Slashdot Mirror


NZ Firm Shows Anti-DDoS Tool

An Anonymous Coward writes: "ComputerWorld NZ is covering a story about a New Zealand company, Esphion Ltd, having coverage at the recent JWID (Joint Warrior Interoperability Demonstration) with their anti-DDoS tool. From the article (here), it looks like it seems to work pretty well."

11 of 110 comments

  1. Re:I wonder if any anti-DDoS tool would help... by ymgve · Score: 5, Insightful

    I know you were joking, but the answer is no. The problem with a slashdotting is that it is completely legitimate traffic from tens of thousands of different sites. As far as I figured it out, these guys dynamically block IPs that are identified as DDoS participants (since a DDoS has far fewer 'attackers' than a slashdotting) and can then make the network more resistant to all the traffic.

    (On the other hand, the slashdot effect often takes place because of the stress on the server, not the connection pipe itself, so a simple referrer denial would limit the effect rather much)

  2. New Kind of Attack by OffTheRack · Score: 4, Insightful

    If the up-stream blocking controls have security flaws, a new kind of attack might become popular: wall off sites instead of flood them.

    Could be nasty if not done right.

  3. I guess by MrFredBloggs · Score: 4, Insightful

    someone will target them now, to test their claims!

  4. Re:Nothing really new... by hdparm · Score: 3, Insightful
    Agreed - commercial use would be possible but to make it meaningful, co-operation between providers is a must. Otherwise it becomes very expensive.

    I guess that's why it's been shown (and probably targeted) to military installations.

  5. Re:But will it let the good stuf through? by Anonymous Coward · Score: 1, Insightful

    The other assumption is that it's not inspecting packets, which any decent DDoS screener would be doing. Simply looking at how many connections there are is irrelevant, as many attacks are based on having slightly warped packet headers - OK enough to pass through most things, but messed up enough to lock up a specific host/router/what have you. When they're talking about signatures, they don't just mean traffic shape, but entire header signatures. Hence, normal traffic that lacked that matching signature wouldn't be touched.

  6. Re:IP V6 by Slashamatic · Score: 3, Insightful

    Not if you are on ADSL or broadband (the DoSer's favourite target). You have a permanent link to the net, and the links are usually programmed to re-establish themselves automatically. The ISP will usually then allocate a fresh IP address for each connection attempt. Total timeout, a few seconds.

  7. Statistical != good by Quixote · Score: 4, Insightful
    The problem with such 'statistical' tools is that statistics can easily be faked. For example: since they are looking for a 1:1 ratio between SYNs and FINs, all the DDoS initiator has to do is alternate between SYNs and FINs.

    Also, as others have mentioned, there's not much anyone can do about faked source IPs. Egress filtering would be a way to counter this, but for some reason not many ISPs do it.

  8. wrong... Re:Bullshit by fw3 · Score: 2, Insightful
    DDoS attacks use spoofed addresses. This generates traffic asymmetry in the upstream routers (e.g. more SYNs than ACKs come through the routers that are gating the DDoS, more ACKs than SYNs return toward the spoofed IPs). Using this for isolating DDoS sources was presented at the '01 USENIX Security Symposium.

    This is one way to both identify and isolate the problem at a distance from the DDoS targets, that information can now be used to shut off the flood closer to the sources. How close is a matter of how deeply you arrange your defense.

    I don't know if this is an element of what NetDeflect is using; they mention symmetry of connect creation/teardown. This is more expensive in terms of detection, but also more applicable to the local perimeter.

    --
    Linux is Linux, if One need clarify their dist: <Dist>/GNU Linux
    bsds are of course just BSD
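The two comments above make complementary points: a bare SYN:FIN ratio can be gamed by an attacker who sends a FIN for every SYN, while the handshake asymmetry fw3 describes (SYNs that are never followed by the client's ACK) cannot be faked from a spoofed source, because the spoofed host never sees the SYN-ACK. The following Python is an added example, not code from Esphion, NetDeflect or anyone in this thread. It scores constructed one-way packet records per destination rather than per source, since spoofed sources make per-source counts meaningless; the (src, dst, sport, flags) record layout, the thresholds, and all addresses are assumptions of the example.

```python
"""Toy SYN/FIN symmetry detector (added example, not from the thread).

Shows that a "statistical" SYN:FIN ratio is evaded by alternating SYNs
and FINs, while counting flows that never completed the three-way
handshake is not. Records are constructed inline; the
(src, dst, sport, flags) layout is an assumption of this example.
"""
from collections import defaultdict


def syn_fin_ratio(records):
    """Naive statistic: per destination, SYNs seen divided by FINs seen."""
    syn = defaultdict(int)
    fin = defaultdict(int)
    for _src, dst, _sport, flags in records:
        if "SYN" in flags and "ACK" not in flags:
            syn[dst] += 1
        if "FIN" in flags:
            fin[dst] += 1
    return {d: (syn[d] / fin[d] if fin[d] else float("inf"))
            for d in set(syn) | set(fin)}


def naive_flag(records, max_ratio=3.0):
    """Destinations whose SYN:FIN ratio exceeds max_ratio (assumed threshold)."""
    return sorted(d for d, r in syn_fin_ratio(records).items() if r > max_ratio)


def incomplete_flows(records):
    """Per destination, flows that sent a SYN but never the bare ACK that
    completes the three-way handshake (left half-open or torn down early).
    A spoofed source cannot send that ACK: the SYN-ACK never reaches it."""
    state = {}  # (src, dst, sport) -> "syn" or "est"
    for src, dst, sport, flags in records:
        key = (src, dst, sport)
        if "SYN" in flags and "ACK" not in flags:
            state[key] = "syn"
        elif "ACK" in flags and "FIN" not in flags and state.get(key) == "syn":
            state[key] = "est"
    counts = defaultdict(int)
    for (_src, dst, _sport), st in state.items():
        if st != "est":
            counts[dst] += 1
    return dict(counts)


def stateful_flag(records, min_incomplete=10):
    """Destinations with at least min_incomplete never-established flows."""
    return sorted(d for d, n in incomplete_flows(records).items()
                  if n >= min_incomplete)


def build_sample_records():
    """Constructed traffic: two legitimate sessions to 203.0.113.10, a plain
    SYN flood against 203.0.113.20 and an alternating SYN/FIN flood against
    203.0.113.30, each flood from 50 spoofed sources in 192.0.2.0/24."""
    recs = []
    # Legitimate clients: SYN, handshake ACK, a data segment, FIN/ACK.
    for client, sport in (("198.51.100.7", 40001), ("198.51.100.9", 40002)):
        for flags in ({"SYN"}, {"ACK"}, {"ACK", "PSH"}, {"FIN", "ACK"}):
            recs.append((client, "203.0.113.10", sport, flags))
    # Plain SYN flood: nothing but SYNs, so the naive ratio goes to infinity.
    for i in range(1, 51):
        recs.append((f"192.0.2.{i}", "203.0.113.20", 50000 + i, {"SYN"}))
    # Alternating flood (the evasion from comment 7): a FIN follows every
    # SYN, so the ratio is exactly 1:1, but no flow ever sends the ACK.
    for i in range(1, 51):
        recs.append((f"192.0.2.{i}", "203.0.113.30", 50000 + i, {"SYN"}))
        recs.append((f"192.0.2.{i}", "203.0.113.30", 50000 + i, {"FIN"}))
    return recs


if __name__ == "__main__":
    sample = build_sample_records()
    print("ratio    :", syn_fin_ratio(sample))
    print("naive    :", naive_flag(sample))    # only the plain SYN flood
    print("stateful :", stateful_flag(sample)) # both floods
```

Run stand-alone, the naive ratio check flags only 203.0.113.20; the alternating flood against 203.0.113.30 looks like ordinary connection churn to it. The handshake-state check flags both, at the cost of keeping per-flow state, which is the "more expensive in terms of detection" trade-off fw3 mentions.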
  9. Re:such a good idea? by Anonymous Coward · Score: 1, Insightful

    How many DDoS'ed anonymous websites/individuals for each mediatised attack?

    10 ?
    100 ?
    10000 ?

    DDoS harms the target, and all the others in between this target and the attacker. Think about it next time your emails are slow to download or when a website you're browsing is hardly responding...

  10. Anti-DDoS technology is snake-oil by Anonymous Coward · Score: 2, Insightful

    Without the cooperation of every Tier-1 ISP (UUNET, C&W, Qwest, Sprint, etc.) and router/switch vendor (Cisco, Juniper) this technology will never work. You need to have the anti-DDoS devices installed at every ingress point to sample traffic. News Flash! The major ISPs are barely making it financially as it is, why are they going to build out new infrastructure now? Attack traffic causes customer links to burst, thus increasing ISP fees. Dirty little secret of bandwidth providers: "DoS attacks make them money. Why stop them?"

    If you are a Tier-2 ISP or a military network the tools will tell you the attack is coming from *gasp* the internet. You still will need to call upstream to filter the traffic.

    This is such a useless technology without major backbone cooperation. People just don't get it.

  11. Re:Nothing really new... by espo812 · Score: 2, Insightful

    If networks would refuse to route traffic that isn't legitimate from their network then this wouldn't be an issue.

    --

    espo
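Comments 7 and 11 both come down to source-address filtering at the network edge: a provider drops packets leaving a customer network whose source address is not one that customer was assigned (what this thread calls egress filtering and BCP 38 calls ingress filtering, depending on whose edge you stand at). The configuration below is an added illustration in Cisco IOS syntax, not anything from the article or the thread; the customer prefix 203.0.113.0/24 and the interface names are hypothetical values chosen for the example.

```text
! Added example: drop customer traffic with a source outside the customer's
! own prefix. 203.0.113.0/24 and GigabitEthernet0/1 are assumed values.
ip access-list extended CUSTOMER-SOURCE-FILTER
 permit ip 203.0.113.0 0.0.0.255 any
 deny   ip any any log
!
interface GigabitEthernet0/1
 description Customer uplink, filter applied inbound to the provider
 ip access-group CUSTOMER-SOURCE-FILTER in
!
! Where the customer is single-homed, strict unicast RPF does the same job
! without a hand-maintained list: a packet is dropped unless the route
! back to its source points out the interface it arrived on.
interface GigabitEthernet0/2
 description Second customer uplink, uRPF instead of an ACL
 ip verify unicast source reachable-via rx
```

Either form stops that customer from sourcing the spoofed SYNs the earlier comments describe. It does nothing about floods from unfiltered networks, which is exactly why comments 7 and 10 note that the technique only helps when providers adopt it broadly.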