Slashdot Mirror

← Back to Stories (view on slashdot.org)

NZ Firm Shows Anti-DDoS Tool

Posted by timothy on from the it's-only-a-model dept.

An Anonymous Coward writes: "ComputerWorld NZ is covering a story about a New Zealand company, Esphion Ltd having coverage at the recent JWID (Joint Warrior Interoperability Demonstration), with their anti-DDoS tool. From the article (here), it looks like it seems to work pretty well."

17 of 110 comments (clear)

  1. I wonder if any anti-DDoS tool would help... by DocSnyder · · Score: 5, Funny

    ...against the /. effect.

    1. Re:I wonder if any anti-DDoS tool would help... by ymgve · · Score: 5, Insightful

      I know you were joking, but the answer is no. The problem with a slashdotting is that it is completely legitimate traffic from tens of thousands of different sites. As far as I figured it out, these guys dynamically block IPs that are identified as DDOS participants (Since a DDOS has far lesser 'attackers' than a slashdotting) and can then make the network more resistant to all the traffic.

      (On the other hand, the slashdot effect often takes place because of the stress on the server, not the connection pipe itself, so a simple referrer denial would limit the effect rather much)

    2. Re:I wonder if any anti-DDoS tool would help... by FrostedWheat · · Score: 3, Funny

      The only known defense against slashdotting is to have a crappy unimportant website.

      Oh wait... nevermind.

  2. it what now? by AndyChrist · · Score: 3, Funny

    "it looks like it seems to work pretty well."

    I guess it's pretty good at appearing to work.

  3. Nothing really new... by juliao · · Score: 4, Interesting
    For those of you who haven't read the article, the tool works, like so many others, in 2 ways: detection and reaction.

    As far as detection goes, they use both traffic signatures and statistical anomaly detection. Meaning that yes, it can effectively block the /. effect (if not too well configured). Any rise in traffic that falls way outside the "usual" traffic pattern gets flagged as an attack.

    Now as far as reaction goes, this is where it gets interesting. Not only can they configure local traffic control devices (router, firewall, etc) to block traffic, they can also escalate the traffic block to the next upstream router/firewall/etc. That, of course, requires some degree of collaboration from the upstream party.

    As an example, this means that if you, at home, detect a SYN flood from a specific netblock, you can not only block it but you can tell your ISP to block it for you, automatically, in real time.

    What remains to be seen is a) whether this is secure at all, or if there are flaws in the block-requesting protocol and algorithm, b) if service providers are willing and able to implement this kind of collaborative system to work on behalf of their users, and c) what kind of investment will service providers need in order to upgrade their routers/firewalls/etc so that they can process a potentially huge number of specific blocking rules for their customers. Yes, every rule requires router CPU, and yes, if you have too many of them, you need a bigger router or things start to slow to a crawl.

    This kind of system is definitely good for you, but will it ever see light in commercial terms?

    --

    free the mallocs!

    1. Re:Nothing really new... by hdparm · · Score: 3, Insightful
      Agreed - commercial use would be possible but to make it meaningful, co-operation between providers is a must. Otherwise it becomes very expensive.

      I guess that's why it's been shown (and probably targeted) to military installations.

  4. New Kind of Attack by OffTheRack · · Score: 4, Insightful

    If the up-stream blocking controls have security flaws, a new kind of attack might become popular: wall off sites instead of flood them.

    Could be nasty if not done right.

  5. I guess by MrFredBloggs · · Score: 4, Insightful

    someone will target them now, to test their claims!

  6. I wouldn't call it blocking the /. effect. by AftanGustur · · Score: 3, Interesting


    As far as detection goes, they use both traffic signatures and statistical anomaly detection. Meaning that yes, it can effectively block the /. effect (if not too well configured).

    From the article:
    The first task is to detect either an anomalous rise in traffic volume, an unusual ratio between connection set-ups and tear-downs - the ratio being 1:1 in legitimate traffic - or a worm signature. The first necessitates careful analysis and subtraction of normal variability of traffic during the day. NetDeflect then identifies the nature of the spurious traffic and puts a filter in its way, or, in the case of a worm, disconnects the specific channel the worm is using.

    Since it can't block all the 4000 source IP addresses of the /. effect if would have to block of the "channel", that is all traffic to the local HTTP port, effectively closing the shop for business .

    It would be stretching it to call that "blocking the attack"

    !! Nobody can block the /. effect !!

    --
    echo '[q]sa[ln0=aln80~Psnlbx]16isb572CCB9AE9DB03273snlbxq' |dc
  7. interesting but I think it could be done ... by kipple · · Score: 5, Interesting
    ...using no "software" but, say, any standard routing protocol.
    my idea (anyone wants to discuss? mail me: kipple at muug dot it) goes like that:

    - once a traffic sensor (bandwidth sensor? Mtrg?) detects an abnormal increase of traffic coming from a particular source route, it contacts the first router it knows on that path to the flooding source; this first-hop router detects the next-hop router, until the source of the flood itself is found and either shaped (good) or blocked for a while (bad but necessary some times).

    - all other legitimate connections can still pass through and reach the original service (being it a webpage or anything else), and only the flooders are blocked

    - in today's anti-flood systems, it is only prevented for the server to crash under high load, but still the packets are coming down the wire. using the routers won't clog the wire of the victim

    - also, there is no possibility to spoof those 'router communications', as there isn't today a way to fake OSPF or other protocols to fool routers. also cryptographically signed communications between routers could be implemented

    - Plus, if a source route is spoofed, the router won't care (we're talking about low-level routing, not just IP based). So, no DNS spoofing and flooding (and therefore the site will still be able to access basic services - no blocking as in some misdesigned "active" firewalls).

    I think that using this technique it will be possible to avoid many DOS-based attacks, but still not all: what if a LOT of zombies are requesting services from a particular website at a 'normal' rate? I fear thit has no solution: it resembles too much a normal user activity, and it is a problem of designing the services (or providing enough bandwidth, or splitting the service among different sites on different uplinks), and not a routing problem.

    so, thoughts, suggestions?
    --
    -- There are two kind of sysadmins: Paranoids and Losers. (adapted from D. Bach)
  8. I think by gusnz · · Score: 5, Funny

    we just did!

    --
    <!-- DHTML / JavaScript menu, popup tooltip, Ajax scripts -->
  9. telnet www.esphion.com 80 by jukal · · Score: 5, Funny

    HTTP/1.1 200 OK
    Date: Tue, 28 May 2002 09:41:32 GMT
    Server: Apache/1.3.19 (Unix)
    FrontPage/5.0.2.2510 mod_ssl/2.8.3 OpenSSL/0.9.6b

    I quess their product is so good, they can risk installing the frontpage extension in there. See who else thought so (defaced websites collection & HTTP info).

  10. GPL'd DoS/DDoS detection tool by ckotso · · Score: 3, Interesting

    Readers may want to have a look at a GPL'd DoS/DDoS detection tool under development at the moment, found here.

    --
    -- fsck your brains
  11. I still maintain that its not the best solution... by GnomeKing · · Score: 3, Funny

    The industry standard baseball bat has a much better effect, is longer lasting, does not require uplink co-operation and is considerably cheaper

    Tests have shown that it is especially effective when aimed at the fingers, thus rendering the script kiddy unable to type ./DoS ip

  12. Re:IP V6 by Slashamatic · · Score: 3, Insightful

    Not if you are on ADSL or broadband (the DOSer's favourite target). You have a permanent link to the net, the links are usually programmed to resestablish themselves automatically. The ISP will usually then allocate a fresh IP address for each connection attempt. Total timout, a few seconds.

  13. Statistical != good by Quixote · · Score: 4, Insightful
    The problem with such 'statistical' tools is that statistics can easily be faked. For example: since they are looking for a 1:1 ratio between SYNs and FINs, all the DDoS initiator has to do is alternate between SYNs and FINs.

    Also, as others have mentioned, there's not much anyone can do about faked source IPs. Egress filtering would be a way to counter this, but for some reason not many ISPs do it.

  14. Content Delivery Networks (like Akamai) by kriegsman · · Score: 3, Interesting

    Actually, I think the answer is yes.

    Even though slashdotting brings in a metric buttload of legitimate traffic, a Web site designed for high traffic scalability can include some kind of "surge protection", such as that provided by 'Content Deli ve ry Networks' such as Akamai, Mirror Image, etc.

    Today's CDNs respond in realtime to traffic surges. If there's a sudden upswing in client-side demand, the CDN responds by distributing the content and the server-side load more widely across a larger number of servers, topologically selected to minimize network delays, etc.

    Today the bottleneck with highly intereactive Web sites, even those that use CDNs, comes from the back-end databases that manage the content and drive the site. There's still lo ts of smart work to be done there with intelligent caching and content distribution.

    -Mark Kriegsman
    Founder, Clearway Technologies (which was subsequently purchased by Mirror Image),el