Beyond Firewalls — Internet Militarization

angry tapir writes "One of the discussions at the Source Boston Security Showcase has been the militarization of the Internet. Governments looking to silence critics and stymie opposition have added DDOS attacks to their censoring methods, according to Jose Nazario, senior security researcher at Arbor Networks, with international political situations spawning DDOS attacks."

Re:What makes DDOS hard to stop?

[Tuoqui]

It's pretty hard to stop because it is a outright brute force method.

1) All tubes have a limited capacity.
2) If the packet makes it to your router you've already lost. The router's memory and/or processing power is being expended to 'ignore' or 'throw away' packets coming from certain IP ranges.

Distributed makes it harder because the IP addresses do not come from any singular location so you cant just perform an IP range ban. Also the distributed part makes it more difficult to filter out 'garbage/attack' data request from legitimate traffic.

Re:What makes DDOS hard to stop?

[fuzzyfuzzyfungus]

DDOSes are easy, and hard, to stop in roughly the same way that car bombs are easy, and hard, to stop. It is pretty trivial to have a router just drop traffic from any IP range you care to specify, just as it is pretty trivial to stop an ordinary car with nothing more than light weapons. However, an even remotely competent DDOS will involve traffic from huge numbers of otherwise innocent looking systems scattered among your legitimate users, so you identifying the ones to drop is hard, just as it is hard to find the one car among thousands, and you can't just shoot all drivers.