Slashdot Mirror
NZ Firm Shows Anti-DDoS Tool
An Anonymous Coward writes: "ComputerWorld NZ is covering a story about a New Zealand company, Esphion Ltd having coverage at the recent JWID (Joint Warrior Interoperability Demonstration), with their anti-DDoS tool. From the article (here), it looks like it seems to work pretty well."
...against the /. effect.
"it looks like it seems to work pretty well."
I guess it's pretty good at appearing to work.
As far as detection goes, they use both traffic signatures and statistical anomaly detection. Meaning that yes, it can effectively block the /. effect (if not too well configured). Any rise in traffic that falls way outside the "usual" traffic pattern gets flagged as an attack.
Now as far as reaction goes, this is where it gets interesting. Not only can they configure local traffic control devices (router, firewall, etc) to block traffic, they can also escalate the traffic block to the next upstream router/firewall/etc. That, of course, requires some degree of collaboration from the upstream party.
As an example, this means that if you, at home, detect a SYN flood from a specific netblock, you can not only block it but you can tell your ISP to block it for you, automatically, in real time.
What remains to be seen is a) whether this is secure at all, or if there are flaws in the block-requesting protocol and algorithm, b) if service providers are willing and able to implement this kind of collaborative system to work on behalf of their users, and c) what kind of investment will service providers need in order to upgrade their routers/firewalls/etc so that they can process a potentially huge number of specific blocking rules for their customers. Yes, every rule requires router CPU, and yes, if you have too many of them, you need a bigger router or things start to slow to a crawl.
This kind of system is definitely good for you, but will it ever see light in commercial terms?
free the mallocs!
If the up-stream blocking controls have security flaws, a new kind of attack might become popular: wall off sites instead of flood them.
Could be nasty if not done right.
I accept that a tool such as this can successfully detect and stop DOS attacks, but is it clever enough to allow for legitimate spikes? If anything, I think that the real challenge is in sorting the binary wheat from the chaff and while the article does make mention of this factor, it doesn't say that normal traffic spikes were ignored and allowed to complete their transactions during an attack.
someone will target them now, to test their claims!
Tools to defend against SYN floods, fragmentation attacks and the likes have been available for a long time (think SYN cookies, for instance). In that regard, this product is probably a good solution.
:)
But as of today's technology, there is NOTHING you can do if someone manages to overload your link. The only solution for your provider is to shut down your link (nullrouting you, for instance), which doesn't help you much
In the example given in the article, the only thing they do is preventing the DDoS to spread to other branches of their network, which it was unlikely to do anyway. The initial victim network remains down, and there's nothing they can do about that (unfortunately).
As far as detection goes, they use both traffic signatures and statistical anomaly detection. Meaning that yes, it can effectively block the
From the article:
The first task is to detect either an anomalous rise in traffic volume, an unusual ratio between connection set-ups and tear-downs - the ratio being 1:1 in legitimate traffic - or a worm signature. The first necessitates careful analysis and subtraction of normal variability of traffic during the day. NetDeflect then identifies the nature of the spurious traffic and puts a filter in its way, or, in the case of a worm, disconnects the specific channel the worm is using.
Since it can't block all the 4000 source IP addresses of the /. effect if would have to block of the "channel", that is all traffic to the local HTTP port, effectively closing the shop for business .
It would be stretching it to call that "blocking the attack"
!! Nobody can block the /. effect !!
echo '[q]sa[ln0=aln80~Psnlbx]16isb572CCB9AE9DB03273snlbxq' |dc
my idea (anyone wants to discuss? mail me: kipple at muug dot it) goes like that:
- once a traffic sensor (bandwidth sensor? Mtrg?) detects an abnormal increase of traffic coming from a particular source route, it contacts the first router it knows on that path to the flooding source; this first-hop router detects the next-hop router, until the source of the flood itself is found and either shaped (good) or blocked for a while (bad but necessary some times).
- all other legitimate connections can still pass through and reach the original service (being it a webpage or anything else), and only the flooders are blocked
- in today's anti-flood systems, it is only prevented for the server to crash under high load, but still the packets are coming down the wire. using the routers won't clog the wire of the victim
- also, there is no possibility to spoof those 'router communications', as there isn't today a way to fake OSPF or other protocols to fool routers. also cryptographically signed communications between routers could be implemented
- Plus, if a source route is spoofed, the router won't care (we're talking about low-level routing, not just IP based). So, no DNS spoofing and flooding (and therefore the site will still be able to access basic services - no blocking as in some misdesigned "active" firewalls).
I think that using this technique it will be possible to avoid many DOS-based attacks, but still not all: what if a LOT of zombies are requesting services from a particular website at a 'normal' rate? I fear thit has no solution: it resembles too much a normal user activity, and it is a problem of designing the services (or providing enough bandwidth, or splitting the service among different sites on different uplinks), and not a routing problem.
so, thoughts, suggestions?-- There are two kind of sysadmins: Paranoids and Losers. (adapted from D. Bach)
i wonder if they tested by hitting big ecommerce sites for 6 straight days in order to develop the tool
How would you propose to stop forged DDOS from netblock 0/0? Since this is how most DDOS tools operate, and one would assume that any credible attacker was able to send forged packets onto the net, I'd be very interested to know this. You can't solve the problem with upstream blocking unless you are willing to cut off a possibly very large portion of the net.
My proposal would be a giant lookup hash by IP, storing the number of active sessions between the protected network and the IP (or a CAM, but that may be kind of expensive). On receiving a SYN packet in "attack" mode, look up the IP address.
Now, if the number of sessions exceeds attack parameter, drop it and mark the IP as "attacking". Time out the IPs after a while to stop the hash from being huge.
If the number of sessions is zero, send a SYN-ACK, and mark the IP as "possible client". If the client responds with appropriate sequence numbers, proxy the tcp session to the target, forward the new packet, and increment the number of active sessions. If the client retransmits early, flag the IP as an attacker.
Now that is not perfect, but it will stop same IP-multiple session attacks, as well as making it harder on DDOS tools (must retransmit, but not too fast, limited to receivable IP addresses), which increases memory load, but most importantly means you can't forge addresses, so netblock blocks will work.
The other issue is variable IP. Many broadband users are given a variable IP to stop their customers from running servers. Once a user has bust a quote for a given IP address, they can just reconnect and probably get a new IP assigned and repeat the process. They may get the ISP address pool blocked, but that is an issue by itself if the ISP is big enough.
we just did!
<!-- DHTML / JavaScript menu, popup tooltip, Ajax scripts -->
HTTP/1.1 200 OK
Date: Tue, 28 May 2002 09:41:32 GMT
Server: Apache/1.3.19 (Unix)
FrontPage/5.0.2.2510 mod_ssl/2.8.3 OpenSSL/0.9.6b
I quess their product is so good, they can risk installing the frontpage extension in there. See who else thought so (defaced websites collection & HTTP info).
Readers may want to have a look at a GPL'd DoS/DDoS detection tool under development at the moment, found here.
-- fsck your brains
The industry standard baseball bat has a much better effect, is longer lasting, does not require uplink co-operation and is considerably cheaper
./DoS ip
Tests have shown that it is especially effective when aimed at the fingers, thus rendering the script kiddy unable to type
I find this very amusing that the parent post is modded redundant.
/. would be posting uninsiteful drivel....oh wait. But I digress.
Like anyone ever clicks through to the actual articles and reads them. I salute you, Great American Hero---->Pasting-the-General-Idea-of-the-Story- Man! If it wasn't for you, 75% of
Actually, I think the redundant mod should be shot, same as over-rated. We need new mods:Duh, No shit, and Silly Flamer. Those could work just as well as under/over-rated.
Sent from your iPad.
Also, as others have mentioned, there's not much anyone can do about faked source IPs. Egress filtering would be a way to counter this, but for some reason not many ISPs do it.
An interesting read. Recommendations for the Protection against DDOS found at the task force sicheres internet )
This is one way to both identify and isolate the problem at a distance from the DDoS targets, that information can now be used to shut off the flood closer to the sources. How close is a matter of how deeply you arrange your defense.
I don't know if this is an element of what NetDeflect is using, they mention symmetry of connect creation/teardown. This is more expensive in terms of detection, but also more applicableto the local permiter.
Linux is Linux, if One need clarify their dist: <Dist>/GNU Linux
bsds are of course just BSD
Actually, I think the answer is yes.
Even though slashdotting brings in a metric buttload of legitimate traffic, a Web site designed for high traffic scalability can include some kind of "surge protection", such as that provided by 'Content Deli ve ry Networks' such as Akamai, Mirror Image, etc.
Today's CDNs respond in realtime to traffic surges. If there's a sudden upswing in client-side demand, the CDN responds by distributing the content and the server-side load more widely across a larger number of servers, topologically selected to minimize network delays, etc.
Today the bottleneck with highly intereactive Web sites, even those that use CDNs, comes from the back-end databases that manage the content and drive the site. There's still lo ts of smart work to be done there with intelligent caching and content distribution.
-Mark Kriegsman
Founder, Clearway Technologies (which was subsequently purchased by Mirror Image),el
Without the cooperation of ever Tier-1 ISP (UUNET, C&W, Qwest, Sprint, etc.) and router/switch vendor (Cisco, Juniper) this technology will never work. You need to have the anti-DDoS devices installed at every ingress point to sample traffic. News Flash! The major ISP's are barely making it financially as it is, why are they going to build out new infrastructure now? Attack traffic causes customer links to burst, thus increasing ISP fees. Dirty little secrect of bandwidth providers: "DoS attacks make them money. Why stop them?"
If you are a Tier-2 ISP or a military network the tools will tell you the attack is coming from *gasp* the internet. You still will need to call upstream to filter the traffic.
This is such a useless technology without major backbone cooperation. People just don't get it.
Comments like yours are exactly why I stopped reading Slashdot*. You may have visited New Zealand but that doesn't stop you being retarded and writing stupid brainless comments.
(* The only reason I'm posting here is because a friend sent me the link.)