DDoS Detection Devices
Bistromat writes "The Boston Globe is reporting today that Arbor Networks is marketing a solution to the DDoS attacks that are in vogue with script kiddies today. Their solution is to place filters ("probes") at "peering points" (the points where major ISPs interconnect) to sample and fingerprint traffic so a major DDoS is readily detected and filtered out before the volume becomes unmanageable." It's interesting to me that the anti-authority script kiddies are going to eventually be the reason and the justification for the authorities monitoring everything we do online. 31337 d00d!
Actually, a lot of the simple DoS would be eliminated if people would just filter all their outgoing connections, preventing spoofed IP. If you know what AS is the origination of a certain flood, you can easily modify routing.
If someone can spoof packets to make them appear they don't come from a single AS, you have a much harder time.
The reason most ISPs don't filter their outgoing traffic is that most Cisco routers will end up with 100% CPU utilization to do basic filtering on any decent-sized pipe. No one is going to drop in a USD 100k GSR/12000 just to filter linerate on a 100baseTX.
Juniper, among others, makes routers which can do filtering on the interface cards themselves, so doing linerate filtering on 32 gig-e interfaces is actually possible. However, I think like 95% of the core routers on the net are still Cisco, even though Juniper's sales figures are rapidly increasing, so it will be some time before this is fixed.
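The egress (anti-spoofing) filtering the two posts above argue for, as an added illustration that is not part of the thread: given the prefixes an AS originates, any outbound packet whose source lies outside them is spoofed and should be dropped. The prefixes, flow records and the Cisco-style ACL rendering are constructed for the example.

```python
"""Egress anti-spoof check: drop outbound packets whose source address is not
inside a prefix this AS originates (the filtering the posts above describe)."""
import ipaddress

# Constructed example: prefixes assumed to be originated by "our" AS.
OWN_PREFIXES = [ipaddress.ip_network(p) for p in ("192.0.2.0/24", "198.51.100.0/24")]

# Constructed sample of outbound flow records: (src, dst, proto, packets).
SAMPLE_FLOWS = [
    ("192.0.2.10", "203.0.113.5", "tcp", 12),       # legitimate customer
    ("198.51.100.7", "203.0.113.5", "udp", 3),      # legitimate customer
    ("10.9.8.7", "203.0.113.5", "udp", 4000),       # RFC 1918 source: bogon
    ("203.0.113.77", "203.0.113.5", "tcp", 2500),   # source not ours: spoofed
]


def is_legitimate_source(src, own_prefixes=OWN_PREFIXES):
    """True if src lies within a prefix this AS originates."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in own_prefixes)


def egress_filter(flows, own_prefixes=OWN_PREFIXES):
    """Split flows into (allowed, dropped); dropped flows carry spoofed sources."""
    allowed, dropped = [], []
    for flow in flows:
        (allowed if is_legitimate_source(flow[0], own_prefixes) else dropped).append(flow)
    return allowed, dropped


def spoofed_packet_share(flows, own_prefixes=OWN_PREFIXES):
    """Fraction of outbound packets the filter would have dropped."""
    total = sum(f[3] for f in flows)
    _, dropped = egress_filter(flows, own_prefixes)
    return sum(f[3] for f in dropped) / total if total else 0.0


def render_acl(own_prefixes=OWN_PREFIXES):
    """Render the same policy as a Cisco-style extended ACL (illustrative syntax,
    wildcard masks); apply it outbound on the upstream-facing interface."""
    lines = [f"permit ip {n.network_address} {n.hostmask} any" for n in own_prefixes]
    lines.append("deny ip any any log")
    return lines


if __name__ == "__main__":
    kept, spoofed = egress_filter(SAMPLE_FLOWS)
    print(f"dropped {len(spoofed)} flows, {spoofed_packet_share(SAMPLE_FLOWS):.1%} of packets")
    print("\n".join(render_acl()))
```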
I've made this point before. There are two parts to the problem. First, fix all the holes that allow substantial server resource consumption from packets with forged source addresses. Second, improve host and network behavior under overload.
The real fix, of course, is to find operating system vendors liable for selling systems which allow attackers to use OS vulnerabilities to take over a system and use it to attack a third party. Note that disclaimers in EULAs don't matter in such cases, because the victim isn't the customer of the OS maker, but an unrelated third party. Someone needs to sue Microsoft for gross negligence over this, for selling mass-market operating systems with vulnerabilities years after the problem was identified.
I suppose humans behaving in a criminal fashion are responsible for having the police forces out there; why, it is not surprising that the internet will create some sort of resistance to the script kiddies. Just like your body creates antibodies to kill specific virii, the corporations that rely on the Internet to conduct business will be the indirect reason for some sort of protection appearing against unauthorized accesses. Even if in the process a stronger identification system is put in place and the Internet becomes less anonymous.
You can't handle the truth.
It's interesting to me that the anti-authority script kiddies are going to eventually be the reason and the justification for the authorities monitoring everything we do online.
Ever hear of Echelon?
Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
First of all, all of the major networks do not exchange traffic directly over the exchange points, but rather through dedicated peering circuits.
Second of all:
How do they differentiate a DDOS attack or a site being slashdotted ( or does that qualify as a DDOS? :P )
And finally:
So all it does is spit out a sample configuration that has to be actively applied to the routers in question? Even if you place an ACL on the receiving side ( pretending that linerate OC-12 CAR/ACLs are truly feasible ) you have done nothing to mitigate any of the effects on the peer's network and the potentially full peering link between the two networks.
This assumes that the DDOS is going to be hitting the servers as well. In fact, several recent DDOS attacks have been not at servers ( since it is no longer usually a single server but many ) but at the infrastructure leading up to those servers.
I wish Arbor well in peddling their proprietary "patent-pending" technology, but don't expect to see this running on any major networks anytime soon.
I mean, you have to admire their courage. If this was real life and not on the internet, a good metaphor for the script kiddy would be the weakest, scrawniest little kid who walks into a dark alley, finds the strongest, nastiest, most well-armed individual that he does not know, walks up to him, screams whatever insult he can come up with and takes a piss on his leg.
Of course, the big difference is, in real life, this kid wouldn't EVER try that again, nor would any other kids who ever heard about it.
It only takes one.
-Restil
I've looked into the DDoS problem quite a bit, for obvious reasons.
You can limit DDoS attempts, and probably eliminate all the threats out there today, but a truly crafty attacker would make a DDoS which simply appears as extra traffic. Slashdot people have a lot of experience with this -- what's the difference between a slashdotting and a worm with "download this page" as the payload, widely distributed?
Another problem with a single, centralized company providing DDoS monitoring, notification, and realtime blackholing is that of course that company becomes a central point of attack. If you can simulate a DDoS attempt from company A to company B, you don't need to actually accomplish the DDoS, which may also shield you from legal liability and violation of AUPs.
"In the age-old battle of arms vs. armor, arms always triumph." I'm not saying Arbor Networks is not a valuable service, but I think it will be very difficult to provide any sort of lasting edge vs. a determined packet kiddie. ud.com among others are already using distributed load-testing, so it's easy to see how powerful a worm/virus with a DDoS payload would be. I believe the Zapatistas in Mexico did this as a form of protest/attack, and it was successful, in 1998 or 1999.