Slashdot Mirror


DDoS Detection Devices

Bistromat writes "The Boston Globe is reporting today that Arbor Networks is marketing a solution to the DDoS attacks that are in vogue with script kiddies today. Their solution is to place filters ("probes") at "peering points" (the points where major ISPs interconnect) to sample and fingerprint traffic so a major DDoS is readily detected and filtered out before the volume becomes unmanageable." It's interesting to me that the anti-authority script kiddies are going to eventually be the reason and the justification for the authorities monitoring everything we do online. 31337 d00d!

3 of 107 comments

  1. Not very useful by CoreDump · Score: 4
    Unfortunately, inserting probes into the "exchange points where major networks interconnect" isn't going to accomplish much.

    First of all, all of the major networks do not exchange traffic directly over the exchange points, but rather through dedicated peering circuits.

    Second of all:

    By regularly sampling network traffic statistics, Arbor's technology establishes a dynamic profile of typical traffic patterns in different zones of the network. Sampling against this dynamic baseline allows the solution to flag anomalies.

    How do they differentiate between a DDOS attack and a site being slashdotted (or does that qualify as a DDOS? :P)?

    And finally:

    Finally, Arbor's DoS solution uses attack fingerprints to suggest access control list (ACL) entries and/or committed access rate (CAR) parameters, which a network engineer can implement to filter out the attack.

    So all it does is spit out a sample configuration that has to be actively applied to the routers in question? Even if you place an ACL on the receiving side (pretending that line-rate OC-12 CAR/ACLs are truly feasible) you have done nothing to mitigate any of the effects on the peer's network and the potentially full peering link between the two networks.

    This assumes that the DDOS is going to be hitting the servers as well. In fact, several recent DDOS attacks have not been at servers (since it is no longer usually a single server but many) but at the infrastructure leading up to those servers.

    I wish Arbor well in peddling their proprietary "patent-pending" technology, but don't expect to see this running on any major networks anytime soon.

    Segmentation Fault ( core dumped )
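CoreDump's objection above (a traffic baseline cannot tell a DDoS from a slashdotting) worked through in code, as an added example that is not part of this thread and not Arbor's technology: a hypothetical EWMA baseline over sampled packet rates flags both a flash crowd and a three-source flood, and only a source fingerprint of the flagged interval separates them. Class and function names, thresholds and the sample traffic are all constructed for the example.

```python
from collections import Counter
from dataclasses import dataclass
from math import sqrt

@dataclass
class BaselineDetector:
    """Running EWMA mean/variance of sampled per-interval packet rates (hypothetical
    detector, not Arbor's): flag when the rate exceeds mean + threshold * stddev."""
    alpha: float = 0.1       # weight of the newest sample in the baseline
    threshold: float = 3.0   # flag when pps > mean + threshold * stddev
    warmup: int = 5          # samples absorbed before anything is flagged
    mean: float = 0.0
    var: float = 0.0
    seen: int = 0
    def observe(self, pps: float) -> bool:
        flagged = self.seen >= self.warmup and pps > self.mean + self.threshold * sqrt(self.var)
        if not flagged:  # a flagged interval must not train the baseline to accept itself
            if self.seen == 0:
                self.mean = pps
            else:
                delta = pps - self.mean
                self.mean += self.alpha * delta
                self.var = (1 - self.alpha) * (self.var + self.alpha * delta * delta)
            self.seen += 1
        return flagged

def fingerprint(sampled_sources, top_n=3):
    """Top talkers of a flagged interval and their share of the sampled packets."""
    top = Counter(sampled_sources).most_common(top_n)
    return [src for src, _ in top], sum(n for _, n in top) / len(sampled_sources)

def suggest_filter(top_sources, top_share, concentrated=0.5):
    """Illustrative ACL/CAR suggestion (not Arbor's output format): deny dominant
    sources; a flash crowd has none, so only a rate limit that also throttles
    the legitimate visitors is possible."""
    if top_share >= concentrated:
        return {"acl_deny": top_sources, "car": None}
    return {"acl_deny": [], "car": "rate-limit to baseline"}

def run_demo():
    det = BaselineDetector()
    normal = [1000 + 20 * ((i * 7) % 5 - 2) for i in range(40)]  # constructed quiet traffic
    false_alarms = sum(det.observe(pps) for pps in normal)
    flash = [f"flash-client-{i}" for i in range(500)]  # 5000 pps, 500 distinct sampled sources
    ddos = [f"192.0.2.{i % 3 + 1}" for i in range(500)]  # 5000 pps, three sources (constructed)
    results = {}
    for name, sources in (("flash_crowd", flash), ("ddos", ddos)):
        flagged = det.observe(5000)
        top, share = fingerprint(sources)
        results[name] = (flagged, share, suggest_filter(top, share))
    return false_alarms, results
```

Both anomalous intervals are flagged against the same baseline; the rate alone gives the operator no way to choose between denying sources and throttling everyone.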

  2. Gotta love the script kiddies. by Restil · Score: 4

    I mean, you have to admire their courage. If this was real life and not on the internet, a good metaphor for the script kiddy would be the weakest, scrawniest little kid who walks into a dark alley, finds the strongest, nastiest, most well-armed individual that he does not know, walks up to him, screams whatever insult he can come up with and takes a piss on his leg.

    Of course, the big difference is, in real life, this kid wouldn't EVER try that again, nor would any other kids who ever heard about it.

    It only takes one.

    -Restil

  3. Limit, but not eliminate, DDoS by rdl · Score: 5

    I've looked into the DDoS problem quite a bit, for obvious reasons.

    You can limit DDoS attempts, and probably eliminate all the threats out there today, but a truly crafty attacker would make a DDoS which simply appears as extra traffic. Slashdot people have a lot of experience with this -- what's the difference between a slashdotting and a worm with "download this page" as the payload, widely distributed?

    Another problem with a single, centralized company providing DDoS monitoring, notification, and real-time blackholing is that of course that company becomes a central point of attack. If you can simulate a DDoS attempt from company A to company B, you don't need to actually accomplish the DDoS, which may also shield you from legal liability and violation of AUPs.

    "In the age-old battle of arms vs. armor, arms always triumph." I'm not saying Arbor Networks is not a valuable service, but I think it will be very difficult to provide any sort of lasting edge vs. a determined packet kiddie. ud.com among others are already using distributed load-testing, so it's easy to see how powerful a worm/virus with a DDoS payload would be. I believe the Zapatistas in Mexico did this as a form of protest/attack, and it was successful, in 1998 or 1999.