Slashdot Mirror

← Back to Stories (view on slashdot.org)

NZ Firm Shows Anti-DDoS Tool

Posted by timothy on from the it's-only-a-model dept.

An Anonymous Coward writes: "ComputerWorld NZ is covering a story about a New Zealand company, Esphion Ltd having coverage at the recent JWID (Joint Warrior Interoperability Demonstration), with their anti-DDoS tool. From the article (here), it looks like it seems to work pretty well."

9 of 110 comments (clear)

  1. I wonder if any anti-DDoS tool would help... by DocSnyder · · Score: 5, Funny

    ...against the /. effect.

    1. Re:I wonder if any anti-DDoS tool would help... by ymgve · · Score: 5, Insightful

      I know you were joking, but the answer is no. The problem with a slashdotting is that it is completely legitimate traffic from tens of thousands of different sites. As far as I figured it out, these guys dynamically block IPs that are identified as DDOS participants (Since a DDOS has far lesser 'attackers' than a slashdotting) and can then make the network more resistant to all the traffic.

      (On the other hand, the slashdot effect often takes place because of the stress on the server, not the connection pipe itself, so a simple referrer denial would limit the effect rather much)

  2. Nothing really new... by juliao · · Score: 4, Interesting
    For those of you who haven't read the article, the tool works, like so many others, in 2 ways: detection and reaction.

    As far as detection goes, they use both traffic signatures and statistical anomaly detection. Meaning that yes, it can effectively block the /. effect (if not too well configured). Any rise in traffic that falls way outside the "usual" traffic pattern gets flagged as an attack.

    Now as far as reaction goes, this is where it gets interesting. Not only can they configure local traffic control devices (router, firewall, etc) to block traffic, they can also escalate the traffic block to the next upstream router/firewall/etc. That, of course, requires some degree of collaboration from the upstream party.

    As an example, this means that if you, at home, detect a SYN flood from a specific netblock, you can not only block it but you can tell your ISP to block it for you, automatically, in real time.

    What remains to be seen is a) whether this is secure at all, or if there are flaws in the block-requesting protocol and algorithm, b) if service providers are willing and able to implement this kind of collaborative system to work on behalf of their users, and c) what kind of investment will service providers need in order to upgrade their routers/firewalls/etc so that they can process a potentially huge number of specific blocking rules for their customers. Yes, every rule requires router CPU, and yes, if you have too many of them, you need a bigger router or things start to slow to a crawl.

    This kind of system is definitely good for you, but will it ever see light in commercial terms?

    --

    free the mallocs!

  3. New Kind of Attack by OffTheRack · · Score: 4, Insightful

    If the up-stream blocking controls have security flaws, a new kind of attack might become popular: wall off sites instead of flood them.

    Could be nasty if not done right.

  4. I guess by MrFredBloggs · · Score: 4, Insightful

    someone will target them now, to test their claims!

  5. interesting but I think it could be done ... by kipple · · Score: 5, Interesting
    ...using no "software" but, say, any standard routing protocol.
    my idea (anyone wants to discuss? mail me: kipple at muug dot it) goes like that:

    - once a traffic sensor (bandwidth sensor? Mtrg?) detects an abnormal increase of traffic coming from a particular source route, it contacts the first router it knows on that path to the flooding source; this first-hop router detects the next-hop router, until the source of the flood itself is found and either shaped (good) or blocked for a while (bad but necessary some times).

    - all other legitimate connections can still pass through and reach the original service (being it a webpage or anything else), and only the flooders are blocked

    - in today's anti-flood systems, it is only prevented for the server to crash under high load, but still the packets are coming down the wire. using the routers won't clog the wire of the victim

    - also, there is no possibility to spoof those 'router communications', as there isn't today a way to fake OSPF or other protocols to fool routers. also cryptographically signed communications between routers could be implemented

    - Plus, if a source route is spoofed, the router won't care (we're talking about low-level routing, not just IP based). So, no DNS spoofing and flooding (and therefore the site will still be able to access basic services - no blocking as in some misdesigned "active" firewalls).

    I think that using this technique it will be possible to avoid many DOS-based attacks, but still not all: what if a LOT of zombies are requesting services from a particular website at a 'normal' rate? I fear thit has no solution: it resembles too much a normal user activity, and it is a problem of designing the services (or providing enough bandwidth, or splitting the service among different sites on different uplinks), and not a routing problem.

    so, thoughts, suggestions?
    --
    -- There are two kind of sysadmins: Paranoids and Losers. (adapted from D. Bach)
  6. I think by gusnz · · Score: 5, Funny

    we just did!

    --
    <!-- DHTML / JavaScript menu, popup tooltip, Ajax scripts -->
  7. telnet www.esphion.com 80 by jukal · · Score: 5, Funny

    HTTP/1.1 200 OK
    Date: Tue, 28 May 2002 09:41:32 GMT
    Server: Apache/1.3.19 (Unix)
    FrontPage/5.0.2.2510 mod_ssl/2.8.3 OpenSSL/0.9.6b

    I quess their product is so good, they can risk installing the frontpage extension in there. See who else thought so (defaced websites collection & HTTP info).

  8. Statistical != good by Quixote · · Score: 4, Insightful
    The problem with such 'statistical' tools is that statistics can easily be faked. For example: since they are looking for a 1:1 ratio between SYNs and FINs, all the DDoS initiator has to do is alternate between SYNs and FINs.

    Also, as others have mentioned, there's not much anyone can do about faked source IPs. Egress filtering would be a way to counter this, but for some reason not many ISPs do it.