Beyond Firewalls — Internet Militarization

angry tapir writes "One of the discussions at the Source Boston Security Showcase has been the militarization of the Internet. Governments looking to silence critics and stymie opposition have added DDOS attacks to their censoring methods, according to Jose Nazario, senior security researcher at Arbor Networks, with international political situations spawning DDOS attacks."

How dare the military invade our internet

[Flibberdy]

It's not like they started it or... Oh wait... D'oh

Re:How dare the military invade our internet

Whoa, wait, the US government is DDOS'ing? That doesn't sound right.

And so...

[Soutar]

DMZ became null.

Militarization?

[morgan_greywolf]

Oh, come on. This is just more hysteria manufactured by people looking for money, fame and fortune.

A DDOS attack is hardly the same the thing as a shell and mortar attack. For one thing, a DDOS doesn't do, and by definition, can't do permanent damage, nor can it kill people.

Can we all just lay off the hype machine a little bit?

Re:Militarization?

Fair and Balanced News for Nerds

Re:Militarization?

Have you ever had your server vaporised by slashdot paramilitary forces?

Re:Militarization?

[Chrisq]

Sadly I think that many people would be more upset about a day's outage of their bank than a real shell and mortar attack in Somalia, Iraq, or the Gaza Strip.

Re:Militarization?

[morgan_greywolf]

Sadly I think that many people would be more upset about a day's outage of their bank than a real shell and mortar attack in Somalia, Iraq, or the Gaza Strip.

Well I think that many people would be a lot more upset about a shell and mortar attack on any city in their own country than a day's outage at their bank. I speak from experience.

Re:Militarization?

[Chrisq]

Surprisingly I think not always, it could depend where it is in the city. I have spoken to people who live in cities with gang-land areas who see attacks (drive by shootings, houses burned out, etc.) as though it was talking about somewhere the other side of the world. If one gang fired a mortar at another's stronghold this probably would not worry them too much.

Re:Militarization?

[morgan_greywolf]

Well, there's a large difference between gang-land violence and an actual military mortar attack. For one, the gangs, at the most, have AK-9s and Uzis and are primarily aiming to kill each other. A rocket-propelled grenade attack by an organized militia will generally be far more destructive and cost many more lives.

Besides, gang-land areas are probably among the last places a military or paramilitary attack by the enemies of the U.S. are going to attack. I'm sure they could think of much more valuable targets.

Re:Militarization?

[peragrin]

Well then do you consider Hamas a gang or a military. They fire hundreds a rockets yet rarely cause deaths with said attacks.

According to your statement they are no more than a street gang.

Re:Militarization?

Oh, come on. This is just more hysteria manufactured by people looking for money, fame and fortune.

A DDOS attack is hardly the same the thing as a shell and mortar attack. For one thing, a DDOS doesn't do, and by definition, can't do permanent damage, nor can it kill people.

Can we all just lay off the hype machine a little bit?

Of course a DDOS attack on an IP range wouldn't cause any harm to people's health.

Not even if they were in hospital, and their internet connected monitoring equipment (connected so that it could be monitored remotely) was within that IP range...

Re:Militarization?

[morgan_greywolf]

Life critical monitoring equipment is never plugged into the Internet.

Re:Militarization?

[morgan_greywolf]

Nice strawman you got there.

To begin with, I've visited and even lived in gang-infested neighborhoods. It's not as bad as they make it out to be in the movies or in the news media outlets. Yes, it's bad, but no, it's not the same thing as living in a war zone.

Re:Militarization?

[PopeRatzo]

Well, there's a large difference between gang-land violence and an actual military mortar attack.

Morgan has a point.

There is a huge difference between preventing terrorism and fighting a war.

Unfortunately, "war" is something that people who have never been in one think is romantic or exciting. I never thought much about war until my wife and daughter were stuck in Belgrade during the NATO bombing. I'm watching the CNN, seeing US planes, pilots and ordinance doing it's very best to kill my dearest loved-ones.

So, should we fight terrorism with police action or with a "War on Terror"? Clearly, let the cops handle it and get our people out of Iraq before someone else gets hurt.

Re:Militarization?

[PopeRatzo]

No, the West Side of Chicago is not the same as a warzone.

The conceal/carry law that's trying to work it's way through the Illinois Assembly may improve the chances of making it one, though.

Think of a gang and drug-ridden neighborhood, now add the easing of restrictions on the purchase and possession of guns.

I heard a pro-gun writer for Reason Magazine (a dim-wit Libertarian rag) say that there should be "absolutely no restriction" on the sale or possession of any type of firearm" because that's what our Founding Fathers wanted. Well, our Founding Fathers also shit in holes in the ground out in the back yard, so we shouldn't have flush toilets?

Re:Militarization?

War isn't about who can kill more people though. War is about gaining an advantage over an opponent in order to gain their resources for your own. A DDOS attack is definitely a valid military procedure in this interconnected world as with a DDOS attack, you can bring down mission critical systems (Example: when Georgias Communications systems went down during the recent Georgian conflict) in order to spread confusion and help keep your opponent from mustering together a coordinated defense. A crippled defense means that your offensive is less likely to be stopped, and less likely to sustain heavy damage, increasing the odds for victory. Some times the best defense is a good offense, and a DDOS attack can definitely be that little extra to push your offense that little bit further with minimal collateral damage to your own troops.

Re:Militarization?

[Mr.+Slippery]

Life critical monitoring equipment is never plugged into the Internet.

"Should never be" and "never is" are two different things.

And what constitutes "life critical" is fuzzy. Is Google Maps "life critical"? Do you remember the family that got lost and the father froze to death? (It's not clear that the map in this case came from Google Maps, but it show the possibility.)

Is your word processor "life criticial"? Michael Richard was executed after his lawyers were unable to file paperwork by a deadline due to computer problems, under circumstances that would likely have at least postponed his murder by the state.

Is your local park service's database "life critical"? It becomes so when a dead tree that was supposed to be removed falls and kills somebody.

(By the way, if you're a computer professional and you're not reading the RISKS digest, you oughta be.)

Re:Militarization?

[uncledrax]

For one thing, a DDOS doesn't do, and by definition, can't do permanent damage, nor can it kill people.

Firstly, I'm interesting in where you got a definition of DDoS that includes the clause 'cannot do permanent damage'? You're probably thinking of of stuff like blowing up buildings though.. sure.. it's not-likely that a DDoS would blow up a building, but there is a likelihood that it could cause permanent damages. If nothing else because of the inaccessibility of real-time data streams.

If you DDoS a bank during it's nightly batch, you can cause that bank to loose a days worth of interest for example. That's a real and permanent damage.

Ever hear of Telepresence surgery? (I'm sure there are probably safeguards in play for TP-Surgery, but still.. you could be denying life-saving surgery to someone)

True, most of the internet is just kids torrenting and arguing on the internet (like I'm doing right now!), but that doesn't mean it's -all- stuff like that.

Re:Militarization?

[Hijacked+Public]

So you believe that gang members and those involved in the illegal gun trade are sitting around waiting for this law to pass before arming themselves?

How are they murdering one another now?

Re:Militarization?

[morgan_greywolf]

If you DDoS a bank during it's nightly batch, you can cause that bank to loose a days worth of interest for example. That's a real and permanent damage.

I've never worked in a bank before, but I think it's more likely that interest accrues from the time of the actual transaction recorded by the bank, not from the time the transaction was posted electronically by the bank's nightly batch.

Am I wrong? Can someone with financial IT experience tell me if I'm right or not?

Re:Militarization?

Shell and mortar attacks only occur inside israel (except for hamas misfires).

Israel attacks with weapons that ... you know ... actually try to hit their (military) target, instead of random civilians.

Which means it uses neither shells nor mortars. Only hamas (=gaza) uses those weapons.

Re:Militarization?

One word: telepresence. Say a doctor is guiding a a surgery, and a DDOS is launched against the site where the surgery is taking place. Just because you consider the internet a stupid place where lolcats and flame wars take place doesn't mean other people aren't using it for serious things that have real repercussions if they fail.

Re:Militarization?

[wizden]

I used to live in the west side of Chicago. It needs a conceal/carry law that allows citizens to protect themselves. The criminals there already have AK-47 battles in Humboldt Park. Nice logic with the hole in the ground though. How much more gun control can you get in a city that absolutely bans handguns? At what point will you admit that it isn't working? How does your "more gun control" argument work when the law can't be taken any further? I could get an illegal gun in 10 minutes in Chicago.

Re:Militarization?

[Registered+Coward+v2]

Oh, come on. This is just more hysteria manufactured by people looking for money, fame and fortune.

A DDOS attack is hardly the same the thing as a shell and mortar attack. For one thing, a DDOS doesn't do, and by definition, can't do permanent damage, nor can it kill people.

Can we all just lay off the hype machine a little bit?

That's right, because it's only information flow that is being disrupted; the core information is intact. It's not like a hospital, emergency services, electric grid, air traffic control or other networks actually need to pass information to work properly.

Re:Militarization?

[hairyfeet]

Silly Silly PopeRatzo, criminals don't follow your stupid laws, that's why we call them criminals. You get rid of all the ways of law abiding citizens to have guns and all you will have is a free for all because the criminals will STILL have guns. You DO realize that, don't you? After all drugs have been illegal for nearly a century, yet I can walk out my door and in less than 30 minutes score any drug I wanted. Do you really think that smuggling a load of guns would be any harder than a load of dope? You anti gun people make me laugh, thinking your silly laws will have any effect on actual criminals. That is just so silly.

Re:Militarization?

do you work for law enforcement? Based on your last couple posts, it seems like you might. You're definitely buying into the entire "cyber-terrorist" bullshit.

A hospital can still provide basic care with its information systems, as can emergency services. You seem to think they'd lose all utility because of a network outage. BS.

Re:Militarization?

[ColdWetDog]

Life critical monitoring equipment is never plugged into the Internet.

Nope, it's hardwired. And in the Pony-world, it will always be so. But in today's buzz word infested, resource strapped Real World, somebody is going to do something stupid like put power generation facility command and control lines on the Internet. That's going to bite somebody.

I think this is all great. Get the military in here and clean up the acts of every nit-wit that thinks the Internet is the key to goddamn everything. Let them DDOS everybody once a year. Get'm on their toes. Good practice.

Why does this remind me of a William Gibson novel (again)?

And before anybody starts on the 'hospitals-need-power' idea - that's what backup generators are for.

Re:Militarization?

[rhsanborn]

What about a DDoS on a major stock exchange for example? Or someone brings down bus/train/air traffic control systems? Before anyone comes in with "The US ATC system is protected by..." that isn't the point. The point is, there are many critical systems that could cause great economic and possibly physical harm if successfully attacked. There are definite problems that can be had by this.

Re:Militarization?

[sabt-pestnu]

The age of wars being "soldiers lining up and shooting at each other" is long over. It looks like the neighborhood cop walking a beat is following.

Things like the Juarez Police Chief getting essentially run out of town to the forces that pushed the Russians out of afghanistan (and the USA in Iraq).

Police in some places have a real fear that simply by being identified as police officers could get their families killed. (masked policemen)

Re:Militarization?

[BadERA]

Depends on the neighborhood. Two different occasions in Rochester, NY, within two weeks of my moving out, people were killed within eyesight of my former homes. One was a robbery/murder, the other was a gangland initiation, totally random killing of a guy riding his bike on a bridge over the Lower Falls of the Genesee River. The latter neighborhood, my apartment was up on a hill, and some weeks, in the summer, it was very much like being in a war zone -- multiple shots, or bursts of shots, from multiple directions, throughout the night, many nights in a row. There was a mob beating of a woman around the same period. There was a drug raid across the street a few weeks previous. There were open-air drug markets on either side of my neighborhood, and all the accompanying violence.

My favorite recollection here was the time I heard what sounded like two people with pistols shooting at one another, because of the rapidity and succession of the shots. Turns out it was two teens shooting at an old lady after a botched robbery attempt, and despite 10-12 shots fired, neither one managed to hit her.

Re:Militarization?

[Cyberax]

So go after the criminals. What's the problem?

Or do you think your gun is going to save you from criminals? Ha!

Re:Militarization?

[uncledrax]

I think thinking more like the transfer of large quantity funds between banks.

Although I'm totally spitting out of my behind since I don't really understand that much of how high finance bank and ACH transactions really work.

Re:Militarization?

[DarkOx]

I hope a TP surgery is being done on um leased lines which are solely under the control of the hospital institutions doing the surgery and the carrier.

Something like that should not be being done of the public internet; it just should not be.

Re:Militarization?

[hairyfeet]

Actually they protect us VERY well, thank you very much. In my little home town we have plenty of drugs, meth labs, etc. but crimes like rape, home invasions, or murder(except one junkie killing another over a dope deal) is almost non existent. Why? Because if you kick someone's door in here you have approximately a 1 in 4 chance of meeting the wrong end of a gun. Now 1 in 4, that's not really good odds when you are lucky to get some cash and maybe a TV.

In the 80s we had crime in a neighboring county shoot up(I think because the previous sheriff there was a "no guns for nobody" type) and when he lost to a law and order guy he cleaned it up REAL quick. How? He said law abiding citizens with no record that could show a need would get a gun permit, and for businesses in high crime neighborhoods he set up these lovely little booths. The booth was basically a large one way mirrored box set up in every store. Below it was a sign "In this booth 4 days a week is an officer with a 12 gauge shotgun ready to defend these premises. You guess which 4." It worked QUITE well, thank you very much.

A 19 year old tweaker with a weapon looking for his next fix or a woman to take his anger out on only respects TWO things: A weapon pointed at his face, or a M.O.M(Mean Old Mutt) and not everyone has the room for a M.O.M. Will some people use their gun to kill themselves? No doubt. Will some use them in anger on a spouse? Again no doubt. But I can get my head bashed in by a tire iron too, but that doesn't mean I should not be able to change a flat. A weapon is just a tool, like any other. If someone uses it irresponsibly to cause another harm or death, punish them severely for it. I would suggest life on a hoe squad. But as we have seen in places like the UK, banning guns does NOT ban violent people from acting out.

But the nice thing about states rights is you are free and can go live in a state that "bans" guns. Won't keep the gangbanger from popping a cap in your ass, but you be sure to tell him he is breaking the law. I'm sure it will help.

Re:Militarization?

[Hurricane78]

Have you ever seen it come back as if nothing happened, after the forces were gone?

Re:Militarization?

[peragrin]

I happen to agree with you, but his statement was worded that gangs use grenades and ak-47's to randomly kill and shoot at each other. they blow things up.

yet the death toll is relatively minor compared to that of a war zone.

Re:Militarization?

[PopeRatzo]

The US has some of the least restrictive gun laws of any developed country and we still have one in 31 Americans in jail and a higher rate of violent crime than almost any other large developed country

I'm not sure you can make the statement that having an armed population lowers crime.

Tell you what, I'll compromise and say that anyone who's served in the armed forces can own and carry a gun as long as they don't have a history of mental illness. But you? No way. You sound too angry to be anywhere near an instrument of deadly force.

Re:Militarization?

[hairyfeet]

And why is that? I have never been convicted of a single crime in my 41 years, no history of mental illness or violence towards anyone. The problem is you are looking for a "nanny state" solution and we have seen time and time again that simply doesn't work.

I have known military men who were truly vicious bastards that would make you piss your pants if you ran into them in a dark alley. But according to you that makes them MORE qualified than me, someone who has grown up around weapons since i was an infant and yet never fired a single round in anger. Why? Because they are approved by the government like our police force? How about a little thing I like to call "personal responsibility"?

How about this: if someone uses a gun to harm someone you actually punish them. No plea bargains, no time off for good behavior, straight time all the way. But you and I both know the reason why we have so much crime here is NOT because of guns, it is because we throw rapists and thugs onto the streets to make room for potheads and junkies in our prisons. If we get rid of ALL victimless crimes, drugs, gambling, and prostitution, and instead used our resources to remove the "revolving door" policies we have had to violent crime I bet we would see crime drop like a rock.

Finally let me leave you with this. How about instead of letting criminals sit in jail and think up frivolous lawsuits and play PS2, we actually make them work for the families they harmed, how about that? Make them work their ass off from sun up to sun down and have the fruits of their labor given to the victims families instead of some corporation who is in this for profits and not the victims. Just the other day I saw an episode of "Cops" where a suspect was running from my state to a neighboring state, in a car with a blown wheel and fire shooting out the front. The camera man from the news chopper thought he was insane. I just laughed and said "I bet he don't want to go to the hoe squad!". Sure enough, when he made it across the TN border the cops grabbed him and said "Why did you do that? Are you crazy!" He said "I've done time in TN and it is nothing like the hoe squad! I have done crimes in TN and I'll confess!". The AR cops just laughed and shook their heads. Now I don't know if it would change things or not, but it sure couldn't hurt to have more jails like that.

But banning guns from citizens like me who have NEVER harmed anyone only insures that we have no defense from those that ignore your laws. Or would you rather I just go score a 45 as easy as I can score a bag now? By passing more nanny state laws all you do is make guys like me into criminals for wanting to be safe. I would quote Atlas Shrugged about governments creating criminals, but you know the bit. But your nanny laws won't keep me and my family safe if someone who doesn't obey your laws kicks in my door. My gun will. And I feel a HELL of a lot safer with it than waiting on some overworked police force while some thug is breaking into my home, thank you VERY much. Are you going to agree to pay my wages to my family for the rest of their lives if your nanny laws get me killed by a criminal? Didn't think so.

The usual response

[MikeRT]

"We do it, so we should expect it in return." Yet, where is the proof that the federal government is actively engaging in the sort of network thuggery that Russia and China indulge in? It's just "common knowledge" that "we do it," especially at a tit-for-tat level.

The main reason I've grown impatient with this line of thought is that it's usually used to defend other countries when they're doing wrong. "The US supported dictators, so why not Russia." Might as well say "two wrongs make a right!"

I guess I'm safe

[kcbanner]

I put my computer in the demilitarized zone.

Re:I guess I'm safe

[morgan_greywolf]

Shhhh! Nobody tell him!

Re:I guess I'm safe

[techwrench]

Or the City of Chico?

Re:I guess I'm safe

I bought a trident board for mine , complete with nukes .

Well, yes.

[tygerstripes]

It was inevitable, surely. Once governments came to realise that the web was becoming a legitimate medium rather than an entity, they would obviously start to employ it in the same way they have every other.

I have to ask: is this story about governments wising-up in the ways of the intertubes and turning it to their advantage, or about the fact that this was discussed at a conference? I'd have thought the former was self-evident, and the latter was completely un-newsworthy. Maybe we can discuss specific examples of political internet jiggery-pokery, but this kind of vague allusion is just going to prompt hot-air discussions with no real content, isn't it?

What makes DDOS hard to stop?

[Late+Adopter]

What makes denial of service attacks so hard to respond to technologically? Our pipes are limited in capacity, surely. Is it not possible to build a router that can mask out requests from IP ranges as fast as they can electrically come in?

Or is the problem more in the "distributed" part than the "denial of service" part? Can a network engineer enlighten me?

Re:What makes DDOS hard to stop?

[morgan_greywolf]

What makes denial of service attacks so hard to respond to technologically?

Really, it's not.

Our pipes are limited in capacity, surely. Is it not possible to build a router that can mask out requests from IP ranges as fast as they can electrically come in?

Yes, such routers actually exist, although even some commercial-grade routers tend to made with low end processors and such that if your pipe is fat enough, it can become overwhelmed.

If you want to stop a DDOS and your firewaall can't seem to mask off IP ranges quickly enough, by far the easiest technological measure is really quite simple: sever the connection. I guarantee you the DDOS will no longer be affecting your equipment at that point.

Our TCP/IP networks were built to survive connections going down. At least if they were built cluefully, anyway.

Re:What makes DDOS hard to stop?

[rhael]

Actually firewalls can filter out ip ranges. The problem is indeed the 'distributed' part, the requests don't come from specific ip ranges, they come from machines all over the internet. It's basicly impossible to see the difference between a request that comes from a user and a request generated by a program

Re:What makes DDOS hard to stop?

[Tuoqui]

It's pretty hard to stop because it is a outright brute force method.

1) All tubes have a limited capacity.
2) If the packet makes it to your router you've already lost. The router's memory and/or processing power is being expended to 'ignore' or 'throw away' packets coming from certain IP ranges.

Distributed makes it harder because the IP addresses do not come from any singular location so you cant just perform an IP range ban. Also the distributed part makes it more difficult to filter out 'garbage/attack' data request from legitimate traffic.

Re:What makes DDOS hard to stop?

[Tuoqui]

If you want to stop a DDOS and your firewaall can't seem to mask off IP ranges quickly enough, by far the easiest technological measure is really quite simple: sever the connection. I guarantee you the DDOS will no longer be affecting your equipment at that point.

Congratulations the attacker just won. You've DOS'ed yourself by yanking the plug. Admittedly this might be a consideration if the DDOS is performing attacks on your servers as well as flooding the tubes to keep your data safe.

Re:What makes DDOS hard to stop?

[drinkypoo]

Our TCP/IP networks were built to survive connections going down. At least if they were built cluefully, anyway.

Well, I am not a super-network-nerd, but my impression is that the reality is very different. As has been pointed out repeatedly there are a limited number of choke points which, when interrupted, disrupt large percentages of internet traffic. In addition you have to generally spend some money to get multihoming. For the home user, no big deal; you might lose your connections-in-progress but it's not likely that you'll have any other serious repercussions. So sure, a home user could back up Cable with DSL, for example, and gain all the most important benefits of multi-homing without even doing anything very complicated. But a business user needs to spend, spend, spend to multi-home. Once you're over a certain size you're going to need multiple connections anyway, so the relative cost of doing this drops considerably.

A lot of things were designed to work much better than they do due to implementation. I suggest that evolution needs to give way to revolution and the internet we know and occasionally love must give way to a somewhat more anarchic mesh-network. Honestly I see a place for both; When I want to communicate with "the system" I'll use "the internet". It is however long past time for the people of the world to just utilize technology to bypass our corporate masters and take control of our own lives.

On that note, anyone have any ideas on the cheapest possible mesh networking currently available which could scale to at least one access point for every human currently on the planet? I suspect that the carrying capacity of earth has been exceeded, at least as we are practicing life, so this is a reasonable upper bound for now. Besides, you don't actually need that many APs.

Re:What makes DDOS hard to stop?

[fuzzyfuzzyfungus]

DDOSes are easy, and hard, to stop in roughly the same way that car bombs are easy, and hard, to stop. It is pretty trivial to have a router just drop traffic from any IP range you care to specify, just as it is pretty trivial to stop an ordinary car with nothing more than light weapons. However, an even remotely competent DDOS will involve traffic from huge numbers of otherwise innocent looking systems scattered among your legitimate users, so you identifying the ones to drop is hard, just as it is hard to find the one car among thousands, and you can't just shoot all drivers.

Re:What makes DDOS hard to stop?

There are different kinds of DDoS attacks which are difficult to stop or work around for different reasons. The type of DDoS which is otherwise known as a Slashdotting typically overloads the server, not the network. Since a couple hundred users can easily overload most servers, all it takes is a small network of zombie PCs. This is difficult to defend against because you can't easily tell if a visitor is interested in your services or just trying to weigh your server down.

Another type of DDoS is a network overload attack. The attacker saturates your network uplink(s) so that legitimate traffic suffers from excessive packet loss. (A variant is an economic DoS attack, where the attacker does not strive to interrupt other traffic directly but aims to increase your cost by pushing usage of your burstable connection above contractual limits, thus forcing you to downgrade the connection and limiting legitimate traffic.) This is difficult to defend against, because once the traffic hits your systems, it doesn't matter that you can throw it away: It has already swamped the connection. At the very least you have to work with your upstream provider(s) to filter out DDoS traffic. If the scale is big enough, they might even have to work with their upstreams. If the DDoS traffic has some characteristic property, filtering should be possible even with varied and changing sources, but it takes some time to find that characteristic and configure the filters accordingly.

Both types of DDoS attack have in common that it's usually impossible (or very very slow and tedious) to make the source of the DDoS traffic stop.

Re:What makes DDOS hard to stop?

[maxume]

It often makes sense to abandon a battle. The attacker only wins if you permanently sever the connection, a temporary disconnection may make lots of sense (and it may not make any sense...).

Re:What makes DDOS hard to stop?

[m0i]

But a business user needs to spend, spend, spend to multi-home.

Wrong. The only cost is implied by the use of potentially bigger pipes sold with BGP service but nowadays you can have a 100mpbs link for $1000.. Technically it costs 0 (open source routers, IPs and routing registries (except RADB) are free.

Re:What makes DDOS hard to stop?

Because your firewall is at your end of the connection. It doesn't matter how effectively your firewall can throw packets away, when they need to go through your internet connection BEFORE reaching your firewall and being thrown away.

An example. Imagine you have a 10 mbit internet connection at home. Your firewall can throw away 100 mbits worth of packets per second. Someone starts DDOS'ing you at 20 mbits. Now your firewall will be 10% loaded, throwing away 10 mbits worth of DDOS packets. The rest don't even get to you, because your connection is already overloaded.

The second problem is the distributed part. In that the rest of the world has more bandwidth than you do (i.e. the sum of everybody else's internet connections is bigger than your internet connection).

Re:What makes DDOS hard to stop?

[drinkypoo]

Wrong. The only cost is implied by the use of potentially bigger pipes sold with BGP service but nowadays you can have a 100mpbs link for $1000.. Technically it costs 0 (open source routers, IPs and routing registries (except RADB) are free.

Well, correct me if I'm wrong - my understanding of this subject is limited to conversations I've had in the distant past - but isn't it true that in the CIDR era your provider has to agree to carry your route if it is actually going to do you any good? Your ISP allocates you a piece of their network, which is already routed. Don't they have to (at minimum) tweak their routes so that they don't override yours? I mean, otherwise you first have to buy a block of addresses, which is (again, to my understanding) now an extremely expensive proposition. And if you can find someone else to resell you a piece of their block, now you're dependent on them to not bone your routes. But please, if it's less fraught with complexity than this, please tell me - and tell me why there's so few people who can do BGP without boning it.

The "Open Source Routers" thing again only typically helps larger shops who can afford to hire their own network admin who understands how to configure such things, or who can apprehend how things are to be done on that platform. A smaller shop is going to need to stick to a well-supported platform so that when they have a problem they can pay for someone to come in and solve it. For most people that means sticking with a major brand with certifications which are worth something, which basically means Cisco. Which means spending big bucks. Also, getting those high-speed links into an open router is itself an expensive proposition; PCI and PCI-E WAN interfaces are pricy. What you save on the service contract you might well lose for lack of a service contract. There is such a thing as TCO and while a DIY approach will work for some shops which already possess the necessary personnel, in most cases something a little more standard (and I don't mean standards-based) is probably a better idea.

Re:What makes DDOS hard to stop?

[wizden]

Super-network-nerd here. Do you own any fiber? Who are you peering with for your magical internet access? Sorry, I don't mean to be a dick but people forget that you actually have to connect to the network at some point. The choke points you speak of are peering points and I have to say if you DDOS them it won't last very long. This is why groups like NANOG exist.

Re:What makes DDOS hard to stop?

[kj_kabaje]

giving up mod points to say this, but must be said. The internet is tubes? So Senator Stevens was right!

Re:What makes DDOS hard to stop?

[bugs2squash]

I gather that if you have a BGP peering relationship, you may be able to signal to your ISP that they should "black hole" traffic from certain IP address ranges before it reaches you.

Perhaps it would help if this were something that could be adopted across the whole internet. For example use a digitally signed source quench message to clobber traffic to the IP address range you own (based on your digital signature) right where it enters the internet (or at least where it enters the first compliant node)

Re:What makes DDOS hard to stop?

[Cyberax]

That's what BGPs are for - it allows YOU to control how your traffic is routed. Because all major routers on the Internet also use BGP to configure routes.

The grandparent is also correct in saying that it doesn't cost much. It's possible to have completely OpenSource router and even modest hardware can handle routing.

Re:What makes DDOS hard to stop?

[Cyberax]

Typo: BGP, not BGPs - I meant BGP-capable routers.

BGP stands for "Border Gateway Protocol", so it can't be plural.

Re:What makes DDOS hard to stop?

[Areyoukiddingme]

On that note, anyone have any ideas on the cheapest possible mesh networking currently available which could scale to at least one access point for every human currently on the planet?

The short answer is, there isn't one. None of the existing wireless networking schemes are designed with mesh networking in mind. None of them are designed with the range required to achieve sufficient density to qualify as a mesh.

A device designed to operate in the ultra wideband (UWB) frequency range is a possibility. In theory such a device could achieve 480 mbit/s at 10m ranges. Attempts to date have fallen rather far short, but that could be addressed by better engineering. Actual devices (wireless microphones) built to use UWB can achieve 8 mbit/s at 20m ranges. That device significantly underutilizes the available spectrum, confining itself to frequencies near 6 GHz. It is also quite conservative about its power output, radiating at 40 nanowatts when the FCC limit is closer to 80 nanowatts. A device that uses more spectrum and more power should be capable both of higher throughput and wider range. Whether or not the range could reach a useful minimum for achieving a mesh network is anyone's guess.

Unfortunately for us all, the IEEE working group that was trying to formalize UWB as part of the 802 specification broke up in 2006, unable to reach an agreement on a good design. So UWB-WiFi (so to speak) isn't being worked on in any real fashion. You can bet they weren't trying to design something that was mesh-friendly, in any case.

It's too damn bad that software engineers are still the only people who are broadly involved in open source. I think the only way we're going to get the kind of mesh network you're talking about is a grass roots/open source effort by electrical engineers specializing in radio frequency engineering getting together and designing something for the purpose. It doesn't seem to provoke any corporate interest at all, other than negative interest.

Re:What makes DDOS hard to stop?

[kayditty]

multihoming does little to stop a basic network DoS (I really wish people would stop saying "DDoS") attack, of course. once your link switches over, you may be okay for a minute, but then once the internet starts seeing your new route, it's back to being saturated all over again. I have done this multiple times in the past. of course, multihoming doesn't even do that when your uplink is toast, not to mention your uplink's uplink. it is funny how many people on this site know absolutely nothing about the subject (I'm not talking about you) but feel qualified to discuss it. DoS is NOT something that can be easily stopped in any way whatsoever. I'd venture to say that it's impossible to ever be stopped, by nature of what the internet actually is. I have a lot more experience and knowledge on this matter than 99% of the people posting in this thread, seemingly.

as someone else mentioned, if the traffic's already reached your network, nothing else matters. you can stop a light SYN flood at your router, sure, but you can't stop a network overload. we're not talking about intercepting virus payloads. these people seem to think that a DoS attack is something that John Travolta loads onto his computer with a mini-CD, and all you have to do is keep the data from reaching your network and you're safe. it's hilarious.

You live in Tacoma Park?

[wiredog]

Or Berkeley?

so, when...

[hitmark]

are we going to see things like specifically targeted viruses designed to put a server out of commission as permanently as can be done?

poor man's slashdotting

[metageek]

DDOS attack is the poor man's slashdotting

Military Power

Im going to France then.

(i was going to post just this but lol, my CAPTCHA word is "invalids")

Government Working Hard...

[Mo0o]

You think silencing politicians is hard... Critics? Going to have to dish out a few extra bucks in taxes for Government OT.

New territory means it must be defended

[hessian]

It's inevitable that space and the internet are going to be militarized.

If I were our government, I'd use big media for military purposes: convince the youth of other countries to engage in selfish, yet self-destructive, activities.

Oh wait, someone beat me to it!

Um,..

[kabocox]

Damn. We are loosely badly to all the lawlessness adware, malware, and viruses out there. I don't really want a cyber gun per se, but I'd like to hire some one to effectively shield myself from them. Current anti-virus, anti-spyware, and anti-malware products just aren't quiet cutting it right at the moment. They are better than nothing, but I want 'em to be much more effective.

Heck, I want assassin squads sent out after the writers of adware, malware, and viruses. Let's see what happens when these cyber guys come face to face with some actual physical military force.

Freenet, Gnunet

There are systems like Freenet and Gnunet that are pretty DDOS resistant (because they were made to be censorship resistant). If only governments started to use these...

Re:Freenet, Gnunet

Lol... if the government started using these, they would become a lot less resistant to censorship

War against anybody not supporting our government

[cagrin]

I've heard recently that the police forces across all states are given documents suggesting anyone who mentions the US Constitution and espouses their rights (for example, warrantless checkpoints) are being classified as terrorists against the government. It has also mentioned the shutting down of the current internet in favour of Internet II which would be more controlled (for example, anti-government sites would not be allowed...freedom of speech anyone?). See the following for more: the Alex Jones Channel on YouTube (or infowars.com, a recent show: http://www.youtube.com/watch?v=l1Eizli66bU), http://www.freedomtofascism.com/, and for the Canadians out there... Bill Abram on the 'Crime of the Canadian Banking System' http://www.youtube.com/watch?v=O8Zl1Wax8MI

enjoy...and spread this stuff around :)

Ah...the good old days

[fataugie]

Sounds like a rehash of the mid 90's of EFnet....riding the splits.

So how long before the Pentagon loads up some eggbots, a few BitchX clients and some war scripts...

Hi Ho, Hi Ho, it's Off to War we go!

More to come

[lbhuston]

This trend will only continue as the barrier to entry continues to drop. More and more attackers become resourced enough to perform DDoS and other assaults against online security, while at the same time, the it gets easier and easier to obtain the tools, techniques and knowledge to perform the attacks. As those two curves intersect, these attacks will continue to grow. Cybercrime as a service also plays into this and generates an underground economy that can come to bear on these attacks as well. While I don't think we need to worry about any kind of cyber-war or that hype, attack frequency and gross assaults of large proportion will likely continue to grow for the foreseeable future.

When News Was News

[DynaSoar]

"Governments looking to silence critics and stymie opposition have added DDOS attacks to their censoring methods"

This was news 8 years ago when China first attacked individuals' pro-Tibet web sites. The attacks were readily traced back to their Ministry of Defense.

If it were a case of someone foisting old news as new on the knowledgeable, that would be pitiful. However, the conference where it was presented was specifically for newbies (both persons and companies) to the field. While hardly news to /. it was almost certainly news to the conference goers.

Government Intolerance

[b4upoo]

Since computers tend to be communication devices the question folds backward into another question. Can any government survive good communications among its citizens? I really doubt it. Understanding government will lead people to realize that for their individual situation the government is a negative. If you end up with any substantial percentage of a population feeling that the government is negative in their lives they will find a way to crash the government. Even 10% who are real disaffected with government will assure failure of a nation.
            Back in the Hippy movement the young understood that. Tune in, turn on, and drop out was every bit as serious as an enemy marching toward a border. Whether the hippie seeking to end the Vietnam War or the kid in the mud in Vietnam was the better patriot is open to debate. But one thing is sure. The hippies did cause that idiotic war to end. Sadly we have so many ruined lives on both sides of that war as living testimony that war is a lousy idea.

Re:War against anybody not supporting our governme

[johnjaydk]

Hmm ... a bunch of ok facts and then a giant leap to a big conspiracy theory ( It's WTO and IMF who are to blame). Come on. You can do better, even on slashdot.

The Canadian guy is a real comedian. To suggest running the printing press to cover a trade deficit. The Canadian dollar would become worthless over night. The only scandal he points out is fiscal irresponsibility. Nothing new there.

Re:War against anybody not supporting our governme

[cagrin]

The main fiscal fact in both the US and Canada is that money is being allowed to be created and controlled by the private banking interests. Governments have the right and obligation to create their own INTEREST FREE money for the continued freedom of their people. Money now is simply debt(with interest!) owed to a bank and no longer based on a hard asset such as gold or silver they simple create it on the 'books', which should ONLY be the right of the government. This at it's root is basically a scam to remove hard assets (such as land or property) from the people to the bankers (or the 'elite' if you will). For a basic (and entertaining) insight into the history of the banking system see: http://www.youtube.com/watch?v=vVkFb26u9g8

Ya you CAN shoot all drivers!

Was reading this and couldn't you just "block all" and use another connection for your traffic?

So yer being attacked by DOS (damn Windows never lets UP) and the software notices a VERY BIG increase (to be damaging enough and it knows it is) so it enables "script A" to reroute around the damage, in this case, the network line your using...

I understand you'd need a seperate lan line to send your traffic to/from and carry on as normal till it drops back down and you can use the other line.

Was thinking this would work with large servers as they have mega access but for the home user, couldn't it be as simple as cable modem as main connection, dsl for the second (seperate providers and ya, costs money but least it's 99% uptime)

Some people uptime might be more then the double internet cost. Just don't tell the DOS attackers yer NEW IP. haha. :P

(guess trying to KEEP it from them is the challenge, play nice. :D)