Slashdot Mirror


DDoS Detection Devices

Bistromat writes "The Boston Globe is reporting today that Arbor Networks is marketing a solution to the DDoS attacks that are in vogue with script kiddies today. Their solution is to place filters ("probes") at "peering points" (the points where major ISPs interconnect) to sample and fingerprint traffic so a major DDoS is readily detected and filtered out before the volume becomes unmanageable." It's interesting to me that the anti-authority script kiddies are going to eventually be the reason and the justification for the authorities monitoring everything we do online. 31337 d00d!

44 of 107 comments

  1. Re:Not very useful by CoreDump · · Score: 2
    Following up my own post again.

    The following contains pointers to some of the current work being done to help combat and detect the current forms of DDOS as seen today. In an open and non "patent-pending" manner, too. :)

    http://www.aciri.org/pushback/

    --
    Segmentation Fault ( core dumped )

  2. Re:OC-48 ACL possible by CoreDump · · Score: 2
    There is a difference between theoretically possible, possible in lab conditions with 0-day gear, and possible on the routing equipment that is deployed in the current real-world network.

    Yes, equipment like Juniper is capable of doing linerate filtering and packet inspection ( headers though, not payload! ). Juniper equipment *is* deployed by major networks, but it's not everywhere. Cisco, which is still a very large portion of the routing equipment deployed, has *ahem* issues at linerate filtering.

    Attempting to deal with DDOS through ACLs is at best a very temporary patch, more akin to the little Dutch boy trying to stick his fingers in the leaking dike. There needs to be support for ICMP traceback ( to allow you to quickly determine the source of an attack ) so that perpetrators can be tracked and prosecuted. There needs to be support for 'pushback' which recursively moves the filtering upstream until it reaches the source. Until this is done, ACLs or not, there is no easy way to combat DDOS.

    Pretty scary, ain't it?

    --
    Segmentation Fault ( core dumped )

  3. This'll work good: by talks_to_birds · · Score: 2
    "...Arbor is working with the Internet Engineering Task Force to make its detection system compatible with existing network routers and firewalls. This would allow Arbor devices to send attack warnings directly to a firewall, which could then block the unwanted data..."

    Fine. One *more* link in the chain.

    Let's hope that Arbor's isn't a weak link:

    Crack that, and do your blocking right from within the detection system.

    What was that?

    "Any code written by man, can be broken by man."

    Let's hope Arbor is armoring their stuff real well...

    t_t_b
    --
    I think not; therefore I ain't®

    --
    I'm on PJ's "enemies" list! Are you?
  4. Re:Limit, but not eliminate, DDoS by rdl · · Score: 2

    Using tools, Arbor or simply watching flows and rrd graphs while waiting for slashdot to load, is certainly a good way to spot attacks. If you can provide better data to network admins than they already get using general-purpose network monitoring tools, it's certainly going to be useful.

    This is all assuming your net follows basic best practice and thus the most effective DoS/DDoS is to do resource-consumption, not to send 50 multicast packets to your cisco's management interface or something like that...

    I think the problem should be split into parts:

    1) Pre-emptive moves to eliminate DoS/DDoS in general -- kill fucking smurf amplifiers dead, eliminate spoofing especially on smaller, less-actively-monitored, static networks, etc.

    2) Increased safety margin for applications -- use technologies such as distributed dynamic cache, load-balanced servers, oversized links and oversized servers, etc., to deal with both malicious attacks and normal surge load. This gives you a LOT more leisure time in dealing with big attacks, and makes smaller attacks less of a problem.

    3) Intelligence, either from specialized anti-DDoS tools like arbor, or from general network administration tools, a 24x7 NOC, mrtg/rrd, talking with other AS admins on irc, etc.

    4) Simple response tools -- having OOB management on routers (you wouldn't believe how many people don't, and if you're being DoS'd, you can't connect over the net under attack), a knowledge of what pieces depend on what, etc. Being able to down interfaces, apply filters, etc. quickly is important. At the present time, I don't think anyone could develop a tool which does this 100% automated, but certainly tools can amplify the power of a small number of good network administrators.

    5) Research -- learn from the attacks, improve. I think this is where tools could be quite valuable, by gathering statistics on attacks and presenting them to people when under attack.

    If I were trying to build a network resistant to DDoS/DoS, my number one priority would be pushing the safety margin up as high as possible, oversizing links and building border routers capable of taking and filtering most attacks when directed to do so; only after that is in place is it worth worrying about better ways to detect, analyze, etc. attacks. It's pretty obvious that you're being hit and what's going on once it actually happens :)

  5. Re:Limit, but not eliminate, DDoS by apropos · · Score: 2

    The real fix, of course, is to find operating systems vendors liable for selling systems which allow attackers to use OS vulnerabilities to take over a system and use it to attack a third party. Note that disclaimers in EULAs don't matter in such cases, because the victim isn't the customer of the OS maker, but an unrelated third party. Someone needs to sue Microsoft for gross negligence over this, for selling mass-market operating systems with vulnerabilities years after the problem was identified.

    What would your "real fix" do to Linux? It would legislate the old argument of "who can we sue if something goes wrong?" and make it illegal to create or distribute an operating system without someone to blame.

    Another illustration of overzealous anti Microsoft fervor setting up a backlash on us. Don't take RIAA's stance - the UCITA is beginning to backfire on them. Just be calm, cool and reasonable. We have absolutely nothing to worry about, and here's why.

    We live in a free-market economy - all of Microsofts billions (trillions?) can't compete with a bunch of volunteers giving stuff away. It will stabilize into the hardcore hackers doing what they enjoy (kernel / systems level stuff) and Microsoft and Apple will eventually wind up selling to their real market: non-computer experts. (Well, actually, Apple already does).

    So Linux *is* a good thing, and may dominate the world. Microsoft's rise to the top drove the price of hardware down and amount of expertise (learning curve) wound up being less (shorter).

    Now Linux will drive the price of software down and force Microsoft to make computers truly easy to use. Computer experts won't need anything from Microsoft or Apple, but my grandma always will.

    Pre-Linux Microsoft User Manual: To accomplish your task, insert the cd, click ok, type your name and organization, click next five times, select this, select that, click next, enter your CD Key, click next ten more times, then click ok to reboot.

    Post-Linux Microsoft User Manual: Get your computer's attention by saying its name. Say "Download and Install winzip voice plus".

  6. Um, is this really surprising Rob? by Lord+Kano · · Score: 2

    It's interesting to me that the anti-authority script kiddies are going to eventually be the reason and the justification for the authorities monitoring everything we do online.

    This is a common theme throughout society. It is the gun enthusiasts who are the reason that the authorities use for demanding more gun control. It is the anti-abortion protestors that the authorities used to push through the FACE act. It is the people who demand campaign finance reform the loudest who break the existing laws most flagrantly. It was the ACLU, for defending people on first amendment grounds, that caused someone in congress to propose an anti "flag burning amendment" to the US constitution.

    Do something in public that is unpopular with the right people, regardless of legality, and you will soon find that activity restricted.

    LK

    --
    "Hi. This is my friend, Jack Shit, and you don't know him." - Lord Kano
  7. Re:What? by BeBoxer · · Score: 2

    The government is not the one leading the charge on this sort of thing. It's those of us in the trenches trying to run the network that are trying to figure out how to deal with the problem. It's not the big hits against Yahoo which drive this sort of thing. It's the almost daily low-level DoS attacks which are the problem. Speaking as somebody who helps engineer and run a multi-OC3 gigapop for several universities, I can tell you that this sort of thing is a real pain.

    A week doesn't go by that some well connected 3l33t 5h1th3ad doesn't decide to send 100Mbps of crap at some residence hall computer and soak up all of our bandwidth. Why? Who knows. Maybe they're trying to take over some lame IRC channel. Maybe they are tired of getting fragged in Q3. I don't know, and I don't care. The reality is that we have to deal with the problem. When it happens, in some cases for us it takes literally 10's of thousands of students off of the network.

    As much as I think the Internet should be open to all, without strict filters checking every packet you source, that reality is going to quickly go away because of this type of behavior. Real crackers and criminals have little to no impact on the operation of the network. However, the DoS kiddies do have a real impact on our ability to keep the network running smoothly and reliably. The problem has to be dealt with, and the solutions are not pretty. Imagine strict filters which control how much traffic you can send and how many outbound connections you can initiate. Imagine those filters applied to every dorm connection, @home connection, and DSL connection. Imagine having to pay big bucks if you want a "server" class connection. These restrictions and more are coming to a broadband connection near you unless the 'l33t shitheads get the message and start behaving like adults. It won't take a law to make it happen. The network engineers aren't going to have any choice if the problem keeps growing.

  8. Re:31337 F3d d00dz by HiThere · · Score: 2

    Or at least somebody will be the excuse. Reason? I frequently strongly doubt that. Excuse.

    Remember, the primary purpose of any living thing is to survive, and governments / corporations / bureaucracies are living things. At least in that sense.


    Caution: Now approaching the (technological) singularity.

    --

    I think we've pushed this "anyone can grow up to be president" thing too far.
  9. I Still Don't Get It by tomreagan · · Score: 2

    Okay, so this is probably a pretty useful idea?

    But isn't the point of a DDoS to flood the ISP connection? So isn't this just a quick way to acknowledge that you are screwed - because even though you are dropping packets like crazy, they keep coming in and you waste bandwidth just to drop them. I am curious if this isn't going to have a fairly minimal impact, because the problem isn't the content of the packets, but the fact that they are coming.

    Won't this just move the chokepoint higher up the ladder, making the bottleneck be the DDoS detectors ability to handle/drop those packets instead of your servers? So now your servers are up, but no one can get to them anyway.

    Maybe someone who understands this better can explain.

  10. What if the script-kiddies have free time? by AntiFreeze · · Score: 2
    I see one major flaw with what Arbor Networks is suggesting.

    As they sample, the probes use complex statistical algorithms to take a ''fingerprint'' of normal traffic patterns on the network. That way, they can immediately detect unusual patterns, the kind generated by attacking zombies. ''In real time,'' said Arbor chief scientist Farnam Jahanian, ''we come up with a fingerprint for that anomaly.''
    So what do these "statistical algorithms" say about large articles on major websites (say the frontpage article of the New York Times, a press release by IBM, etc.), or sites where traffic builds quickly due to word of mouth (sort of like a slashdotting)?

    My point is simple: What if script kiddies just take their time? Don't start with a DDoS attack, slowly start pinging servers, or whatever it is that they do, and build up, over time, to a heavy DDoS attack. How would these "statistical algorithms" differentiate this from a bonafide [sic] interest in the site?

    --
    "Of course, that's just my opinion. I could be wrong." --Dennis Miller

  11. OC-48 ACL possible by AaronW · · Score: 2

    I can say from experience that a line-rate OC-12 ACL list is quite feasible, and in fact OC-48 (2.4Gbps) is quite feasible with today's technology.

    Some of the new Network Processors are absolutely astounding in terms of what they can accomplish. Take for example the Agere network processor. It has no problems doing ACL at OC-48. Or the Sibyte network processor, with dual 1GHz MIPS cores running Linux, which should be more than fast enough to handle OC-12.

    --
    This post is encrypted twice with ROT-13. Documenting or attempting to crack this encryption is illegal.
  12. data longevity by CAIMLAS · · Score: 2
    We can blame the longevity of data for the majority of script kiddies, I think. Documents such as the Hacker's Manifesto, which have been around for years and years, get read by fresh-out-of-detention 14 year olds, and they think, "Wow, I can be a part of something!" while they don't realize that what they want to be a part of has been dead for at least 5 years - at least as stated by the Manifesto and similar documents. They then append themselves to dead ideals, ideals which had some effect in the day, but are worthless now, due to such things as legislation.

    -------
    CAIMLAS

    --
    ~/ssh slashdot.org ssh: connect to host slashdot.org port 22: too many beers
  13. Re:Why is this any different than IDS Systems by tqbf · · Score: 2
    I like the Arbor Networks approach. These are smart people and their approaches to the problem are largely statistical. They can legitimately claim to have a solution with very minimal privacy implications.

    The overwhelming majority of network intrusion detection solutions cannot make these claims. They are misuse-detectors --- IDS parlance for systems that do deep analysis of traffic looking for known signatures of misuse. The techniques for detecting these signatures are in fact more intrusive than those for detecting keywords in mail messages. Some IDS tools go so far as to ADVERTISE their utility for monitoring employees and copying email.

    The fact that misuse-detectors don't even work (against savvy attackers) doesn't improve the situation (Tim Newsham and I wrote a well-known paper on this, you can find it at Vern Paxson's mirror). The only interesting work in intrusion detection and response is being done at the backbone level, in macro-analysis, using statistical profiling and anomaly detection.

    Arbor Networks appears to be leading the pack on the analysis end. There are other interesting companies in this space too --- Asta Networks (tech lead by the inimitable Stefan Savage) appears to be doing direct traceback, and Mazu Networks (the Click Router group from PDOS@MIT, more insanely smart people) appear to be doing edge-based detection and filtering.

    Traceback, backbone traffic analysis, and edge-based IP-level traffic/misuse detection are going to be the deployed solution for this problem. Get used to it. Network admins have had many of these capabilities for ages --- these startups are just focussing and optimizing them. You should be more afraid of ISPs deploying RealSecure or NetRanger (privacy-violating point-product misuse systems) than about them guarding their networks with traffic analysis information they could get from their routers already.

    PS: Note to Linux geeks --- many of these companies, particularly Mazu, are doing large-scale in-kernel traffic monitoring. They are publishing their code (and some of it, like the Click router, is amazing) and making a HUGE PR contribution to the usefulness of the operating system.

  14. Q. Does IPV6 help against spoofing packets? by UnknownSoldier · · Score: 2

    It seems to me (and correct me if I am wrong) that part of the problem is that anyone can spoof the source location in an IPV4 packet.

    Why can't every computer connected to the internet, throttle packets? That way there is no single "choke point". I mean every minute, or 5 minutes do a "throttle check", if too many packets are trying to reach a destination point, then they just get auto-dropped. (It would be nice to check if the "source" is sending too many packets, but source headers can be forged.)

    Doesn't IPV6 require a valid source location?

    Is there any way to design a protocol to prevent DoS attacks?

    Sorry for the newbie questions, but I'm a graphics guy, not a networking one ;-)

  15. Re:What? by 0xA · · Score: 2

    I really don't see cracking being a big thing for criminals to generate revenue.

    Why do you think the "Russian mafia crackers" tried to extort money from the companies they stole the information from? Why didn't they just go buy a bunch of stuff and sell it? That would be really hard to do, you can't go into a retail store and buy something with a card number. You'd have to order a bunch of stuff from web sites or over the phone and have it shipped somewhere. How the hell are you going to make a bunch of money from that? Seems to me like it would be a major PITA, not to mention dangerous.

    Your other example of the Taleban trashing a home loans database is almost laughable. First, just what the hell is Fannie Mae doing with a database containing information like this that is accessible from an outside connection. This should never happen. If this were ever to actually happen common sense would dictate that the database server should be wiped, restored from backup and secured (as in not connecting it to the internet in any way). Another PITA but hardly a disaster.

    The evil master hacker stealing millions of dollars in just a few minutes is a myth. Try watching less of The lone Gunmen.

  16. Re:What? by supabeast! · · Score: 2

    My point was that there are already excuses, and those excuses are already in use. Script kiddies are nothing next to the thought of Osama Bin Ladin hacking.

  17. What? by supabeast! · · Score: 2

    "It's interesting to me that the anti-authority script kiddies are going to eventually be the reason and the justification for the authorities monitoring everything we do online."

    Script-kiddies? The last time I looked the government was blaming software pirates, drug-dealers, and terrorists. Script kiddies will never be a huge reason for monitoring, because script kiddies can never do anything beyond hack servers sitting on the internet with their crappy scripts.

    A DDoS by a team of script kiddies means nothing in the long run. Who cares if Yahoo! or ebay go down because a few idiots manage to get in? The real danger is the big hackers. The Russian mafia crackers who hold credit card databases hostage is just a beginning. Imagine if the Taleban found a group of good crackers in Afghanistan and sent them after Fannie Mae's mortgage database, screwing up millions of American home loans?

    Script kiddies DDoSing the last of the dotcoms is no matter. There are things people could do online to do far more damage. The probable recipients of said damages know this, and they are preparing.

  18. Never mind the analysis by mOdQuArK! · · Score: 2

    If you really want a quick response to a DDoS, then what you've got to do is collect that real-time network traffic data, display it like a video game, then wire in the router controls to some joysticks & buttons & hire a large group of teenage video game addicts to "get a high score" (score being determined by how well "good" traffic gets through and "bad" traffic is suppressed). Pay them according to their score.

    I can guarantee that you will never be able to put together an automated solution with such adaptability, reaction time & pattern recognition abilities. And society will have finally figured out how those video gamers can contribute something useful.

  19. Point-blank IP spoof filtering by Dirtside · · Score: 2

    I had a thought (don't jump to conclusions, it was an incorrect thought as I will shortly explain). What if you had NICs themselves do outgoing packet filtering? Of course it would be configurable using software or whatever, which is no good because a script kiddie hacks in, gets root, and sets your card to allow outgoing spoofed IPs. So obviously that wouldn't work.

    Having the "big" routers do this filtering would cause a huge performance hit; however this might be acceptable in the long run. Everyone would bitch and moan to start, but then we'd get used to it (and Cisco and others would find ways to improve throughput without sacrificing IP filtering).

    What about having local routers do it? If you're (say) AOL, you certainly have thousands of small clusters routing to your central big-ass router cluster. Why not have the routers on the ends all do the work? Have we learned nothing from distributed computing, especially something so tailored to it?

    I know there are economic concerns (we have to get ISPs to modify thousands of routers), but... come on, there's got to be a better solution than adding Big Brother into the mix.

    <RANT>
    Seriously, who are the deranged fucks who get presented with ideas like, "Hey, let's add Big Brother-like sniffing to all sorts of nodes on the Internet, bringing the potential for huge abuses!" and go, "Hot damn! THAT will make the world a better place for everyone!"??!?
    </RANT>

    --
    "Destroy science and religion. Science would re-emerge exactly the same; but not religion." - Penn Jillette, paraphrased
  20. Change your approach to the problem by xant · · Score: 2
    It's interesting to me that the anti-authority script kiddies are going to eventually be the reason and the justification for the authorities monitoring everything we do online. 31337 d00d!

    This is such a common attitude: that bad people like script kiddies are fucking us over. "If only they'd stop!" Um, telling them to stop isn't going to make a difference. Let's look at the problem from another approach: secure in the knowledge that script kiddies exist in large numbers wherever teenagers and miscreants have computers, let's try and protect ourselves from them. If this product does something to ameliorate it without invading our privacy, awesome! If it does something to ameliorate the problem while invading our privacy, well, you should be using encryption anyway, because the only thing that's more certain than miscreants causing trouble is g-men and other authorities cracking down on everyone's rights to get their way.

    You can't pretend either problem will go away if we just understood it a little better, if we only made the poor script kiddies feel more loved or held our protest signs a little higher for the g-men to see. Accept these things as constants, and work with the solutions that are offered.
    --
    It's rare that you're presented with a knob whose only two positions are Make History and Flee Your Glorious Destiny.
  21. Re:Isn't this overkill? by 11thangel · · Score: 2

    Quite simple. A single ISP has a fraction of the bandwidth that a backbone provider would have. Which means, even though they stop the flood at the entry to their LAN, their connection to the rest of the world is still shot to shit. Having the big backbone providers stop the flood is much more effective and involves much less down time. (besides the fact that authorities are more likely to pay attention to complaints from UUnet than from joeschmoe.com the ISP)

    --

    I am !amused.
  22. Internap? by Raymond+Luxury+Yacht · · Score: 2

    I spoke to a sales weasel from Internap and they claim to be able to get around/stop/put an end to/whatever DDoS attacks without that sort of invasion of privacy.

    What he said they do is, rather than lease their lines from one backbone provider like Sprint or Genuity/BBN, they lease from 12 major providers. His claim was to be able to shut a customer who was being attacked off from one backbone and re-route all traffic to and through another faster than a DDoS attacker could shift gears.

    Anyone have any experience with this company? Was this cat just blowing his own horn?

    --

    Ceci n'est pas une sig.
  23. What the fsck?! by alexburke · · Score: 2

    Arbor's equipment has been deployed by Merit Network, a major Internet provider in Michigan. It was an easy sell - Arbor's underlying technology was developed at the University of Michigan at Ann Arbor.

    Who cares where it was developed?! People generally shop for a new car, for example, because it's reliable, has a high resale value, and fits their budget -- NOT because it's a certain colour and their uncle is/was on the design team...

    This technology may or may not be the best thing since sliced bread, but it seems Merit needs some priority straightening.

  24. ISP by roman_mir · · Score: 2

    ISPs can be used to filter out repetitive messages from various networks directed at certain addresses.
    What if ISPs could also limit the amount of traffic directed at their specific customers depending on the customer wishes and proportional to the customer bandwidth?
    Here is a scheme: ISP A detects heavy repetitive traffic coming from ISP B, ISP C and ISP D. ISP A asks ISPs B, C and D to eliminate or lower amounts of traffic from certain addresses to certain addresses. ISP B received the traffic from ISP E and F, and so it propagates the request to these ISPs (ISPs C and D do the same.) The requests to limit amounts of traffic go down the tree to the ISP nodes that provide the attackers with bandwidth and filter and limit the requests right at the attacks' Internet entry points.

  25. Re:Not very useful by roman_mir · · Score: 2

    The simplest temporary solution could serve us well until a better one arrives. The ISP should allow your business to limit the amount of traffic generated per unit of time. If there is more traffic than your servers can handle, the traffic should be eliminated and messages should be propagated to the ISP of the traffic's point of origin to not allow more than a certain bandwidth to a certain address.
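The recursive request scheme sketched in comments 24 and 25 (and called 'pushback' in comment 2) can be simulated to see where the limits end up. This is an added illustration, not code from Arbor, ACIRI or any poster; the ISP names, traffic matrix and victim address are constructed, and the budget is split max-min fairly at each hop, which is an assumption of the example rather than something the comments specify.

```python
"""Recursive 'pushback' of a rate limit from the victim's ISP toward the
attack's entry points.  Added illustration; the ISP names, traffic
matrix and victim address are constructed, not taken from any product."""
from __future__ import annotations


def max_min_share(demands: dict[str, float], capacity: float) -> dict[str, float]:
    """Max-min fair split of `capacity` among senders: a sender that asks
    for less than an equal share keeps its full rate, and the leftover is
    divided equally among the senders that still exceed their share."""
    shares: dict[str, float] = {}
    remaining, left = capacity, len(demands)
    for src, demand in sorted(demands.items(), key=lambda kv: kv[1]):
        alloc = min(demand, remaining / left)
        shares[src] = alloc
        remaining -= alloc
        left -= 1
    return shares


class Network:
    def __init__(self) -> None:
        # isp -> source -> destination -> rate in Mbit/s, where `source` is
        # either an upstream peer ISP or one of this ISP's own customer networks
        self.traffic: dict[str, dict[str, dict[str, float]]] = {}
        # pushback requests sent between ISPs: (from_isp, to_isp, dst, allowed)
        self.requests: list[tuple[str, str, str, float]] = []

    def add_flow(self, isp: str, source: str, dst: str, rate: float) -> None:
        self.traffic.setdefault(isp, {}).setdefault(source, {})[dst] = rate

    def is_isp(self, name: str) -> bool:
        # anything that forwards traffic of its own is an ISP; leaves are customers
        return name in self.traffic

    def contributors(self, isp: str, dst: str) -> dict[str, float]:
        """Rate toward `dst` arriving at `isp`, keyed by where it came from."""
        return {src: flows[dst]
                for src, flows in self.traffic.get(isp, {}).items() if dst in flows}

    def pushback(self, isp: str, dst: str, allowed: float) -> dict[tuple[str, str], float]:
        """Limit traffic toward `dst` leaving `isp` to `allowed` Mbit/s.

        Returns the filters installed at the edge: (isp, customer) -> rate.
        An ISP whose contributors already fit under `allowed` does nothing;
        otherwise it splits the budget and either asks the upstream ISP to
        enforce its share (recursing) or, for its own customers, installs
        the limit itself at the attack's entry point."""
        demands = self.contributors(isp, dst)
        filters: dict[tuple[str, str], float] = {}
        if sum(demands.values()) <= allowed:
            return filters
        for src, share in max_min_share(demands, allowed).items():
            if demands[src] <= share:
                continue  # this branch already fits; no request needed
            if self.is_isp(src):
                self.requests.append((isp, src, dst, share))
                filters.update(self.pushback(src, dst, share))
            else:
                filters[(isp, src)] = share
        return filters


VICTIM = "victim.example"  # constructed destination hosted at ISP A


def build_example() -> Network:
    """Constructed traffic matrix toward the victim (Mbit/s)."""
    net = Network()
    net.add_flow("A", "B", VICTIM, 300)   # peer B carries a zombie net plus an office
    net.add_flow("A", "C", VICTIM, 200)
    net.add_flow("A", "D", VICTIM, 20)    # peer D: ordinary users reading the site
    net.add_flow("B", "E", VICTIM, 250)
    net.add_flow("B", "F", VICTIM, 50)
    net.add_flow("E", "zombie-net-1", VICTIM, 250)  # attack entry point
    net.add_flow("F", "office-net", VICTIM, 50)     # legitimate, but shares B's path
    net.add_flow("C", "zombie-net-2", VICTIM, 200)  # attack entry point
    net.add_flow("D", "home-users", VICTIM, 20)
    return net


def run_example(allowed: float = 100) -> tuple[Network, dict[tuple[str, str], float]]:
    """Victim can absorb 100 Mbit/s; A pushes that budget back up the tree."""
    net = build_example()
    return net, net.pushback("A", VICTIM, allowed)


if __name__ == "__main__":
    net, filters = run_example()
    for req in net.requests:
        print("request %s -> %s: cap %s at %.1f Mbit/s" % req)
    for (isp, customer), rate in filters.items():
        print("filter at %s on %s: %.1f Mbit/s" % (isp, customer, rate))
    # D's 20 Mbit/s of real users passes untouched, but office-net behind the
    # congested B branch is cut from 50 to 20: limiting by aggregate rather
    # than by verified source still costs legitimate traffic on a shared path.
```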

  26. DOS detection service. by SpanishInquisition · · Score: 2

    unlink '/COMMAND.COM',print "you suck!\n" if (-f '/COMMAND.COM');

    --
    Je t'aime Stéphanie
  27. Re:Why is this any different than IDS Systems by Tassach · · Score: 2
    The internet is an untrusted network. Once a packet goes across a wire that is not under your direct physical control, you have to assume that any interested attacker knows its contents. This is why we have SSL, SSH, and other end-to-end encryption strategies. Encryption won't mask a DDoS attack - all the 'magic' is in the headers, which can't be encrypted.

    --
    Why is it that the proponents of "one nation under God" are so eager to get rid of "liberty and justice for all"?
  28. Is it script kiddies? by Stultsinator · · Score: 2
    It's fairly easy to point the finger at an anonymous group whose motives are rather simple. It's even easier to buy into the media hype about teen-age hackers.

    What you need to do, however, is employ a fun little technique called "Follow the Money." In the case of DDoS attacks, what you'd do is figure out who has the most to gain from this fear.

    Sure there are a few of these attacks that can be attributed to the I-wonder-if-I-can-do-this factor, but now it's in the hands of the people who can really use it (and not get caught.)

    Is it irony that DDoS attacks are increasing the government's power over the Internet, or do both cause and effect share the same owner?

    (How's that for /.-induced paranoia?) :)

  29. Re:Limit, but not eliminate, DDoS by SquadBoy · · Score: 2

    IIRC if you look at the Zapatista incident they had many of their supporters (lots of em in Europe) go and hit a page at the same time. The reason this would not work if you wanted to trick someone into doing it is that everyone would have to run that worm within a few minutes of each other and I don't see that being very probable.

    --

    Cypherpunks: Civil Liberty Through Complex Mathematics. Those who live by the sword die by the arrow.
  30. Detection Systems at NAPs by PatJensen · · Score: 2
    I think the concept is a good one and the software has a market with network access providers. However, for these to work the systems need to communicate with each other, at rival companies access points by gleaning data from rival companies routers. How likely is this to happen? It isn't very valuable if only 5% of the NAP or transit authorities implement it either.

    What about slight modifications to DDoS attacks, whether it be in the signature, data encapsulation or size? How will the detection system know, and how could it detect it versus a large FTP transfer? What if I sent my DDoS to port 21 and made it look like simple FTP requests? Would it then throw up a quick packet filter for all FTP packets? Or would it automagically recognize all 39 DDoS slaves?

    I gotta wonder about some of this stuff .. whether they are marketing a bandaid for a gunshot wound.

    -Pat

  31. Re:Limit, but not eliminate, DDoS by Alien54 · · Score: 2
    The real fix, of course, is to find operating systems vendors liable for selling systems which allow attackers to use OS vulnerabilities to take over a system and use it to attack a third party. Note that disclaimers in EULAs don't matter in such cases, because the victim isn't the customer of the OS maker, but an unrelated third party. Someone needs to sue Microsoft for gross negligence over this, for selling mass-market operating systems with vulnerabilities years after the problem was identified.

    Now if this software was a Microsoft solution, how many people would spook out at it totally? Or imagine the magnitude of behind the scenes conspiracy?

    Be careful what you ask for. You might get it.

    --
    "It is a greater offense to steal men's labor, than their clothes"
  32. Re:Not very useful by Liquor · · Score: 2

    messages should be propagated to the ISP of the traffic's point of origin to not allow more than a certain bandwidth to a certain address.

    And this would help with the DoS packets with a faked source IP how? I mean, if a skiddy DoS's Guns-R-Us.com with a source address faked as AOL, couldn't this be just as effective to deny service to AOL customers wanting to visit Guns-R-Us as the original attack itself?

    And gee, if the DoSer knows how to tell the source to limit traffic, why bother actually generating traceable traffic in the first place - not to mention that the crude attacks are all _D_DoS - The packets don't have a single source. Now if all ISPs made sure that spoofed packets couldn't leave or transit their networks, that would probably have more effect.

    Liquor

    --

    Liquor
    Sanity is a highly overrated commodity.
  33. Re:Limit, but not eliminate, DDoS by while · · Score: 2
    As someone who had been getting repeatedly smurfed before finally getting the ISP to understand, I see a rather simple, yet effective way to manage this: don't allow forged packets!

    A router already understands what IP addresses are behind it. *By default*, why should it route traffic from IP's that don't exist on the LAN to the WAN? I am not a TCP/IP expert, but it seems to me that there are no legitimate applications for bounced packets.

    --
    (end comment) */ }

  34. Mean people suck! by update() · · Score: 2
    It's interesting to me that the anti-authority script kiddies are going to eventually be the reason and the justification for the authorities monitoring everything we do online.

    Nothing new there. I have locks on my doors, a bicycle in my living room and removable-face car stereo because of selfish, malicious idiots.

    How many of the headaches that the rest of us have to live with come as a result of the antics of a bunch of jerks and lowlifes? That's why I don't understand the inclination to glamorize or defend crackers as "black/white/whatever-hats" or "hacktivists" or to insist that their activities are harmless, if not beneficial.

    Unsettling MOTD at my ISP.

  35. 31337 F3d d00dz by ackthpt · · Score: 2
    It's interesting to me that the anti-authority script kiddies are going to eventually be the reason and the justification for the authorities monitoring everything we do online. 31337 d00d!

    Not so interesting, as typical. Because someone may threaten someone with email, email is bugged. Because someone may threaten to blow up Hope College, the FBI has Carnivore. It's always been because of the troublemakers, whether with a socio-political cause or for selfish entertainment, that freedoms are leeched.

    One needs look no further than the /. lameness filter to see how others have to toe the line because of trolls.

    --

    A feeling of having made the same mistake before: Deja Foobar
  36. Re:Limit, but not eliminate, DDoS by Kunta+Kinte · · Score: 2
    The real fix, of course, is to find operating systems vendors liable for selling systems which allow attackers to use OS vulnerabilities to take over a system and use it to attack a third party.

    And where would that leave linux, *bsd, etc? Should Alan or Linus be sued for tcp bugs?

    --
    Based on upvotes, Ageism is the only "-ism" Slashdotters care about and think isn't SJW
  37. Re:Limit, but not eliminate, DDoS by BillyGoatThree · · Score: 2

    "The reason this would not work if you wanted to trick someone into doing is that everyone would have to run that worm within a few minutes of each other..."

    Not necessarily. Let's say you sent a link to 100,000 of your closest friends. 1% check the link each minute for the next 100 minutes. That's 1000 hits/minute for 1 hour and 40 minutes duration. Not much for Yahoo, but a TON for dinky little me on a DSL line.

    Also consider that the S in DoS is "service"--it doesn't have to eat up your bandwidth, it could eat something else. For instance, 10,000 fake orders would eat up service personnel time and don't have to be submitted simultaneously. 65,635 orders can also be placed at any time to overflow an INT in a poorly designed database.

    --
    324006
  38. If everyone filters their outgoing pipes... by rdl · · Score: 3

    Actually, a lot of the simple DoS would be eliminated if people would just filter all their outgoing connections, preventing spoofed IP. If you know what AS is the origination of a certain flood, you can easily modify routing.

    If someone can spoof packets to make them appear they don't come from a single AS, you have a much harder time.

    The reason most ISPs don't filter their outgoing traffic is that most Cisco routers will end up with 100% CPU utilization to do basic filtering on any decent sized pipe. No one is going to drop in a USD 100k GSR/12000 just to filter linerate on a 100baseTX.

    Juniper, among others, makes routers which can do filtering on the interface cards themselves, so doing linerate filtering on 32 gig-e interfaces is actually possible. However, I think like 95% of the core routers on the net are still Cisco, even though Juniper's sales figures are rapidly increasing, so it will be some time before this is fixed.
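
    The source-address filtering that rdl describes here, and that "while" asks for in comment 33 ("don't allow forged packets"), is what BCP 38 style egress filtering does: a packet may leave a customer-facing interface only if its source address lies in a prefix the router knows is behind that interface. The following is an added example written for this page, not code from anyone in the thread or from any router vendor; the interface names, prefixes and packets are constructed, and real routers implement this in hardware or via unicast RPF rather than in Python.

```python
"""Egress filtering check in the BCP 38 / unicast-RPF spirit (added example).

A packet is forwarded only if its source address belongs to one of the
prefixes routed to the interface it arrived on; anything else is treated as
forged and dropped.  Interface names, prefixes and packets are constructed.
"""
from ipaddress import ip_address, ip_network, IPv4Address, IPv4Network
from typing import Dict, List, Tuple

Packet = Tuple[str, str, str]  # (ingress interface, source IP, destination IP)

# Hypothetical customer prefixes behind each edge interface (constructed).
INTERFACE_PREFIXES: Dict[str, List[IPv4Network]] = {
    "eth1": [ip_network("192.0.2.0/24")],
    "eth2": [ip_network("198.51.100.0/25"), ip_network("198.51.100.128/26")],
}


def source_is_valid(src: str, ingress_iface: str,
                    table: Dict[str, List[IPv4Network]] = INTERFACE_PREFIXES) -> bool:
    """True if src lies in a prefix the router knows lives behind ingress_iface."""
    try:
        addr = ip_address(src)
    except ValueError:
        return False          # unparsable source: treat as forged
    if not isinstance(addr, IPv4Address):
        return False          # this toy table is IPv4-only
    return any(addr in prefix for prefix in table.get(ingress_iface, []))


def filter_packets(packets: List[Packet],
                   table: Dict[str, List[IPv4Network]] = INTERFACE_PREFIXES
                   ) -> Tuple[List[Packet], List[Packet]]:
    """Split packets into (forwarded, dropped) according to source_is_valid."""
    forwarded: List[Packet] = []
    dropped: List[Packet] = []
    for pkt in packets:
        iface, src, _dst = pkt
        (forwarded if source_is_valid(src, iface, table) else dropped).append(pkt)
    return forwarded, dropped


# Constructed sample: three legitimate packets and two whose source address
# cannot legitimately originate on the interface they arrived on.
SAMPLE_PACKETS: List[Packet] = [
    ("eth1", "192.0.2.10", "203.0.113.5"),
    ("eth2", "198.51.100.77", "203.0.113.5"),
    ("eth2", "198.51.100.130", "203.0.113.5"),
    ("eth1", "203.0.113.9", "203.0.113.5"),   # forged: claims a prefix from another AS
    ("eth2", "192.0.2.10", "203.0.113.5"),    # forged: eth1's prefix arriving on eth2
]


def demo() -> Tuple[int, int]:
    """Return (forwarded count, dropped count) for the constructed sample."""
    fwd, drop = filter_packets(SAMPLE_PACKETS)
    return len(fwd), len(drop)


if __name__ == "__main__":
    fwd, drop = filter_packets(SAMPLE_PACKETS)
    print(f"forwarded {len(fwd)}, dropped {len(drop)}")
    for pkt in drop:
        print("dropped packet with forged source:", pkt)
```

    Because the check is per interface rather than per router, the second forged packet (a valid customer address, but seen on the wrong interface) is also dropped; that is the property that makes spoofed floods traceable back to the edge that let them out, which is the point both posters are making.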

  39. Re:Limit, but not eliminate, DDoS by Animats · · Score: 3
    You can limit DDoS attempts, and probably eliminate all the threats out there today, but a truly crafty attacker would make a DDoS which simply appears as extra traffic.

    I've made this point before. There are two parts to the problem. First, fix all the holes that allow substantial server resource consumption from packets with forged source addresses. Second, improve host and network behavior under overload.

    The real fix, of course, is to find operating systems vendors liable for selling systems which allow attackers to use OS vulnerabilities to take over a system and use it to attack a third party. Note that disclaimers in EULAs don't matter in such cases, because the victim isn't the customer of the OS maker, but an unrelated third party. Someone needs to sue Microsoft for gross negligence over this, for selling mass-market operating systems with vulnerabilities years after the problem was identified.

  40. 31337 d00d by roman_mir · · Score: 3

    I suppose humans behaving in a criminal fashion are responsible for having the police forces out there, so it is not surprising that the internet will create some sort of resistance to the script kiddies. Just like your body creates antibodies to kill specific virii, the corporations that rely on the Internet to conduct business will be the indirect reason for some sort of protection appearing against unauthorized accesses. Even if in the process a stronger identification system is put in place and the Internet becomes less anonymous.

  41. What makes you think they don't? by Archangel+Michael · · Score: 3

    It's interesting to me that the anti-authority script kiddies are going to eventually be the reason and the justification for the authorities monitoring everything we do online.

    Ever hear of Echelon?

    --
    Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
  42. Not very useful by CoreDump · · Score: 4
    Unfortunately, inserting probes into the "exchange points where major networks interconnect" isn't going to accomplish much.

    First of all, the major networks do not all exchange traffic directly over the exchange points, but rather through dedicated peering circuits.

    Second of all:

    By regularly sampling network traffic statistics, Arbor's technology establishes a dynamic profile of typical traffic patterns in different zones of the network. Sampling against this dynamic baseline allows the solution to flag anomalies.

    How do they differentiate between a DDOS attack and a site being slashdotted ( or does that qualify as a DDOS? :P )

    And finally:

    Finally, Arbor's DoS solution uses attack fingerprints to suggest access control list (ACL) entries and/or committed access rate (CAR) parameters, which a network engineer can implement to filter out the attack.

    So all it does is spit out a sample configuration that has to be actively applied to the routers in question? Even if you place an ACL on the receiving side ( pretending that linerate OC-12 car/acl's is truly feasible ) you have done nothing to mitigate any of the effects on the peer's network and the potentially full peering link between the two networks.

    This assumes that the DDOS is going to be hitting the servers as well. In fact, several recent DDOS attacks have been not at servers ( since it is no longer usually a single server but many ) but at the infrastructure leading up to those servers.

    I wish Arbor well in peddling their proprietary "patent-pending" technology, but don't expect to see this running on any major networks anytime soon.

    ------------------------------------------------ ------------

    --

    ---
    Segmentation Fault ( core dumped )
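
    The quoted Arbor description ("a dynamic profile of typical traffic patterns ... flag anomalies") and CoreDump's question about telling a DDOS from a slashdotting can be made concrete with a small baseline detector. The following is an added example written for this page, not Arbor's code or anything from the thread: it keeps an exponentially weighted mean and variance of sampled packets per interval for each destination, flags an interval that exceeds the learned baseline, and then applies one constructed heuristic (the share of TCP SYNs in the sample) to separate a half-open SYN flood from a flash crowd of completed sessions. The sample counters are constructed, and the heuristic is an assumption: a worm whose payload is "download this page" would look exactly like the flash crowd, which is the limitation the thread is pointing at.

```python
"""Dynamic-baseline anomaly detection over sampled traffic counters (added example).

Per destination, an EWMA mean/variance of sampled packets-per-interval is kept.
An interval far above the baseline is flagged as a volume anomaly; a constructed
SYN-ratio heuristic then labels it syn-flood-like or flash-crowd-like.  The
baseline only learns from intervals judged normal, so an attack does not
drag the baseline up and hide itself.  All counters below are constructed.
"""
from dataclasses import dataclass
from math import sqrt
from typing import Dict, List, Optional


@dataclass
class Baseline:
    """Exponentially weighted mean and variance of one destination's sampled rate."""
    alpha: float = 0.2            # weight given to the newest sample
    mean: Optional[float] = None  # None until the first sample is seen
    var: float = 0.0

    def update(self, x: float) -> None:
        if self.mean is None:
            self.mean = x
            return
        diff = x - self.mean
        # incremental EWMA variance: update var before moving the mean
        self.var = (1.0 - self.alpha) * (self.var + self.alpha * diff * diff)
        self.mean += self.alpha * diff

    def is_anomalous(self, x: float, k: float = 3.0, floor: float = 50.0) -> bool:
        """Flag x if it exceeds mean + k*stddev plus an absolute floor.

        The floor keeps a nearly flat baseline (stddev ~ 0) from flagging
        ordinary jitter as an attack."""
        if self.mean is None:
            return False
        return x > self.mean + k * sqrt(self.var) + floor


@dataclass
class Sample:
    dst: str
    pkts: int      # sampled packets toward dst in this interval
    syn_pkts: int  # of which TCP SYNs (constructed heuristic input)


def classify(sample: Sample, baseline: Baseline, syn_ratio_threshold: float = 0.8) -> str:
    """Label one interval relative to its destination's baseline."""
    if not baseline.is_anomalous(sample.pkts):
        return "normal"
    syn_ratio = sample.syn_pkts / sample.pkts if sample.pkts else 0.0
    if syn_ratio >= syn_ratio_threshold:
        return "volume anomaly: syn-flood-like"
    # Completed sessions at high volume: a slashdotting or a "download this
    # page" worm look identical here, so the label is deliberately ambiguous.
    return "volume anomaly: flash-crowd-like"


def run(samples: List[Sample], baselines: Optional[Dict[str, Baseline]] = None) -> List[str]:
    """Classify a sequence of sampled intervals, learning only from normal ones."""
    baselines = {} if baselines is None else baselines
    labels: List[str] = []
    for s in samples:
        b = baselines.setdefault(s.dst, Baseline())
        label = classify(s, b)
        if label == "normal":
            b.update(s.pkts)
        labels.append(label)
    return labels


# Constructed window: ten quiet intervals, then a flash crowd, then a SYN flood.
DST = "203.0.113.5"
SAMPLE_WINDOW: List[Sample] = [
    Sample(DST, p, s) for p, s in
    [(100, 8), (110, 9), (95, 7), (120, 10), (105, 8),
     (98, 7), (115, 9), (102, 8), (108, 9), (112, 9)]
] + [
    Sample(DST, 2000, 150),   # many completed sessions: flash crowd or page-fetch worm
    Sample(DST, 5000, 4900),  # almost all SYNs: half-open flood
]


if __name__ == "__main__":
    for s, label in zip(SAMPLE_WINDOW, run(SAMPLE_WINDOW)):
        print(f"{s.dst} pkts={s.pkts:5d} syn={s.syn_pkts:5d} -> {label}")
```

    What this shows in support of the post: the baseline step catches both floods equally, so the ACL or CAR suggestion it would feed is only as good as the classifier behind it, and the one heuristic here separates only the crude case.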

  43. Gotta love the script kiddies. by Restil · · Score: 4

    I mean, you have to admire their courage. If this was real life and not on the internet, a good metaphor for the script kiddy would be the weakest, scrawniest little kid who walks into a dark alley, finds the strongest, nastiest, most well armed individual that he does not know, walks up to him, screams whatever insult he can come up with and takes a piss on his leg.

    Of course, the big difference is, in real life, this kid wouldn't EVER try that again, nor would any other kids who ever heard about it.

    It only takes one.

    -Restil

    --
    Play with my webcams and lights here
  44. Limit, but not eliminate, DDoS by rdl · · Score: 5

    I've looked into the DDoS problem quite a bit, for obvious reasons.

    You can limit DDoS attempts, and probably eliminate all the threats out there today, but a truly crafty attacker would make a DDoS which simply appears as extra traffic. Slashdot people have a lot of experience with this -- what's the difference between a slashdotting and a worm with "download this page" as the payload, widely distributed?

    Another problem with a single, centralized company providing DDoS monitoring, notification, and realtime blackholing is that of course that company becomes a central point of attack. If you can simulate a DDoS attempt from company A to company B, you don't need to actually accomplish the DDoS, which may also shield you from legal liability and violation of AUPs.

    "In the age-old battle of arms vs. armor, arms always triumph". I'm not saying Arbor Networks is not a valuable service, but I think it will be very difficult to provide any sort of lasting edge vs. a determined packet kiddie. ud.com among others are already using distributed load-testing, so it's easy to see how powerful a worm/virus with DDoS payload would be. I believe the Zapatistas in Mexico did this as a form of protest/attack, and it was successful, in 1998 or 1999.