Beyond Firewalls — Internet Militarization

angry tapir writes "One of the discussions at the Source Boston Security Showcase has been the militarization of the Internet. Governments looking to silence critics and stymie opposition have added DDOS attacks to their censoring methods, according to Jose Nazario, senior security researcher at Arbor Networks, with international political situations spawning DDOS attacks."

Re:What makes DDOS hard to stop?

[Tuoqui]

It's pretty hard to stop because it is a outright brute force method.

1) All tubes have a limited capacity.
2) If the packet makes it to your router you've already lost. The router's memory and/or processing power is being expended to 'ignore' or 'throw away' packets coming from certain IP ranges.

Distributed makes it harder because the IP addresses do not come from any singular location so you cant just perform an IP range ban. Also the distributed part makes it more difficult to filter out 'garbage/attack' data request from legitimate traffic.

Re:What makes DDOS hard to stop?

[drinkypoo]

Our TCP/IP networks were built to survive connections going down. At least if they were built cluefully, anyway.

Well, I am not a super-network-nerd, but my impression is that the reality is very different. As has been pointed out repeatedly there are a limited number of choke points which, when interrupted, disrupt large percentages of internet traffic. In addition you have to generally spend some money to get multihoming. For the home user, no big deal; you might lose your connections-in-progress but it's not likely that you'll have any other serious repercussions. So sure, a home user could back up Cable with DSL, for example, and gain all the most important benefits of multi-homing without even doing anything very complicated. But a business user needs to spend, spend, spend to multi-home. Once you're over a certain size you're going to need multiple connections anyway, so the relative cost of doing this drops considerably.

A lot of things were designed to work much better than they do due to implementation. I suggest that evolution needs to give way to revolution and the internet we know and occasionally love must give way to a somewhat more anarchic mesh-network. Honestly I see a place for both; When I want to communicate with "the system" I'll use "the internet". It is however long past time for the people of the world to just utilize technology to bypass our corporate masters and take control of our own lives.

On that note, anyone have any ideas on the cheapest possible mesh networking currently available which could scale to at least one access point for every human currently on the planet? I suspect that the carrying capacity of earth has been exceeded, at least as we are practicing life, so this is a reasonable upper bound for now. Besides, you don't actually need that many APs.

Re:What makes DDOS hard to stop?

[fuzzyfuzzyfungus]

DDOSes are easy, and hard, to stop in roughly the same way that car bombs are easy, and hard, to stop. It is pretty trivial to have a router just drop traffic from any IP range you care to specify, just as it is pretty trivial to stop an ordinary car with nothing more than light weapons. However, an even remotely competent DDOS will involve traffic from huge numbers of otherwise innocent looking systems scattered among your legitimate users, so you identifying the ones to drop is hard, just as it is hard to find the one car among thousands, and you can't just shoot all drivers.