. And to think that Microsofts initial fear was that they were afraid Sony would turn the PS2 into an all in one internet appliance, DVD player and game machine. It makes me laugh. END COMMUNICATION
  • Because the fine folks at Arbor Networks can't make any money doing that. I mean come on if you don't have to pay through the nose for it it must not work right?
    :)
  • Who cares if Yahoo! or ebay go down because a few idiots manage to get in?

    Well, a few important people care. The first of which being the companies themselves. The next day, the company reports an earning loss because of the downtime, which halted all incoming orders and pageviews (which gets them revenue from banners). Now this earnings loss could make the stock holders very upset, even if the stock only loses a point or two, when you have millions of shares in that company, you just lost millions of dollars so some pubescent kid in Bumblefuck, Utah could prove his 1337-ness.

    Regardless of the stock price fluctuation, the story still gets on the news. Remember when ebay was taken down for a day or so? It was all over the news for the first few days after the fact, and then when they stopped running that story, they started to do those stupid "investigative reports" into how easy it is, and that "something should be done" to stop it. When Joe Sixpack sees how easy it is for someone to gain control of his Windows box, then Mr. Sixpack is going to then form the opinion that litigation is the way to solve the problem (although it may be suggested in the "report" a few times). This seems to be the biggest problem. The public can be swayed easily when they see how many holes there are in the systems they use every day.

    Script-kiddies should also learn to run with scissors, point up and filed 'til it's razor sharp, across a mine field.

    --
  • For fun let's say this package works great. I tell my isp to go and get several dozen of these devices. We need coverage for all of our multiple transit and peering points (so we need to support FastE, T1, OC3 ATM&POS, OC12 ATM&POS, OC48 ATM&POS, and GigE cards (Cisco, Juniper, and Extreme Networks edition)). All those different types of interfaces and the speed at which they operate make this an expensive venture, but I have no problem convincing the big cheese that it's worth his money; because this will prevent ddos attacks. So we go ahead and spend several million dollars obtaining/training/installing these devices and everything is tickity boo.

    Meanwhile, Someone goes to the SAR (Smurf Amplifier Registry www.powertech.no/smurf [powertech.no]) and chooses the top 10 stupid networks (conveniently located on the front page no less) and launches a huge distributed smurf attack on my isp. No worries though we just spent several million dollars on this equipment that will protect us right?

    Wrong. None of the traffic reaches my internal network, BUT my connections to the internet are flooded with icmp echo replies. Yes they are being blocked but so much smurf traffic is coming through, my normal traffic can't get in or out either. Creating a ... distributed denial of service attack, the very thing I just convinced the big cheese to spend several million dollars on so that we would be safe from it.

    Now whose head is going to roll? The company that made the product or the guy that recommended we buy the product?

    Their hearts are in the right place, but they aren't seeing the big picture. imo anyways.

  • Why not let the ISP's themselves handle the filtering with kernel based firewalling? Or am I missing something here?
  • That this wouldn't happen if people secured their boxes.
    Hackers of the world unite, instead of installing DDOs proggies, set up seti@home on those boxes.
    Or imagine the google beowulf happily running distributed.net
    Yay!
    It's also about time for this stuff, although I last heard that this was being incorporated into large switches / hubs.

    Besides, ddos slows down my napster transfers :)

    shouts to the world!

    I have a shotgun, a shovel and 30 acres behind the barn.

  • A router already understands what IP addresses are behind it. *By default*, why should it route traffic from IPs that don't exist on the LAN to the WAN? I am not a TCP/IP expert, but it seems to me that there are no legitimate applications for bounced packets.

    Forget about IP, do you understand anything about networking? First please define what it means to be behind a router, and then explain how a router knows what is behind it.

    While in your case you may have a single router connecting you to the Internet through a single provider and one subnet for your whole LAN this is usually not the case in any large organization. A large network will usually have multiple connections to the Internet as well as private WAN connections with other networks and possibly Internet connections of their own. While a very diligent designer working from the ground up with free rein to filter at any arbitrary point should be able to contain legal traffic to specific areas this is rarely feasible in the real world.

    If you are a large ISP with multiple backbone connections it is even harder to do *any* sort of filtering because there is a wide range of legal traffic that can traverse your network.

    PS If you are a smurf amplifier it is because of a misconfiguration on your side, not your ISP.

  • inbound traffic to a specific range is routed to interface eth0. (x)versely, it follows that outbound traffic should originate from the same range, correct?

    No that isn't always true. First of all, the terms "inbound" and "outbound" are completely arbitrary and have no meaning to the router. In your case you have one subnet on the Ethernet side of your router that you own; you refer to this as inside. The router, however, has no way of "knowing" this. You certainly can put an access list incoming on your Ethernet interface to only allow traffic from a certain range, and this will prevent devices on your network from sending spoofed packets, but how could you implement this within the router's code. The router doesn't and shouldn't know of all the networks it gets packets from, it only has to know where to send the packets it receives. This becomes more significant the larger the network becomes.

    If your router behaved in the way you are suggesting it would only allow "incoming" packets from the subnet directly connected to the WAN interface, because the router doesn't know about the millions of networks on the other side of your ISP's router. Even if you allowed traffic from the other side of that router there are millions of routers on the other side of your ISP. Not all of these routers can exchange dynamic routing protocols, so at some point you MUST use default routes or drop all packets to or from non-connected networks. How is that in any way useful?

  • All your router knows is which interface it needs to send a packet out to reach the destination address. In your case it is either ethernet or DSL. How does it know what addresses are on the LAN? Can you imagine a network with more than one router and multiple subnets? Your home network may be very simple, but that doesn't mean all networks are.

    I am not, nor was I ever a smurf amplifier, but that does not stop attempts to do so from saturating my link.

    I'll give you the benefit of the doubt, but I'm not convinced you'd know if you were.

  • There are basically two schemes for justifying strong government control: without government 'protection' the criminal will get you, or the other, enemy government will get you. Any government, as an organism favoring its own survival, will be sure to manufacture one or the other, or some mix of the two. As subjects^H^H^H^H^H^H^H^Hcitizens we might consider which we prefer as the excuse: an 'evil empire' to face down or 'criminal terrorists' to suppress. The costs of the 'evil empire' model have been reasonably small in recent decades: entertainments like Viet Nam (for the French and US) or Afghanistan (for the Soviets), and a certain conformist jingoism. The costs of the 'criminal terrorists' model perhaps haven't been so fully explored lately (except when used by the Nazis against Jews). But keep in mind, if we distract our rulers from their current posturing against 'criminal terrorists' they will be sure to tilt back towards 'evil empire' - which probably means preparing for large-scale war against, say, China or Iran plus the Muslim former Soviet republics - and there are fewer truly out-of-the-way places to fight the Nam-style side battles that used to ease the friction of such posturing, more likelihood that the battles will involve Taiwan or oil fields, and lead to much more destruction than a game requiring someone to play the role of criminal terrorist is likely to lead to -- which is perhaps why our rulers favor the 'counter-terrorist' posture. Even when the obvious strategic aim of the missile shield, for instance, is to prepare for all-out war with China, still the public game is about 'rogue states' more on the scale of isolated terrorists than empires that can seriously challenge us.

    We're going to lose more freedom by either game, but the style of loss, the trade-offs differ, and we might consider which we prefer. Just keep in mind that if we ease the official paranoia about hacker terrorists, our government will tilt back towards the model of assured mutual destruction as its legitimating excuse.
  • I know I'm going to get modded down for this but I am getting tired of the editor slant here. DDoS is a real problem, someone might have a workable solution but it looks at packets so it must be bad. a few points here--
    1. Monitoring the flow of traffic can be done without getting too much into the *content* of the packets. In fact looking at the contents will slow the system by a huge degree.
    2. Unless every byte is encrypted this can already be done now. If you are sending data in the clear you are exposed get used to it, if you don't like it encrypt it.
    3. I know that privacy is a real issue but let's not muddy the water by screaming like chicken little every time someone reinvents a port sniffer or traffic shaper. Save your breath for when real issues come up like new laws.
  • ...be the first to make angry comparisons to "Big Brother" and an Orwellian society when everyone's movements online are being tracked. Innocent Internet users and script kiddies alike will no doubt fight back against constant monitoring, but I have very little sympathy for any script kiddie attacking those who're only trying to make the internet more secure after they've already attacked so many others using less of their own skill than the documented skill of others.

    It's comparable to Napster in a way. So many individuals think they're so clever to find means of dodging around the system without realizing that the harder they make it for Napster to filter their files, the more likely it'll be shut down when the final verdict is read.

    Anyway, it's not so uncommon a situation. Aren't those who abuse their freedom most often those who force the restriction thereof, not only for them, but for everyone else? While part of me hopes that this system of DDoS tracking doesn't take off for the obvious privacy reasons, another part of me hopes that it will, so that script kiddies can be taught that society as a whole doesn't stand for such abuse of freedom.
  • I don't like the idea of setting up anything that binds to a particular port, or location for that matter. It's advertising and inviting. I still haven't seen a DDoS monitoring service that I'm convinced is bullet proof, and I still think that we have some work to do. Blocking portscans and such is the wrong way to handle problems and usually ends up in DDoS attacks once someone has spoofed their source ip as being that of localhost on your machine or being your machine's gateway ip.
    There are many services out there that claim to solve one problem, but in essence they are creating problems elsewhere. DDoS being the elsewhere.
  • ISPs will never use this, or any other filtering software for the simple reason that once they begin filtering, they are no longer a "Common Carrier". Being a common carrier protects them from being sued for having kiddie porn or Windows transmitted over their network. If they start filtering for DDOSs, they will have to filter everything else also.
  • I don't think they probably drink water... Jolt, maybe.
  • In most cases, even when using a multihomed ISP, the first several hops will follow a simple, fixed path. In the config I showed you, inbound traffic to a specific range is routed to interface eth0. (x)versely, it follows that outbound traffic should originate from the same range, correct?

    As I stated, this filtering would happen at a very low level, where routing is rarely complicated, but at this point I see no point in trying to reason with you.

    (end comment) */ }

  • I'm looking at the info on the DSL router here at home (edited):

    cisco675>sh route
    [TARGET] [MASK] [GATEWAY] [M] [TYPE] [IF] [AGE]
    0.0.0.0 0.0.0.0 0.0.0.0 1 SA WAN0-0 0
    12.34.56.0 255.255.255.0 0.0.0.0 1 LA ETH0 0
    1.2.3.0 255.255.255.0 0.0.0.0 1 A WAN0-0 0
    1.2.3.4 255.255.255.255 0.0.0.0 1 AH WAN0-0 0

    I think it's pretty clear that the router understands which IP's are on the LAN, and which ones aren't. The type of prevention I am talking about would happen at the first hop, which IME is rarely complicated. As usual, problems are better resolved within the home.

    I am not, nor was I ever a smurf amplifier, but that does not stop attempts to do so from saturating my link.

    (end comment) */ }

  • also encrypt the filter, so in the event that anyone gets past it, you can also get them for violating the DMCA!

    there's my 1/2 cent
  • Why do we consider this any different than other network intrusion-detection systems. Privacy concerns should be minimal, only keeping the "bad guys" out
  • Sure, but notice I mentioned Network, as in software that sits on the wire and scans for suspicious activity. I use such software on my network. I regularly see many attempts on my systems' security. What I was trying to say was that people should be no more concerned about privacy in this respect than they would be about a conventional network intrusion scanner.
  • pisses me off. Why can't the whole world just get along. Why do they have to send a DDoS attack!? Is it funny? Seriously, I would like to know.

    How much fun can rendering a service inoperable be? I mean would these kiddies like it if you did it to them? OR would they be all pissy?

    ~AdmrlNxn
    Whistler is to Zeus as Linux is to Hercules
  • no... that could be even worse - a side effect of ritalin is hyperactivity - if you are not already hyperactive. Giving ritalin to a kid who doesn't need it is just evil - they bounce around about 100x more than usual.

    Valium is good... some of the antipsychotics/antischizophrenics may work better as they work by slowing brain activity.

  • Thats what they WANT you to think....
  • these kids generally have nothing to lose..

    .kb
  • but on a massive scale. If it can filter and analyze traffic, I am POSITIVE it will somehow result in more spam from marketers who are watching us in a central, gods-eye way, or I'll get bitchslapped by The Man, who noticed that 99% of my surfing is in regards to pr0n and mp3z.
  • Sounds like sales BS to me. If I'm not mistaken, the whole idea of the Internet was that it was a system that couldn't be broken when a single link went down. It doesn't matter how fast he can "shut a customer who was being attacked off from one backbone and re-route all traffic to and through another faster than a DDoS attacker could shift gears." If you can get out to the Internet, then packets can get routed back to you. Either that, or you're filtering them somewhere upstream. Unless he's changing your IP address, which can cause no end of headaches.

    Actually, it's kinda funny that he should use the phrase "faster than a DDoS attacker can shift gears." The whole point about it being a DDoS is that it's not just one guy, it's a guy with an army of machines working at computer and network speed to flood your connection. As long as the target address doesn't change, it keeps firing packets that way.

    Don't ever trust a salesperson for technical info...
  • It is very true, and interesting no doubt, that the so-called script kiddies who think of themselves as thumbing their noses at authority are in fact most likely going to cause the unnecessary subversion of privacy in the long run. Cliff Stoll makes a similar point in the Cuckoo's Egg, saying that he wishes there were no need for a computer security market, and that there wouldn't be if people were more considerate in their use and acquisition of information. But at the same time, that's like asking all of the thieves and criminals in the world to stop what they are doing at once. There are always going to be a small percentage of mischievous people out there, and if there were no barriers in place to keep them out of the cookie jar, god knows the real damage they could do. Ultimately, the script kiddies are making it harder for the REAL bad ones, the ones who could start a war, for example. All we can hope is that the damage to our freedom and privacy is minimized in the process of preventing the inevitable criminal activity online.
  • between a DDOS and a site being slashdotted? Might this device someday prevent us geeks from getting our daily dose of news for nerds? Thousands or hundreds of thousands of separate hosts hitting the same IP address at the same time... DDOS, or slashdot effect??
  • 65,635 orders can also be placed at any time to overflow an INT in a poorly designed database.... on a 16 bit machine... on a 32 bit server (IE every server on the internet) you are going to have to get together 4G of your closest friends...

  • I was interpreting the parent post as "Why don't ISPs filter packets as they are leaving the ISP's network." If the majority of ISPs drop outgoing packets that don't have valid source/destination headers (if you are an ISP, and all your equipment/customers are using the 1.2.3.4/24 IP block, why would you let packets that have a source of 7.8.9.3 out? Or would you want to allow packets addressed to non-routable IPs to go out?) then you would have stopped most DDoS attacks that use forged source headers.

    If that didn't make any sense, I mean: If every ISP would configure their routers to block outgoing packets that didn't originate from their IP block, and block all packets that are going to non-routable IPs. Wouldn't this solve most of the problems?

    ps. Ignore all the spelling mistakes, please.
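The source-address filtering argued for in this post, and in the earlier reply that says an access list on the customer-facing interface can stop spoofed packets leaving a network, comes down to a small decision function applied where the provider actually knows its own prefixes. The code below is an added illustration for this thread, not any ISP's or vendor's configuration; the ISP prefixes, the bogon list and the packets are constructed (documentation ranges stand in for public addresses, so 192.0.2.0/24 is deliberately left off the bogon list here).

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

Net = ipaddress.IPv4Network

# Constructed: the prefixes this hypothetical ISP announces and assigns to
# customers. The egress rule only works at the edge where this list is known,
# which is the point the earlier reply makes about a core router.
OWN_PREFIXES = [Net("203.0.113.0/24"), Net("198.51.100.0/24")]

# Constructed bogon list: address space that should never be a source or a
# destination on the public Internet (RFC 1918 private space, loopback,
# link-local, "this network", shared address space, benchmarking, reserved).
NON_ROUTABLE = [Net(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.0.0.0/24", "192.168.0.0/16",
    "198.18.0.0/15", "240.0.0.0/4",
)]

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    direction: str   # "egress": leaving the ISP toward a peer; "ingress": arriving from a peer

def in_any(addr: ipaddress.IPv4Address, nets: List[Net]) -> bool:
    return any(addr in n for n in nets)

def verdict(pkt: Packet) -> Tuple[str, str]:
    """Return ("forward" | "drop", reason) for one packet at the ISP edge."""
    src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    # Both directions: bogon addresses never cross the edge.
    if in_any(src, NON_ROUTABLE) or in_any(dst, NON_ROUTABLE):
        return "drop", "non-routable address"
    if pkt.direction == "egress":
        # Outgoing packets must carry one of our own source addresses.
        if not in_any(src, OWN_PREFIXES):
            return "drop", "egress source not in our prefixes (spoofed)"
    elif pkt.direction == "ingress":
        # Incoming packets from a peer cannot legitimately claim our addresses.
        if in_any(src, OWN_PREFIXES):
            return "drop", "ingress source claims our own prefix (spoofed)"
    else:
        raise ValueError(f"unknown direction {pkt.direction!r}")
    return "forward", "ok"

def filter_packets(pkts: List[Packet]) -> List[Tuple[Packet, str, str]]:
    return [(p, *verdict(p)) for p in pkts]

# Constructed traffic mix; 192.0.2.x plays the role of "somewhere on the Internet".
CONSTRUCTED_PACKETS = [
    Packet("203.0.113.7", "192.0.2.10", "egress"),    # customer to the Internet
    Packet("7.8.9.3", "192.0.2.10", "egress"),        # forged source, as in the post
    Packet("203.0.113.7", "10.1.2.3", "egress"),      # destination is private space
    Packet("192.0.2.10", "203.0.113.7", "ingress"),   # ordinary reply coming back
    Packet("203.0.113.9", "203.0.113.7", "ingress"),  # arrives from a peer claiming our block
    Packet("192.168.1.5", "203.0.113.7", "ingress"),  # private source from a peer
]

if __name__ == "__main__":
    for p, action, reason in filter_packets(CONSTRUCTED_PACKETS):
        print(f"{p.direction:7} {p.src:>14} -> {p.dst:<14} {action:7} {reason}")
```

Only the two well-formed packets are forwarded; the four others are dropped at the edge, which is the "most DDoS attacks that use forged source headers" case the post describes.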
  • So we should thank the script kiddies for contributing to world peace in a very real and meaningful way.??

    So the more ddos attacks there are the more peaceful it will be. I suppose it works. The internet sure would be quiet.

  • valium?
    try doping the water with ritalin...
  • First, rdl said, "The reason most ISPs don't filter their outgoing traffic is that most cisco routers will end up with 100% cpu utilization to do basic filtering on any decent sized pipe."

    Then, he followed up with, "Juniper, among others, make routers which can do filtering on the interface cards themselves..."

    Does anyone else see the inherent conflict in those two statements? Gee, let's take the low-end Cisco products, which use interface cards about as sophisticated as the NIC in your PC, and compare them with Juniper's top-of-the-line products.

    Cisco products like the 7500 and the 12000 also do filtering (based on ACLs) directly on the line cards. A friend who does testing on the GSR line says that they can indeed maintain linerate on an OC192, and without getting packets out of sequence like the Juniper machines do.

    Let's compare apples and apples here.

  • Following up my own post again.

    The following contains pointers to some of the current work being done to help combat and detect the current forms of DDOS as seen today. In an open and non "patent-pending" manner, too. :)

    http://www.aciri.org/pushback/ [aciri.org]



    ------------------------------------------------ ------------

  • There is a difference between theoretically possible, possible in lab conditions with 0-day gear, and possible on the routing equipment that is deployed in the current real-world network.

    Yes, equipment like Juniper is capable of doing linerate filtering and packet inspection ( headers though, not payload! ). Juniper equipment *is* deployed by major networks, but it's not everywhere. Cisco, which is still a very large portion of the routing equipment deployed, has *ahem* issues at linerate filtering.

    Attempting to deal with DDOS through ACLs is at best a very temporary patch, more akin to the little dutch boy trying to stick his fingers in the leaking dyke. There needs to be support for ICMP traceback ( to allow you to quickly determine the source of an attack ) so that perpetrators can be tracked and prosecuted. There needs to be support for 'pushback' which recursively moves the filtering upstream until it reaches the source. Until this is done, ACLs or not, there is no easy way to combat DDOS.

    Pretty scary, ain't it?

    ------------------------------------------------------------

  • "...Arbor is working with the Internet Engineering Task Force to make its detection system compatible with existing network routers and firewalls. This would allow Arbor devices to send attack warnings directly to a firewall, which could then block the unwanted data..."

    Fine. One *more* link in the chain.

    Let's hope that Arbor's isn't a weak link:

    Crack that, and do your blocking right from within the detection system.

    What was that?

    "Any code written by man, can be broken by man."

    Let's hope Arbor is armoring their stuff real well...

    t_t_b
    --
    I think not; therefore I ain't®

  • Using tools, Arbor or simply watching flows and rrd graphs while waiting for slashdot to load, is certainly a good way to spot attacks. If you can provide better data to network admins than they already get using general-purpose network monitoring tools, it's certainly going to be useful.

    This is all assuming your net follows basic best practice and thus the most effective DoS/DDoS is to do resource-consumption, not to send 50 multicast packets to your cisco's management interface or something like that...

    I think the problem should be split into parts:

    1) Pre-emptive moves to eliminate DoS/DDoS in general -- kill fucking smurf amplifiers dead, eliminate spoofing especially on smaller, less-actively-monitored, static networks, etc.

    2) Increased safety margin for applications -- use technologies such as distributed dynamic cache, load-balanced servers, oversized links and oversized servers, etc., to deal with both malicious attacks and normal surge load. This gives you a LOT more leisure time in dealing with big attacks, and makes smaller attacks less of a problem.

    3) Intelligence, either from specialized anti-DDoS tools like arbor, or from general network administration tools, a 24x7 NOC, mrtg/rrd, talking with other AS admins on irc, etc.

    4) Simple response tools -- having OOB management on routers (you wouldn't believe how many people don't, and if you're being DoS'd, you can't connect over the net under attack), a knowledge of what pieces depend on what, etc. Being able to down interfaces, apply filters, etc. quickly is important. At the present time, I don't think anyone could develop a tool which does this 100% automated, but certainly tools can amplify the power of a small number of good network administrators.

    5) Research -- learn from the attacks, improve. I think this is where tools could be quite valuable, by gathering statistics on attacks and presenting them to people when under attack.

    If I were trying to build a network resistant to DDoS/DoS, my number one priority would be pushing the safety margin up as high as possible, oversizing links and building border routers capable of taking and filtering most attacks when directed to do so; only after that is in place is it worth worrying about better ways to detect, analyze, etc. attacks. It's pretty obvious that you're being hit and what's going on once it actually happens :)
  • The real fix, of course, is to find operating systems vendors liable for selling systems which allow attackers to use OS vulnerabilities to take over a system and use it to attack a third party. Note that disclaimers in EULAs don't matter in such cases, because the victim isn't the customer of the OS maker, but an unrelated third party. Someone needs to sue Microsoft for gross negligence over this, for selling mass-market operating systems with vulnerabilities years after the problem was identified.

    What would your "real fix" do to Linux? It would legislate the old argument of "who can we sue if something goes wrong?" and make it illegal to create or distribute an operating system without someone to blame.

    Another illustration of overzealous anti-Microsoft fervor setting up a backlash on us. Don't take RIAA's stance - the UCITA is beginning to backfire on them. Just be calm, cool and reasonable. We have absolutely nothing to worry about, and here's why.

    We live in a free-market economy - all of Microsoft's billions (trillions?) can't compete with a bunch of volunteers giving stuff away. It will stabilize into the hardcore hackers doing what they enjoy (kernel / systems level stuff) and Microsoft and Apple will eventually wind up selling to their real market: non-computer experts. (Well, actually, Apple already does).

    So Linux *is* a good thing, and may dominate the world. Microsoft's rise to the top drove the price of hardware down and amount of expertise (learning curve) wound up being less (shorter).

    Now Linux will drive the price of software down and force Microsoft to make computers truly easy to use. Computer experts won't need anything from Microsoft or Apple, but my grandma always will.

    Pre-Linux Microsoft User Manual: To accomplish your task, insert the CD, click OK, type your name and organization, click Next five times, select this, select that, click Next, enter your CD Key, click Next ten more times, then click OK to reboot.

    Post-Linux Microsoft User Manual: Get your computer's attention by saying its name. Say "Download and Install winzip voice plus".
  • Its interesting to me that the anti-authority script kiddies are going to eventually be the reason and the justification for the authorities monitoring everything we do online.

    This is a common theme throughout society. It is the gun enthusiasts who are the reason that the authorities use for demanding more gun control. It is the anti-abortion protestors that the authorities used to push through the FACE act. It is the people who demand campaign finance reform the loudest who break the existing laws most flagrantly. It was the ACLU, for defending people on first amendment grounds, that caused someone in congress to propose an anti "flag burning amendment" to the US constitution.

    Do something in public that is unpopular with the right people, regardless of legality, and you will soon find that activity restricted.

    LK
  • The government is not the one leading the charge on this sort of thing. It's those of us in the trenches trying to run the network that are trying to figure out how to deal with the problem. It's not the big hits against Yahoo which drive this sort of thing. It's the almost daily low-level DoS attacks which are the problem. Speaking as somebody who helps engineer and run a multi-OC3 gigapop for several universities, I can tell you that this sort of thing is a real pain.

    A week doesn't go by that some well connected 3l33t 5h1th3ad doesn't decide to send 100Mbps of crap at some residence hall computer and soak up all of our bandwidth. Why? Who knows. Maybe they're trying to take over some lame IRC channel. Maybe they are tired of getting fragged in Q3. I don't know, and I don't care. The reality is that we have to deal with the problem. When it happens, in some cases for us it takes literally tens of thousands of students off of the network.

    As much as I think the Internet should be open to all, without strict filters checking every packet you source, that reality is going to quickly go away because of this type of behavior. Real crackers and criminals have little to no impact on the operation of the network. However, the DoS kiddies do have a real impact on our ability to keep the network running smoothly and reliably. The problem has to be dealt with, and the solutions are not pretty. Imagine strict filters which control how much traffic you can send and how many outbound connections you can initiate. Imagine those filters applied to every dorm connection, @home connection, and DSL connection. Imagine having to pay big bucks if you want a "server" class connection. These restrictions and more are coming to a broadband connection near you unless the 'l33t shitheads get the message and start behaving like adults. It won't take a law to make it happen. The network engineers aren't going to have any choice if the problem keeps growing.
  • Or at least somebody will be the excuse. Reason? I frequently strongly doubt that. Excuse.

    Remember, the primary purpose of any living thing is to survive, and governments / corporations / bureaucracies are living things. At least in that sense.


    Caution: Now approaching the (technological) singularity.
  • Okay, so this is probably a pretty useful idea?

    But isn't the point of a DDoS to flood the ISP connection? So isn't this just a quick way to acknowledge that you are screwed - because even though you are dropping packets like crazy, they keep coming in and you waste bandwidth just to drop them. I am curious if this isn't going to have a fairly minimal impact, because the problem isn't the content of the packets, but the fact that they are coming.

    Won't this just move the chokepoint higher up the ladder, making the bottleneck the DDoS detector's ability to handle/drop those packets instead of your servers? So now your servers are up, but no one can get to them anyway.

    Maybe someone who understands this better can explain.
  • I see one major flaw with what Arbor Networks is suggesting.

    As they sample, the probes use complex statistical algorithms to take a ''fingerprint'' of normal traffic patterns on the network. That way, they can immediately detect unusual patterns, the kind generated by attacking zombies. ''In real time,'' said Arbor chief scientist Farnam Jahanian, ''we come up with a fingerprint for that anomaly.''

    So what do these "statistical algorithms" say about large articles on major websites (say the frontpage article of the New York Times, a press release by IBM, etc.), or sites where traffic builds quickly due to word of mouth (sort of like a slashdotting)?

    My point is simple: What if script kiddies just take their time? Don't start with a DDoS attack, slowly start pinging servers, or whatever it is that they do, and build up, over time, to a heavy DDoS attack. How would these "statistical algorithms" differentiate this from a bonafide [sic] interest in the site?


    ---
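The comment above asks what a traffic "fingerprint" does with a flash crowd or a slowly ramping flood. The following is an added example, written for this thread and not Arbor's code, of the simplest version of the dynamic-baseline idea the article quotes (an EWMA profile with a relative threshold), plus the absolute capacity check a practitioner would pair it with; the sample counts and the 5000-packet ceiling are constructed.

```python
# Added example: a minimal version of the "dynamic baseline" idea quoted
# above, written for this thread rather than taken from Arbor.  Per-interval
# packet counts towards one zone are compared with an exponentially weighted
# moving average (EWMA) of earlier samples; a sample far above the baseline
# is an anomaly.  A second, absolute check (link capacity) covers the slow
# ramp-up that a purely relative profile would learn as "normal".


def detect_anomalies(samples, alpha=0.1, tolerance=0.5, capacity=None):
    """Return (alerts, final_baseline).

    alerts: list of (index, kind, value) where kind is "baseline" when the
    sample exceeds the learned profile by more than `tolerance` (50% by
    default) or "capacity" when it exceeds the absolute ceiling.
    """
    baseline = None
    alerts = []
    for i, x in enumerate(samples):
        if baseline is None:
            baseline = float(x)             # first sample seeds the profile
            continue
        if x > baseline * (1.0 + tolerance):
            alerts.append((i, "baseline", x))
            # reported but not learned: an abrupt flood must not poison the
            # profile it is being measured against
        else:
            baseline += alpha * (x - baseline)   # EWMA update
        if capacity is not None and x > capacity:
            alerts.append((i, "capacity", x))
    return alerts, baseline


# Constructed traffic samples (packets per interval), not measurements.
NORMAL = [1000 + (i % 5) * 10 for i in range(30)]            # quiet zone
FLOOD = NORMAL + [15000] * 3 + NORMAL[:5]                     # zombies switch on at once
RAMP = NORMAL + [int(1000 * 1.03 ** n) for n in range(80)]    # +3% every interval
LINK_CAPACITY = 5000                                          # assumed ceiling for the zone

if __name__ == "__main__":
    print("flood:", detect_anomalies(FLOOD)[0])
    print("ramp, baseline only:", detect_anomalies(RAMP)[0])
    print("ramp, with capacity:", detect_anomalies(RAMP, capacity=LINK_CAPACITY)[0][:3])
```

With the relative check alone the 3%-per-interval ramp never exceeds the baseline by 50% (the EWMA keeps up with it), so only the capacity check fires, at the interval where the zone passes its assumed ceiling.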
  • I can say from experience that a line-rate OC-12 ACL list is quite feasible, and in fact OC-48 (2.4Gbps) is quite feasible with today's technology.

    Some of the new Network Processors are absolutely astounding in terms of what they can accomplish. Take for example the Agere [agere.com] network processor. It has no problems doing ACL at OC-48. Or the Sibyte [sibyte.com] network processor, with dual 1GHz MIPS cores running Linux, which should be more than fast enough to handle OC-12.
  • We can blame the longevity of data for the majority of script kiddies, I think. Documents such as the Hacker's Manifesto, which have been around for years and years, get read by fresh-out-of-detention 14 year olds, and they think, "Wow, I can be a part of something!" while they don't realize that what they want to be a part of has been dead for at least 5 years - at least as stated by the Manifesto and similar documents. They then append themselves to dead ideals, ideals which had some effect in the day, but are worthless now, due to such things as legislation.

    -------
    CAIMLAS

  • I like the Arbor Networks approach. These are smart people and their approaches to the problem are largely statistical. They can legitimately claim to have a solution with very minimal privacy implications.

    The overwhelming majority of network intrusion detection solutions cannot make these claims. They are misuse-detectors --- IDS parlance for systems that do deep analysis of traffic looking for known signatures of misuse. The techniques for detecting these signatures are in fact more intrusive than those for detecting keywords in mail messages. Some IDS tools go so far as to ADVERTISE their utility for monitoring employees and copying email.

    The fact that misuse-detectors don't even work (against savvy attackers) doesn't improve the situation (Tim Newsham and I wrote a well-known paper on this, you can find it at Vern Paxson's mirror [aciri.org]). The only interesting work in intrusion detection and response is being done at the backbone level, in macro-analysis, using statistical profiling and anomaly detection.

    Arbor Networks appears to be leading the pack on the analysis end. There are other interesting companies in this space too --- Asta Networks (tech lead by the inimitable Stefan Savage) appears to be doing direct traceback, and Mazu Networks (the Click Router group from PDOS@MIT, more insanely smart people) appear to be doing edge-based detection and filtering.

    Traceback, backbone traffic analysis, and edge-based IP-level traffic/misuse detection are going to be the deployed solution for this problem. Get used to it. Network admins have had many of these capabilities for ages --- these startups are just focussing and optimizing them. You should be more afraid of ISPs deploying RealSecure or NetRanger (privacy-violating point-product misuse systems) than about them guarding their networks with traffic analysis information they could get from their routers already.

    PS: Note to Linux geeks --- many of these companies, particularly Mazu, are doing large-scale in-kernel traffic monitoring. They are publishing their code (and some of it, like the Click router, is amazing) and making a HUGE PR contribution to the usefulness of the operating system.

  • It seems to me (and correct me if I am wrong) that part of the problem is that anyone can spoof the source location in an IPv4 packet.

    Why can't every computer connected to the internet throttle packets? That way there is no single "choke point". I mean every minute, or 5 minutes, do a "throttle check": if too many packets are trying to reach a destination point, then they just get auto-dropped. (It would be nice to check if the "source" is sending too many packets, but source headers can be forged.)

    Doesn't IPv6 require a valid source location?

    Is there any way to design a protocol to prevent DoS attacks?

    Sorry for the newbie questions, but I'm a graphics guy, not a networking one ;-)
  • by 0xA ( 71424 )
    I really don't see cracking being a big thing for criminals to generate revenue.

    Why do you think the "Russian mafia crackers" tried to extort money from the companies they stole the information from? Why didn't they just go buy a bunch of stuff and sell it? That would be really hard to do; you can't go into a retail store and buy something with a card number. You'd have to order a bunch of stuff from web sites or over the phone and have it shipped somewhere. How the hell are you going to make a bunch of money from that? Seems to me like it would be a major PITA, not to mention dangerous.

    Your other example of the Taleban trashing a home loans database is almost laughable. First, just what the hell is Fannie Mae doing with a database containing information like this that is accessible from an outside connection? This should never happen. If this were ever to actually happen, common sense would dictate that the database server should be wiped, restored from backup and secured (as in not connecting it to the internet in any way). Another PITA but hardly a disaster.

    The evil master hacker stealing millions of dollars in just a few minutes is a myth. Try watching less of The Lone Gunmen.
  • My point was that there are already excuses, and those excuses are already in use. Script kiddies are nothing next to the thought of Osama Bin Ladin hacking.
  • "Its interesting to me that the anti-authority script kiddies are going to eventually be the reason and the justification for the authorities monitoring everything we do online."

    Script-kiddies? The last time I looked the government was blaming software pirates, drug-dealers, and terrorists. Script kiddies will never be a huge reason for monitoring, because script kiddies can never do anything beyond hack servers sitting on the internet with their crappy scripts.

    A DDoS by a team of script kiddies means nothing in the long run. Who cares if Yahoo! or eBay go down because a few idiots manage to get in? The real danger is the big hackers. The Russian mafia crackers holding credit card databases hostage are just a beginning. Imagine if the Taleban found a group of good crackers in Afghanistan and sent them after Fannie Mae's mortgage database, screwing up millions of American home loans?

    Script kiddies DDoSing the last of the dotcoms is no matter. There are things people could do online to do far more damage. The probable recipients of said damages know this, and they are preparing.
  • If you really want a quick response to a DDoS, then what you've got to do is collect that real-time network traffic data, display it like a video game, then wire in the router controls to some joysticks & buttons & hire a large group of teenage video game addicts to "get a high score" (score being determined by how well "good" traffic gets through and "bad" traffic is suppressed). Pay them according to their score.

    I can guarantee that you will never be able to put together an automated solution with such adaptability, reaction time & pattern recognition abilities. And society will have finally figured out how those video gamers can contribute something useful.
  • I had a thought (don't jump to conclusions, it was an incorrect thought as I will shortly explain). What if you had NICs themselves do outgoing packet filtering? Of course it would be configurable using software or whatever, which is no good because a script kiddie hacks in, gets root, and sets your card to allow outgoing spoofed IPs. So obviously that wouldn't work.

    Having the "big" routers do this filtering would cause a huge performance hit; however this might be acceptable in the long run. Everyone would bitch and moan to start, but then we'd get used to it (and Cisco and others would find ways to improve throughput without sacrificing IP filtering).

    What about having local routers do it? If you're (say) AOL, you certainly have thousands of small clusters routing to your central big-ass router cluster. Why not have the routers on the ends all do the work? Have we learned nothing from distributed computing, especially something so tailored to it?

    I know there are economic concerns (we have to get ISPs to modify thousands of routers), but... come on, there's got to be a better solution than adding Big Brother into the mix.

    <RANT>
    Seriously, who are the deranged fucks who get presented with ideas like, "Hey, let's add Big Brother-like sniffing to all sorts of nodes on the Internet, bringing the potential for huge abuses!" and go, "Hot damn! THAT will make the world a better place for everyone!"??!?
    </RANT>
  • Its interesting to me that the anti-authority script kiddies are going to eventually be the reason and the justification for the authorities monitoring everything we do online. 31337 d00d!

    This is such a common attitude: that bad people like script kiddies are fucking us over. "If only they'd stop!" Um, telling them to stop isn't going to make a difference. Let's look at the problem from another approach: secure in the knowledge that script kiddies exist in large numbers wherever teenagers and miscreants have computers, let's try and protect ourselves from them. If this product does something to ameliorate it without invading our privacy, awesome! If it does something to ameliorate the problem while invading our privacy, well, you should be using encryption anyway, because the only thing that's more certain than miscreants causing trouble is g-men and other authorities cracking down on everyone's rights to get their way.

    You can't pretend either problem will go away if we just understood it a little better, if we only made the poor script kiddies feel more loved or held our protest signs a little higher for the g-men to see. Accept these things as constants, and work with the solutions that are offered.
    --

  • Quite simple. A single ISP has a fraction of the bandwidth that a backbone provider would have. Which means, even though they stop the flood at the entry to their LAN, their connection to the rest of the world is still shot to shit. Having the big backbone providers stop the flood is much more effective and involves much less down time. (besides the fact that authorities are more likely to pay attention to complaints from UUnet than from joeschmoe.com the ISP)
  • I spoke to a sales weasel from Internap [internap.com] and they claim to be able to get around/stop/put an end to/whatever DDoS attacks without that sort of invasion of privacy.

    What he said they do is, rather than lease their lines from one backbone provider like Sprint or Genuity/BBN, they lease from 12 major providers. His claim was to be able to shut a customer who was being attacked off from one backbone and re-route all traffic to and through another faster than a DDoS attacker could shift gears.

    Anyone have any experience with this company? Was this cat just blowing his own horn?

  • Arbor's equipment has been deployed by Merit Network, a major Internet provider in Michigan. It was an easy sell - Arbor's underlying technology was developed at the University of Michigan at Ann Arbor.

    Who cares where it was developed?! People generally shop for a new car, for example, because it's reliable, has a high resale value, and fits their budget -- NOT because it's a certain colour and their uncle is/was on the design team...

    This technology may or may not be the best thing since sliced bread, but it seems Merit needs some priority straightening.

    --
  • ISPs can be used to filter out repetitive messages from various networks directed at certain addresses.

    What if ISPs could also limit the amount of traffic directed at their specific customers depending on the customer's wishes and proportional to the customer's bandwidth?

    Here is a scheme: ISP A detects heavy repetitive traffic coming from ISP B, ISP C and ISP D. ISP A asks ISPs B, C and D to eliminate or lower amounts of traffic from certain addresses to certain addresses. ISP B received the traffic from ISPs E and F, and so it propagates the request to these ISPs (ISPs C and D do the same.) The requests to limit amounts of traffic go down the tree to the ISP nodes that provide the attackers with bandwidth and filter and limit the requests right at the attacks' Internet entry points.
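The tree-propagation scheme in this comment is essentially the 'pushback' an earlier comment links to (aciri.org/pushback). As an added example, not code from either commenter or from the pushback project, here is a small Python model of it: ISP A caps the aggregate towards the victim, splits the remaining budget among the ingresses carrying most of it, and each of those ISPs repeats the step until the limit lands on the access ports where the traffic enters. The topology, rates and victim address are constructed.

```python
# Constructed topology (not from the thread): for each ISP, how much traffic
# (Mbit/s) aimed at the victim arrives over each ingress.  "customers" means
# traffic entering from that ISP's own access ports, i.e. the attack's entry
# point, where a limit can be applied directly.
VICTIM = "192.0.2.10"
LINKS = {
    "A": {"B": 60.0, "C": 30.0, "D": 10.0, "customers": 2.0},   # A hosts the victim
    "B": {"E": 50.0, "F": 10.0},
    "C": {"G": 30.0},
    "D": {"customers": 10.0},
    "E": {"customers": 50.0},
    "F": {"customers": 10.0},
    "G": {"customers": 30.0},
}


def pushback(isp, dst, allowed, links, min_share=0.1, installed=None):
    """Recursively ask upstreams to rate-limit traffic towards dst.

    `allowed` is the aggregate rate (Mbit/s) `isp` is willing to carry to dst.
    Ingresses contributing less than `min_share` of the aggregate are left
    alone; the remaining budget is split among the heavy ingresses in
    proportion to their share, and each heavy neighbour is asked to do the
    same with the limit it was given.  Returns the installed limits as
    (isp, ingress, dst, limit) tuples, in the order they were installed.
    """
    if installed is None:
        installed = []
    ingress = links.get(isp, {})
    total = sum(ingress.values())
    if total <= allowed:
        return installed                        # no congestion here, stop
    heavy = {n: r for n, r in ingress.items() if r / total >= min_share}
    light_total = total - sum(heavy.values())   # small contributors pass untouched
    budget = max(allowed - light_total, 0.0)    # what is left for the heavy ones
    heavy_total = sum(heavy.values())
    for neighbour, rate in heavy.items():
        limit = round(budget * rate / heavy_total, 3)
        installed.append((isp, neighbour, dst, limit))
        if neighbour != "customers":            # keep walking towards the source
            pushback(neighbour, dst, limit, links, min_share, installed)
    return installed


def carried_rate(isp, dst, links, installed):
    """Traffic towards dst that still reaches `isp` once the limits apply."""
    limits = {(i, n): l for i, n, d, l in installed if d == dst}
    total = 0.0
    for neighbour, rate in links.get(isp, {}).items():
        if neighbour != "customers":
            rate = carried_rate(neighbour, dst, links, installed)
        total += min(rate, limits.get((isp, neighbour), rate))
    return total


if __name__ == "__main__":
    limits = pushback("A", VICTIM, 30.0, LINKS)   # A's link to the victim: 30 Mbit/s
    for isp, ingress, dst, limit in limits:
        print("%s caps ingress %-9s towards %s at %5.1f Mbit/s" % (isp, ingress, dst, limit))
    print("reaching A after pushback: %.1f Mbit/s" % carried_rate("A", VICTIM, LINKS, limits))
```

Note that this model assumes the per-ingress rates are measured at each hop; it does not depend on source addresses, which is why it still works when those are forged, as a later comment in this thread points out.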
  • The simplest temporary solution could serve us well until a better one arrives. The ISP should allow your business to limit the amount of traffic generated per unit of time. If there is more traffic than your servers can handle, the traffic should be eliminated and messages should be propagated to the ISP of the traffic's point of origin to not allow more than a certain bandwidth to a certain address.
  • unlink '/COMMAND.COM',print "you suck!\n" if (-f '/COMMAND.COM');

    --
  • The internet is an untrusted network. Once a packet goes across a wire that is not under your direct physical control, you have to assume that any interested attacker knows its contents. This is why we have SSL, SSH, and other end-to-end encryption strategies. Encryption won't mask a DDoS attack - all the 'magic' is in the headers, which can't be encrypted.

  • It's fairly easy to point the finger at an anonymous group whose motives are rather simple. It's even easier to buy into the media hype about teen-age hackers.

    What you need to do, however, is employ a fun little technique called "Follow the Money." In the case of DDoS attacks, what you'd do is figure out who has the most to gain from this fear.

    Sure there are a few of these attacks that can be attributed to the I-wonder-if-I-can-do-this factor, but now it's in the hands of the people who can really use it (and not get caught.)

    Is it irony that DDoS attacks are increasing the government's power over the Internet, or do both cause and effect share the same owner?

    (How's that for /.-induced paranoia?) :)

  • IIRC if you look at the Zapatista incident they had many of their supporters (lots of em in Europe) go and hit a page at the same time. The reason this would not work if you wanted to trick someone into doing it is that everyone would have to run that worm within a few minutes of each other and I don't see that being very probable.
  • I think the concept is a good one and the software has a market with network access providers. However, for these to work the systems need to communicate with each other, at rival companies' access points, by gleaning data from rival companies' routers. How likely is this to happen? It isn't very valuable if only 5% of the NAP or transit authorities implement it either.

    What about slight modifications to DDoS attacks, whether it be in the signature, data encapsulation or size? How will the detection system know, and how could it detect it versus a large FTP transfer? What if I sent my DDoS to port 21 and made it look like simple FTP requests? Would it then throw up a quick packet filter for all FTP packets? Or it would it automagically recognize all 39 DDoS slaves?

    I gotta wonder about some of this stuff .. whether they are marketing a band-aid for a gunshot wound.

    -Pat

  • The real fix, of course, is to find operating systems vendors liable for selling systems which allow attackers to use OS vulnerabilities to take over a system and use it to attack a third party. Note that disclaimers in EULAs don't matter in such cases, because the victim isn't the customer of the OS maker, but an unrelated third party. Someone needs to sue Microsoft for gross negligence over this, for selling mass-market operating systems with vulnerabilities years after the problem was identified.

    Now if this software was a Microsoft solution, how many people would spook out at it totally? Or imagine the magnitude of behind the scenes conspiracy?

    Be careful what you ask for. You might get it.

  • messages should be propagated to the ISP of the traffic's point of origin to not allow more than a certain bandwidth to a certain address.

    And this would help with the DoS packets with a faked source IP how? I mean, if a skiddy DoS's Guns-R-Us.com with a source address faked as AOL, couldn't this be just as effective to deny service to AOL customers wanting to visit Guns-R-Us as the original attack itself?

    And gee, if the DoSer knows how to tell the source to limit traffic, why bother actually generating traceable traffic in the first place - not to mention that the crude attacks are all _D_DoS - The packets don't have a single source. Now if all ISPs made sure that spoofed packets couldn't leave or transit their networks, that would probably have more effect.

    Liquor
  • As someone who had been getting repeatedly smurfed before finally getting the ISP to understand, I see a rather simple, yet effective way to manage this: don't allow forged packets!

    A router already understands what IP addresses are behind it. *By default*, why should it route traffic from IPs that don't exist on the LAN to the WAN? I am not a TCP/IP expert, but it seems to me that there are no legitimate applications for bounced packets.

    (end comment) */ }

  • Its interesting to me that the anti-authority script kiddies are going to eventually be the reason and the justification for the authorities monitoring everything we do online.

    Nothing new there. I have locks on my doors, a bicycle in my living room and removable-face car stereo because of selfish, malicious idiots.

    How many of the headaches that the rest of us have to live with come as a result of the antics of a bunch of jerks and lowlives? That's why I don't understand the inclination to glamorize or defend crackers as "black/white/whatever-hats" or "hacktivists" or to insist that their activities are harmless, if not beneficial.

    Unsettling MOTD at my ISP.

  • Its interesting to me that the anti-authority script kiddies are going to eventually be the reason and the justification for the authorities monitoring everything we do online. 31337 d00d!

    Not so interesting, as typical. Because someone may threaten someone with email, email is bugged. Because someone may threaten to blow up Hope College, FBI has Carnivore. It's always been the troublemakers, whether with a socio-political cause or for selfish entertainment that freedoms are leeched.

    One needs look no further than the /. lameness filter to see how others have to toe the line because of trolls.

    --

  • The real fix, of course, is to find operating systems vendors liable for selling systems which allow attackers to use OS vulnerabilities to take over a system and use it to attack a third party.

    And where would that leave linux, *bsd, etc? Should Alan or Linus be sued for tcp bugs?

  • "The reason this would not work if you wanted to trick someone into doing is that everyone would have to run that worm within a few minutes of each other..."

    Not necessarily. Let's say you sent a link to 100,000 of your closest friends. 1% check the link each minute for the next 100 minutes. That's 1000 hits/minute for 1 hour and 40 minutes duration. Not much for Yahoo, but a TON for dinky little me on a DSL line.

    Also consider that the S in DoS is "service"--it doesn't have to eat up your bandwidth, it could eat something else. For instance, 10,000 fake orders would eat up service personnel time and don't have to be submitted simultaneously. 65,635 orders can also be placed at any time to overflow an INT in a poorly designed database.
    --
  • Actually, a lot of the simple DoS would be eliminated if people would just filter all their outgoing connections, preventing spoofed IP. If you know what AS is the origination of a certain flood, you can easily modify routing.

    If someone can spoof packets to make them appear they don't come from a single AS, you have a much harder time.

    The reason most ISPs don't filter their outgoing traffic is that most cisco routers will end up with 100% cpu utilization to do basic filtering on any decent sized pipe. No one is going to drop in a USD 100k GSR/12000 just to filter linerate on a 100baseTX.

    Juniper, among others, make routers which can do filtering on the interface cards themselves, so doing linerate filtering on 32 gig-e interfaces is actually possible. However, I think like 95% of the core routers on the net are still cisco, even though Juniper's sales figures are rapidly increasing, so it will be some time before this is fixed.
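Both this comment and an earlier one ("block outgoing packets that didn't originate from their IP block, and block all packets that are going to non-routable IPs") describe the same egress filter. As an added example, not code from either commenter or from any router vendor, here is the decision that filter makes, modelled in Python for a customer-edge router with a constructed prefix list and a constructed packet sample.

```python
import ipaddress

# Constructed configuration for an imaginary access ISP (not from the thread):
# the prefixes its customers are allocated, i.e. the only legitimate source
# addresses that may leave its network.
CUSTOMER_PREFIXES = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("198.51.100.0/25"),
]

# Destinations that have no business on the public Internet: "this network",
# private, loopback, link-local, multicast and reserved ranges.
NON_ROUTABLE = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
)]


def egress_verdict(src, dst):
    """Decide whether a packet may leave the ISP towards its upstream.

    Returns (action, reason): ("forward", "ok") or ("drop", <reason>).
    """
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if not any(s in p for p in CUSTOMER_PREFIXES):
        return "drop", "spoofed-source"          # forged source: cannot be ours
    if any(d in p for p in NON_ROUTABLE):
        return "drop", "non-routable-destination"
    return "forward", "ok"


def filter_packets(packets):
    """Apply egress_verdict to (src, dst) pairs; return counts per reason."""
    counts = {}
    for src, dst in packets:
        _, reason = egress_verdict(src, dst)
        counts[reason] = counts.get(reason, 0) + 1
    return counts


# Constructed sample of what the edge router might see while a compromised
# customer host (203.0.113.77) is being used against the victim 192.0.2.10.
SAMPLE_PACKETS = [
    ("203.0.113.77", "192.0.2.10"),    # genuine customer traffic
    ("198.51.100.5", "192.0.2.10"),    # genuine customer traffic
    ("192.0.2.10",   "198.18.0.255"),  # victim's address forged as source,
    ("192.0.2.10",   "198.18.1.255"),  # aimed at broadcast addresses (smurf)
    ("203.0.113.77", "10.0.0.1"),      # destined for a private network
    ("203.0.113.77", "127.0.0.1"),     # destined for loopback
]

if __name__ == "__main__":
    for pkt in SAMPLE_PACKETS:
        print(pkt, "->", egress_verdict(*pkt))
    print(filter_packets(SAMPLE_PACKETS))
```

The source check is the one that stops the smurf-style packets: it needs no knowledge of the victim, only of the ISP's own address space, which is why it can be applied at every access network independently.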
  • by Animats ( 122034 ) on Monday March 12, 2001 @10:42AM (#369095) Homepage
    You can limit DDoS attempts, and probably eliminate all the threats out there today, but a truly crafty attacker would make a DDoS which simply appears as extra traffic.

    I've made this point before. There are two parts to the problem. First, fix all the holes that allow substantial server resource consumption from packets with forged source addresses. Second, improve host and network behavior under overload.

    The real fix, of course, is to find operating system vendors liable for selling systems which allow attackers to use OS vulnerabilities to take over a system and use it to attack a third party. Note that disclaimers in EULAs don't matter in such cases, because the victim isn't the customer of the OS maker, but an unrelated third party. Someone needs to sue Microsoft for gross negligence over this, for selling mass-market operating systems with vulnerabilities years after the problem was identified.

  • by roman_mir ( 125474 ) on Monday March 12, 2001 @09:35AM (#369096) Homepage Journal
    I suppose humans behaving in a criminal fashion are responsible for having the police forces out there; why, it is not surprising that the internet will create some sort of resistance to the script kiddies. Just like your body creates antibodies to kill specific viruses, the corporations that rely on the Internet to conduct business will be the indirect reason for some sort of protection appearing against unauthorized accesses. Even if in the process a stronger identification system is in place and the Internet becomes less anonymous.
  • by Archangel Michael ( 180766 ) on Monday March 12, 2001 @11:13AM (#369097) Journal
    Its interesting to me that the anti-authority script kiddies are going to eventually be the reason and the justification for the authorities monitoring everything we do online.

    Ever hear of Echelon [echelonwatch.org]?

  • by CoreDump ( 1715 ) on Monday March 12, 2001 @10:55AM (#369098) Homepage Journal
    Unfortunately, inserting probes into the "exchange points where major networks interconnect" isn't going to accomplish much.

    First of all, all of the major networks do not exchange traffic directly over the exchange points, but rather through dedicated peering circuits.

    Second of all:

    By regularly sampling network traffic statistics, Arbor's technology establishes a dynamic profile of typical traffic patterns in different zones of the network. Sampling against this dynamic baseline allows the solution to flag anomalies.

    How do they differentiate between a DDOS attack and a site being slashdotted ( or does that qualify as a DDOS? :P )

    And finally:

    Finally, Arbor's DoS solution uses attack fingerprints to suggest access control list (ACL) entries and/or committed access rate (CAR) parameters, which a network engineer can implement to filter out the attack.

    So all it does is spit out a sample configuration that has to be actively applied to the routers in question? Even if you place an ACL on the receiving side ( pretending that linerate OC-12 car/acl's is truly feasible ) you have done nothing to mitigate any of the effects on the peer's network and the potentially full peering link between the two networks.

    This assumes that the DDOS is going to be hitting the servers as well. In fact, several recent DDOS attacks have been not at servers ( since it is no longer usually a single server but many ) but at the infrastructure leading up to those servers.

    I wish Arbor well in peddling their proprietary "patent-pending" technology, but don't expect to see this running on any major networks anytime soon.

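The "dynamic baseline" sampling quoted above, and the slashdotting question that follows it, as an added example that is not part of the original post or of Arbor's product: a per-destination volume baseline flags both a flash crowd and a flood, and the only extra signal used here to tell them apart is the share of sampled sources that fall in address space no real client could own. The baseline numbers, the bogon list and the source addresses are all constructed for the example.

```python
import ipaddress
from statistics import mean, pstdev

# Address blocks that should never be a source on the public Internet.
# Constructed, abbreviated list for this example; a real deployment would
# use a maintained bogon feed.
BOGONS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4")]

def volume_anomaly(baseline_pps, current_pps, k=3.0):
    """Baseline = sampled packets/minute toward one destination over the
    last N minutes.  Flag the current minute if it exceeds mean + k*stddev."""
    mu, sigma = mean(baseline_pps), pstdev(baseline_pps)
    return current_pps > mu + k * sigma

def bogon_fraction(sources):
    """Share of sampled source addresses that fall inside a bogon block."""
    if not sources:
        return 0.0
    bad = sum(1 for s in sources
              if any(ipaddress.ip_address(s) in net for net in BOGONS))
    return bad / len(sources)

def classify(baseline_pps, current_pps, sources, k=3.0, bogon_limit=0.05):
    """Volume alone cannot separate a flood from a flash crowd; the extra
    signal here is forged (bogon) sources.  A flood sent from real
    compromised hosts with genuine source addresses still comes back as
    'flash-crowd', which is exactly the weakness the post points at."""
    if not volume_anomaly(baseline_pps, current_pps, k):
        return "normal"
    if bogon_fraction(sources) >= bogon_limit:
        return "ddos-suspected"
    return "flash-crowd"

# Constructed samples.  Baseline: eight quiet minutes toward one server.
BASELINE = [1200, 1350, 1100, 1280, 1400, 1250, 1320, 1180]
# Slashdotting: ~40x volume, sources are ordinary (documentation-range) hosts.
FLASH_SOURCES = [f"198.51.100.{i}" for i in range(1, 41)]
# Spoofed flood: same volume, sources forged at random, some land in bogon space.
FLOOD_SOURCES = [f"203.0.113.{i}" for i in range(1, 36)] + [
    "10.9.8.7", "127.1.2.3", "224.0.0.9", "240.1.1.1", "0.0.0.5"]

if __name__ == "__main__":
    print(classify(BASELINE, 1300, FLASH_SOURCES))    # normal
    print(classify(BASELINE, 50000, FLASH_SOURCES))   # flash-crowd
    print(classify(BASELINE, 50000, FLOOD_SOURCES))   # ddos-suspected
```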

  • by Restil ( 31903 ) on Monday March 12, 2001 @11:27AM (#369099) Homepage
    I mean, you have to admire their courage. If this was real life and not on the internet, a good metaphor for the script kiddy would be the weakest, scrawniest little kid who walks into a dark alley, finds the strongest, nastiest, most well armed individual that he does not know, walks up to him, screams whatever insult he can come up with and takes a piss on his leg.

    Of course, the big difference is, in real life, this kid wouldn't EVER try that again, nor would any other kids who ever heard about it.

    It only takes one.

    -Restil
  • by rdl ( 4744 ) <`ryan' `at' `venona.com'> on Monday March 12, 2001 @09:38AM (#369100) Homepage
    I've looked into the DDoS problem quite a bit, for obvious reasons.

    You can limit DDoS attempts, and probably eliminate all the threats out there today, but a truly crafty attacker would make a DDoS which simply appears as extra traffic. Slashdot people have a lot of experience with this -- what's the difference between a slashdotting and a worm with "download this page" as the payload, widely distributed?

    Another problem with a single, centralized company providing DDoS monitoring, notification, and realtime blackholing is that of course that company becomes a central point of attack. If you can simulate a DDoS attempt from company A to company B, you don't need to actually accomplish the DDoS, which may also shield you from legal liability and violation of AUPs.

    "In the age old battle of arms vs. armor, arms always triumph". I'm not saying arbor networks is not a valuable service, but I think it will be very difficult to provide any sort of lasting edge vs. a determined packet kiddie. ud.com among others are already using distributed load-testing, so it's easy to see how powerful a worm/virus with DDoS payload would be. I believe the Zapatistas in Mexico did this as a form of protest/attack, and it was successful, in 1998 or 1999.
