NZ Firm Shows Anti-DDoS Tool
An Anonymous Coward writes: "ComputerWorld NZ is covering a story about a New Zealand company, Esphion Ltd having coverage at the recent JWID (Joint Warrior Interoperability Demonstration), with their anti-DDoS tool. From the article (here), it looks like it seems to work pretty well."
I just gotta ask: Does it involve sheep somehow?
:)
...against the /. effect.
Just previously we were talking about mafia boy.
A new tool for script kiddies to start playing with.
"it looks like it seems to work pretty well."
I guess it's pretty good at appearing to work.
As far as detection goes, they use both traffic signatures and statistical anomaly detection. Meaning that yes, it can effectively block the /. effect (if not too well configured). Any rise in traffic that falls way outside the "usual" traffic pattern gets flagged as an attack.
Now as far as reaction goes, this is where it gets interesting. Not only can they configure local traffic control devices (router, firewall, etc) to block traffic, they can also escalate the traffic block to the next upstream router/firewall/etc. That, of course, requires some degree of collaboration from the upstream party.
As an example, this means that if you, at home, detect a SYN flood from a specific netblock, you can not only block it but you can tell your ISP to block it for you, automatically, in real time.
What remains to be seen is a) whether this is secure at all, or if there are flaws in the block-requesting protocol and algorithm, b) if service providers are willing and able to implement this kind of collaborative system to work on behalf of their users, and c) what kind of investment will service providers need in order to upgrade their routers/firewalls/etc so that they can process a potentially huge number of specific blocking rules for their customers. Yes, every rule requires router CPU, and yes, if you have too many of them, you need a bigger router or things start to slow to a crawl.
This kind of system is definitely good for you, but will it ever see light in commercial terms?
free the mallocs!
If the up-stream blocking controls have security flaws, a new kind of attack might become popular: wall off sites instead of flood them.
Could be nasty if not done right.
I accept that a tool such as this can successfully detect and stop DOS attacks, but is it clever enough to allow for legitimate spikes? If anything, I think that the real challenge is in sorting the binary wheat from the chaff and while the article does make mention of this factor, it doesn't say that normal traffic spikes were ignored and allowed to complete their transactions during an attack.
Anybody using decimal is going to have DDoS problems. Switch to hexadecimal and all your problems go away.
-- Hexadecimal.
someone will target them now, to test their claims!
Tools to defend against SYN floods, fragmentation attacks and the likes have been available for a long time (think SYN cookies, for instance). In that regard, this product is probably a good solution.
:)
But as of today's technology, there is NOTHING you can do if someone manages to overload your link. The only solution for your provider is to shut down your link (nullrouting you, for instance), which doesn't help you much.
In the example given in the article, the only thing they do is prevent the DDoS from spreading to other branches of their network, which it was unlikely to do anyway. The initial victim network remains down, and there's nothing they can do about that (unfortunately).
As far as detection goes, they use both traffic signatures and statistical anomaly detection. Meaning that yes, it can effectively block the
From the article:
The first task is to detect either an anomalous rise in traffic volume, an unusual ratio between connection set-ups and tear-downs - the ratio being 1:1 in legitimate traffic - or a worm signature. The first necessitates careful analysis and subtraction of normal variability of traffic during the day. NetDeflect then identifies the nature of the spurious traffic and puts a filter in its way, or, in the case of a worm, disconnects the specific channel the worm is using.
Since it can't block all the 4000 source IP addresses of the /. effect, it would have to block the "channel", that is all traffic to the local HTTP port, effectively closing the shop for business.
It would be stretching it to call that "blocking the attack".
!! Nobody can block the /. effect !!
echo '[q]sa[ln0=aln80~Psnlbx]16isb572CCB9AE9DB03273snlbxq' |dc
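The detection logic the quoted article passage describes, as an added example that is not Esphion's code and not from the article: three checks run over constructed per-interval counters, with volume judged against an hour-of-day baseline (the "subtraction of normal variability of traffic during the day"), the set-up/tear-down ratio compared against the 1:1 of legitimate traffic, and a worm-signature hit count. The thresholds, the baseline table and the sample intervals are all assumptions.

```python
from dataclasses import dataclass

@dataclass
class Interval:
    hour: int           # hour of day, selects the baseline bucket
    packets: int        # packets seen in this interval
    syn: int            # connection set-ups (SYN)
    fin_rst: int        # connection tear-downs (FIN or RST)
    sig_hits: int       # packets matching a worm signature (assumed pre-computed)

# Constructed baseline: (mean, stdev) of packets per interval for each hour of the
# day, standing in for the "normal variability of traffic during the day".
BASELINE = {h: (1000 + 400 * (9 <= h <= 17), 150.0) for h in range(24)}

def volume_anomaly(iv, z_threshold=4.0):
    """Volume that is z_threshold standard deviations above the hour-of-day
    baseline, i.e. after subtracting the expected daily pattern."""
    mu, sigma = BASELINE[iv.hour]
    return (iv.packets - mu) / sigma > z_threshold

def ratio_anomaly(iv, max_ratio=3.0, min_syn=50):
    """Far more set-ups than tear-downs. Half-open floods never finish the
    handshake, so the 1:1 ratio of legitimate traffic collapses."""
    if iv.syn < min_syn:            # too few connections to judge
        return False
    return iv.syn / max(iv.fin_rst, 1) > max_ratio

def worm_signature(iv, min_hits=10):
    """Signature match: the article's third trigger (handled by channel shutdown)."""
    return iv.sig_hits >= min_hits

def classify(iv):
    """Names of every detector that fires for this interval ([] means normal)."""
    checks = {"volume": volume_anomaly, "ratio": ratio_anomaly, "worm": worm_signature}
    return [name for name, fn in checks.items() if fn(iv)]

# Constructed sample intervals.
QUIET_NIGHT = Interval(hour=3, packets=1100, syn=40, fin_rst=38, sig_hits=0)
BUSY_DAY = Interval(hour=14, packets=1700, syn=300, fin_rst=290, sig_hits=0)  # daytime peak, still normal
SYN_FLOOD = Interval(hour=3, packets=9000, syn=4000, fin_rst=60, sig_hits=0)
WORM_HIT = Interval(hour=14, packets=1500, syn=200, fin_rst=195, sig_hits=25)
```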
My idea (anyone want to discuss? mail me: kipple at muug dot it) goes like this:
- once a traffic sensor (bandwidth sensor? MRTG?) detects an abnormal increase of traffic coming from a particular source route, it contacts the first router it knows on the path to the flooding source; this first-hop router detects the next-hop router, and so on, until the source of the flood itself is found and either shaped (good) or blocked for a while (bad, but necessary sometimes).
- all other legitimate connections can still pass through and reach the original service (be it a webpage or anything else), and only the flooders are blocked
- in today's anti-flood systems, the only thing prevented is the server crashing under high load, but the packets are still coming down the wire. Using the routers won't clog the wire of the victim
- also, there is no possibility to spoof those 'router communications', as there isn't a way today to fake OSPF or other protocols to fool routers. Also, cryptographically signed communications between routers could be implemented
- Plus, if a source route is spoofed, the router won't care (we're talking about low-level routing, not just IP based). So, no DNS spoofing and flooding (and therefore the site will still be able to access basic services - no blocking as in some misdesigned "active" firewalls).
I think that using this technique it will be possible to avoid many DOS-based attacks, but still not all: what if a LOT of zombies are requesting services from a particular website at a 'normal' rate? I fear this has no solution: it resembles normal user activity too much, and it is a problem of designing the services (or providing enough bandwidth, or splitting the service among different sites on different uplinks), and not a routing problem.
So, thoughts, suggestions?
-- There are two kinds of sysadmins: Paranoids and Losers. (adapted from D. Bach)
i wonder if they tested by hitting big ecommerce sites for 6 straight days in order to develop the tool
How would you propose to stop forged DDOS from netblock 0/0? Since this is how most DDOS tools operate, and one would assume that any credible attacker was able to send forged packets onto the net, I'd be very interested to know this. You can't solve the problem with upstream blocking unless you are willing to cut off a possibly very large portion of the net.
My proposal would be a giant lookup hash by IP, storing the number of active sessions between the protected network and the IP (or a CAM, but that may be kind of expensive). On receiving a SYN packet in "attack" mode, look up the IP address.
Now, if the number of sessions exceeds the attack parameter, drop it and mark the IP as "attacking". Time out the IPs after a while to stop the hash from being huge.
If the number of sessions is zero, send a SYN-ACK, and mark the IP as "possible client". If the client responds with appropriate sequence numbers, proxy the TCP session to the target, forward the new packet, and increment the number of active sessions. If the client retransmits early, flag the IP as an attacker.
Now that is not perfect, but it will stop same-IP multiple-session attacks, as well as making it harder on DDOS tools (must retransmit, but not too fast, limited to receivable IP addresses), which increases memory load, but most importantly means you can't forge addresses, so netblock blocks will work.
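The per-IP session table proposed in this post, as an added simulation (not the commenter's code): every SYN seen in attack mode is looked up by source IP, over-quota or early-retransmitting IPs are marked attacking and dropped, other IPs are answered with a SYN-ACK and only proxied once they ACK the right sequence number, and idle entries are timed out. The thresholds, the fixed ISN and the event stream are constructed assumptions.

```python
from dataclasses import dataclass

MAX_SESSIONS = 8        # the "attack parameter": active sessions allowed per IP
MIN_RETRANSMIT = 1.0    # seconds; a SYN repeated sooner than this is suspicious
IDLE_TIMEOUT = 60.0     # seconds of silence before an entry is forgotten

@dataclass
class Entry:
    state: str = "unknown"      # unknown | possible | client | attacking
    sessions: int = 0           # sessions currently proxied to the target
    last_syn: float = -1e9      # time of the last SYN from this IP
    expect_ack: int = 0         # our ISN + 1: what a real client must ACK
    last_seen: float = 0.0

class SynFilter:
    def __init__(self):
        self.table: dict[str, Entry] = {}   # the per-IP lookup hash
    def _entry(self, ip, now):
        e = self.table.setdefault(ip, Entry())
        e.last_seen = now
        return e
    def expire(self, now):
        """Time out idle IPs so the hash cannot grow without bound."""
        for ip in [i for i, e in self.table.items() if now - e.last_seen > IDLE_TIMEOUT]:
            del self.table[ip]
    def on_syn(self, ip, now, isn=1000):
        e = self._entry(ip, now)
        flood = e.sessions >= MAX_SESSIONS          # same-IP multi-session attack
        early = now - e.last_syn < MIN_RETRANSMIT   # SYN retransmitted too soon
        if e.state == "attacking" or flood or early:
            e.state = "attacking"
            return "drop"
        e.last_syn, e.expect_ack = now, isn + 1
        if e.state == "unknown":
            e.state = "possible"
        return "syn-ack"                # answered by the filter, not the target
    def on_ack(self, ip, now, ack):
        e = self._entry(ip, now)
        if e.state not in ("possible", "client") or ack != e.expect_ack:
            return "drop"               # no matching handshake: spoofed or bogus
        e.state, e.sessions = "client", e.sessions + 1
        return "proxy"                  # handshake done; relay the session

def scenario():
    # Constructed events: a real client, an early retransmitter, a same-IP flood.
    f = SynFilter()
    real = [f.on_syn("198.51.100.7", 0.0), f.on_ack("198.51.100.7", 0.1, 1001)]
    early = [f.on_syn("203.0.113.9", 0.3), f.on_syn("203.0.113.9", 0.5)]
    for i in range(MAX_SESSIONS):       # fill one IP's quota with real handshakes
        f.on_syn("192.0.2.44", 2.0 * i)
        f.on_ack("192.0.2.44", 2.0 * i + 0.1, 1001)
    flood = [f.on_syn("192.0.2.44", 20.0)]
    f.expire(100.0)                     # idle entries forgotten, so the flagged IP is clean again
    return real + early + flood + [f.on_syn("203.0.113.9", 101.0)]
```

A NAT gateway fronting many users would also exceed MAX_SESSIONS here, which is the false positive another reply in this thread raises.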
I don't care about DOS attacks. If there's someone out there who still hasn't upgraded to Windows, they deserve whatever they get.
"You're just scared like a little white pussy. I'll fuck you till you love me, you faggot!"
The other issue is variable IP. Many broadband users are given a variable IP to stop them from running servers. Once a user has bust a quota for a given IP address, they can just reconnect and probably get a new IP assigned and repeat the process. They may get the ISP address pool blocked, but that is an issue by itself if the ISP is big enough.
we just did!
HTTP/1.1 200 OK
Date: Tue, 28 May 2002 09:41:32 GMT
Server: Apache/1.3.19 (Unix)
FrontPage/5.0.2.2510 mod_ssl/2.8.3 OpenSSL/0.9.6b
I guess their product is so good, they can risk installing the FrontPage extension in there. See who else thought so (defaced websites collection & HTTP info).
Readers may want to have a look at a GPL'd DoS/DDoS detection tool under development at the moment, found here.
-- fsck your brains
The industry standard baseball bat has a much better effect, is longer lasting, does not require uplink co-operation and is considerably cheaper
./DoS ip
Tests have shown that it is especially effective when aimed at the fingers, thus rendering the script kiddy unable to type
I find this very amusing that the parent post is modded redundant.
/. would be posting uninsightful drivel....oh wait. But I digress.
Like anyone ever clicks through to the actual articles and reads them. I salute you, Great American Hero---->Pasting-the-General-Idea-of-the-Story- Man! If it wasn't for you, 75% of
Actually, I think the redundant mod should be shot, same as over-rated. We need new mods: Duh, No shit, and Silly Flamer. Those could work just as well as under/over-rated.
Dimwit.
When I first read this, I thought, "hooray." Every sysadmin's wet dream, to be sure. Never need worry about DDOS attacks again.
But then I reconsidered.
If you look at the history of DDOS attacks, you will see that the targets of said attacks have typically been huge media conglomerates and corporations, while the attackers have always been "the little guy," Joe Hacker, the one who doesn't have his own TV channel.
DDOS is a valid method of speech, and should be protected by the First Amendment.
Karma: Good (despite my invention of the Karma: sig)
Also, as others have mentioned, there's not much anyone can do about faked source IPs. Egress filtering would be a way to counter this, but for some reason not many ISPs do it.
don't the participating countries (US, Australia, New Zealand, Canada and the UK,) sound suspiciously like the prime Echelon members?
An interesting read: Recommendations for the Protection against DDOS, found at the task force sicheres internet.
- I began to think, is /.ing something like a DDoS attack? As katoo, recently *vbg* *l0l*
regards,
large
This is one way to both identify and isolate the problem at a distance from the DDoS targets; that information can then be used to shut off the flood closer to the sources. How close is a matter of how deeply you arrange your defense.
I don't know if this is an element of what NetDeflect is using; they mention symmetry of connection creation/teardown. This is more expensive in terms of detection, but also more applicable to the local perimeter.
Linux is Linux, if One need clarify their dist: <Dist>/GNU Linux
bsds are of course just BSD
Actually, I think the answer is yes.
Even though slashdotting brings in a metric buttload of legitimate traffic, a Web site designed for high traffic scalability can include some kind of "surge protection", such as that provided by 'Content Delivery Networks' such as Akamai, Mirror Image, etc.
Today's CDNs respond in realtime to traffic surges. If there's a sudden upswing in client-side demand, the CDN responds by distributing the content and the server-side load more widely across a larger number of servers, topologically selected to minimize network delays, etc.
Today the bottleneck with highly interactive Web sites, even those that use CDNs, comes from the back-end databases that manage the content and drive the site. There's still lots of smart work to be done there with intelligent caching and content distribution.
-Mark Kriegsman
Founder, Clearway Technologies (which was subsequently purchased by Mirror Image)
Without the cooperation of every Tier-1 ISP (UUNET, C&W, Qwest, Sprint, etc.) and router/switch vendor (Cisco, Juniper) this technology will never work. You need to have the anti-DDoS devices installed at every ingress point to sample traffic. News Flash! The major ISPs are barely making it financially as it is, why are they going to build out new infrastructure now? Attack traffic causes customer links to burst, thus increasing ISP fees. Dirty little secret of bandwidth providers: "DoS attacks make them money. Why stop them?"
If you are a Tier-2 ISP or a military network the tools will tell you the attack is coming from *gasp* the internet. You still will need to call upstream to filter the traffic.
This is such a useless technology without major backbone cooperation. People just don't get it.
A combination LDAP client and baseball bat?
I know more than you drink.
Errors all over the site.. but like we care. Have fun slashdotting an E3 Babes Page
If this utility detects an overabundance of traffic from a single IP address and flags it as a DoS attacker, then wouldn't it seem like a large corp or school district using NAT would be blocked from a server running this util?
Picture this:
A large corp sends an e-mail to all users with a link to a server running this utility. 3000 people visit the link within the same day. All traffic is NAT'd, so the server running the DoS utility sees all this traffic coming from the same IP, and then all users on the network are blocked.
Is this a possibility?
-Tolerate my intolerance
http://www.zeus.com/news/articles/020307-001/
I don't think it attempts to filter out all of the DDOS traffic specifically. I think it just tries to ensure that close to the maximum rate of requests can still be served under extraordinary load by quickly binning excess connections. It may even have some prioritisation of who gets binned.
It can also bin requests with particular signatures associated with known attacks.
"Every good boy deserves fudge"
GPG: 66F0 CD0A 9EC6 367F C3B4 7EB0 C76D CFBE 86CF 21E4
If someone floods your IP, there is no escape; it must be understood that it's not the server being packeted, it's the line, so unless you have IP control, you can't do much about it. I would DROP with netfilter and hope the attacker doesn't have a phatter pipe than me.
I'm sorry but you cannot stop a DDoS attack when you have 100+ locations attacking a target with spoofed source addresses. Sure... you might be able to deny everything but your internet provider's router and most likely several upstream routers before that are going to get rocked.
www.captusnetworks.com
Their tool will (if you configure it properly).
All you would have to do is generate port 80 SYN packets to, for example, yahoo.com with the from address spoofed as the victim's machine (easy enough to do with a bit of coding and any W2K, WXP, Linux, or Unix machine). Once Yahoo has generated enough crap requests to the victim's machine the filter will start blocking SYN/ACK requests from yahoo.com - which will prevent the victim from establishing a connection.
Point this attack at a proxy and you could take down the site for an entire company.
Randomize your attack list and make it sufficiently large and you could take down the filter by making it run out of memory - if you take down the filter (which is basically a dynamic firewall) and you've taken down the victim... end of story.
It's called a DRDoS (Distributed Reflexive Denial of Service) attack... this company, and the New Zealand Military for that matter, obviously hasn't ever heard of it.
Captus networks (http://www.captusnetworks.com), Mazu, and Arbor all put out Anti-DDoS devices last year.
All three of them have been struggling because the market for these devices just isn't large enough to support even one company, and especially not three or four. Most people don't know and don't care what a DDoS attack is. The odds of a website getting attacked are pretty slim and most attacks don't last more than a few hours at a time.
I believe the device from Captus Networks (Capt-IO, if I remember) had some pretty clever programming to recognize DDoS attacks, whether intentional or not (bandwidth hogging, slashdotting, etc). I don't know about the others.
NetDeflect is very, very intelligent. Quoting from http://www.esphion.com/techn.html:
"Notification Mode Non-intrusively inspects network packets, identifies threats and alerts administrators with detailed information about the attack. Active Mode Performs fine-grained, wire-speed analysis and, if necessary, filtering of every single packet. Controller Mode In addition to inspection or filtering, Controller Mode also utilizes other network devices, for example up-stream routers, to implement additional filters. This mode is ideally suited to accurately detect the attack (close to target), filter out worms and signature-based attacks, while utilizing filtering capabilities higher up in the network where there is still excess bandwidth: The first complete DoS solution for smaller network pipes."
You can see that it is also very powerful, especially the wire-speed analysis. I have actually seen it in action, at various showings and demonstrations. In each iteration it has grown more powerful, and led to many spinoff products as a result. One of the nice features was that it could be specially re-programmed on the spot to introduce brand new filtering techniques.
Ah, and one thing: a lot of people are talking about the blocking of addresses. Think bigger, massive micromanagement, like blocking address x.x.x.x on port 1414 going to a certain destination address's port, with protocol type x, and nothing else... like legitimate traffic from the same address. Also, with wire-speed analysis, imagine the amount of analysis of each packet that you can do, even the contents perhaps?