- Joined
- Jun 30, 1998
- Location
- Bierland
I think it would be useful to post any informatio nthat some of might have concerning DDoS attacks. Since this is something that is plaguing not only this industry, but the Internet as a whole, we all should be doing whatever we can to fight this:
One thing is to preach to everyone we know who has a computer, (your mom, co-workers, teenagers, everyone) to have a firewall installed on their computer. If a person is on a continuous Internet connection, a trojan can snag hold of the computer and turn it into a zombie. Zombie computers are the ones that are programmed to take a site down.
I've been in touch with me server guys asking if there are any precautions that one can take. Here is their answer:
To be open and honest, if the attackers are very skilled at DDoS attacks, there is not much anyone can do about it... The Internet by nature was designed to be anonymous, so there is no way to know that a source IP is from a real person or is spoofed/forged...
With that said, there are a multitude of different types of DDoS attacks and the countermeasure to the DDoS attack is pretty much different each time...
In some cases, the attack is coming from millions of random forged source IP addresses that go nowhere... In the case of TCP connections, syncookies will handle that attack... In non TCP packets, then rate limiting would be applied...
If the packets are TCP and coming from zombie attack systems that have valid source addresses, then it gets more a bit more complicated... However it also gets easier because the set of IP addresses we have to wheedle down is vastly reduced... From there you watch the essence of the packet flows heading to your site and start masking out the bad traffic through process of elimination...
The above is two techniques of many... DDoS attacks parallel in many respects to combating spam... The problem is somewhat the same, how to tell what is valid and what is not, even if the problems is on two separate planes of existence...
In conclusion, there are methods to fend off DDoS attacks, however if the attacker is really good at it - and determined - there is nothing that anyone can do to stop it... That is simply the reality of how the internet was designed and works... There are many different countermeasures against DDoS attacks, but there is rarely ever a one sized fits all... Packet flows need to be studied and intelligent heuristics applied to try and identify what is good or bad...
Even high dollar professional gear, there are only a small handful of companies in this DDoS problem space, and even they will admit there is no 'magic bullet'...
Wish I could just say 'DDoS Attacks, yeah - no problem - We've got you covered'... However I can't since that is not the reality of DDoS attacks... The ultimate solution to DDoS attacks is for *all* ISPs to perform egress filtering on their networks and not allow spoofed packets to emerge from their networks... Unfortunately, due to some people having access to legions (10,000+) of zombie machines than spoofed IPs no longer become an issue since the packets will be coming from real/live IP addresses... All this stuff just sorta makes ones head spin...
One thing is to preach to everyone we know who has a computer, (your mom, co-workers, teenagers, everyone) to have a firewall installed on their computer. If a person is on a continuous Internet connection, a trojan can snag hold of the computer and turn it into a zombie. Zombie computers are the ones that are programmed to take a site down.
I've been in touch with me server guys asking if there are any precautions that one can take. Here is their answer:
To be open and honest, if the attackers are very skilled at DDoS attacks, there is not much anyone can do about it... The Internet by nature was designed to be anonymous, so there is no way to know that a source IP is from a real person or is spoofed/forged...
With that said, there are a multitude of different types of DDoS attacks and the countermeasure to the DDoS attack is pretty much different each time...
In some cases, the attack is coming from millions of random forged source IP addresses that go nowhere... In the case of TCP connections, syncookies will handle that attack... In non TCP packets, then rate limiting would be applied...
If the packets are TCP and coming from zombie attack systems that have valid source addresses, then it gets more a bit more complicated... However it also gets easier because the set of IP addresses we have to wheedle down is vastly reduced... From there you watch the essence of the packet flows heading to your site and start masking out the bad traffic through process of elimination...
The above is two techniques of many... DDoS attacks parallel in many respects to combating spam... The problem is somewhat the same, how to tell what is valid and what is not, even if the problems is on two separate planes of existence...
In conclusion, there are methods to fend off DDoS attacks, however if the attacker is really good at it - and determined - there is nothing that anyone can do to stop it... That is simply the reality of how the internet was designed and works... There are many different countermeasures against DDoS attacks, but there is rarely ever a one sized fits all... Packet flows need to be studied and intelligent heuristics applied to try and identify what is good or bad...
Even high dollar professional gear, there are only a small handful of companies in this DDoS problem space, and even they will admit there is no 'magic bullet'...
Wish I could just say 'DDoS Attacks, yeah - no problem - We've got you covered'... However I can't since that is not the reality of DDoS attacks... The ultimate solution to DDoS attacks is for *all* ISPs to perform egress filtering on their networks and not allow spoofed packets to emerge from their networks... Unfortunately, due to some people having access to legions (10,000+) of zombie machines than spoofed IPs no longer become an issue since the packets will be coming from real/live IP addresses... All this stuff just sorta makes ones head spin...
