Slashdot Mirror


Has Progress Been Made In Fighting DDoS Attacks?

alphadogg writes "As the distributed denial-of-service attacks spawned by this week's WikiLeaks events continue, network operators are discussing what progress, if any, has been made over the past decade to detect and thwart DoS attacks. Participants in the North American Network Operators Group (NANOG) e-mail reflector are debating whether any headway has been made heading off DDoS attacks in 10 years. The discussion is occurring while WikiLeaks deals with DDoS attacks after leaking sensitive government information, and sympathizers launch attacks against MasterCard, Visa, PayPal and other significant e-commerce sites."

206 comments

  1. What is Anonymous? by Anonymous Coward · · Score: 0, Funny

    A miserable pile of dead bodies in a hidden mass grave -but enough of that, have at you!

    1. Re:What is Anonymous? by __aatirs3925 · · Score: 0

      How dare you call my pile of dead bodies miserable you insensitive clod!

    2. Re:What is Anonymous? by Anonymous Coward · · Score: 1

      A miserable pile of dead bodies in a hidden mass grave -but enough of that, have at you!

      Your words are as empty as your karma! The interweb ill needs a savior such as you!

    3. Re:What is Anonymous? by GrumblyStuff · · Score: 1

      Well, next time stack them all neat and tidy!

    4. Re:What is Anonymous? by Dan541 · · Score: 1

      I keep all mine in barrels. They are easier to label and archive that way.

      --
      An SQL query goes to a bar, walks up to a table and asks, "Mind if I join you?"
    5. Re:What is Anonymous? by Anonymous Coward · · Score: 0

      Barrels are too difficult to stack. They tend to roll over when using large amounts. I use boxes and label them with QR codes so my legion of Arduino based ant-like robots can fetch the correct one for me.

  2. This reminds me of WW 1 by Fluffeh · · Score: 4, Interesting

    How a large chain of treaties, relationships and friends slowly spiraled downwards through a set of "Hey, you said you would help if..." into basically a war of people who weren't even remotely connected to the original event (assassination of a prince from memory) and general chaos for quite a while.

    Amazon, Paypal, Visa certainly weren't connected to WL in any way prior to this, but have shown relationships and friends, and of course this means that friends to WL have now escalated the parties. I do wonder where it will all end.

    --
    Moved to http://soylentnews.org/. You are invited to join us too!
    1. Re:This reminds me of WW 1 by Hortensia+Patel · · Score: 4, Insightful

      assassination of a prince from memory

      An Archduke, if you want to be picky. But nice analogy nonetheless. Like WW1, I think this is a fight that's been waiting to happen for a while now. Like WW1, the specifics of the flashpoint incident are largely irrelevant.

      Unlike WW1, the two sides seem far from evenly matched this time. My gut says the pro-WikiLeaks side will get tired and give up; there's nobody paying them to keep going, and that matters in the long haul. I'd love to be proved wrong, though.

    2. Re:This reminds me of WW 1 by Mashiki · · Score: 1

      The main reason that WWI started though was because the doctrine of mobilization still existed.

      --
      Om, nomnomnom...
    3. Re:This reminds me of WW 1 by dsanfte · · Score: 1

      Each side figured if they could amass a significant enough alliance, the other side would capitulate, making any battle short and largely symbolic. It was a whole lot of blustering and brinksmanship, but reputation meant so much that by the time things came to a head, they had to fight, nobody could stand to lose face. Thirteen million dead because nobody would call uncle.

      --
      occultae nullus est respectus musicae - originally a Greek proverb
    4. Re:This reminds me of WW 1 by Fluffeh · · Score: 3, Interesting

      The main reason that WWI started though was because the doctrine of mobilization still existed.

      Yes, a spark set off a large chain of events. Sort of like a company refusing to deal with a website due to pressure and is now under a continued DDoS? Say what you like, WL has caused pretty much everyone to take a side in this ongoing and developing scenario. If that isn't the first steps to mobilization in a digital world I don't know what is.

      --
      Moved to http://soylentnews.org/. You are invited to join us too!
    5. Re:This reminds me of WW 1 by Anonymous Coward · · Score: 0

      "The original event" - that's a good way of phrasing it. The assassination of that guy was the drop that caused the bucket to overflow, but if it hadn't been this, it would've been something else. WW1 didn't happen because of that assassination.

      As such, I think this isn't actually the same situation at all, either. It's not as if there was a conflict between 4chan and Mastercard etc. waiting to erupt.

    6. Re:This reminds me of WW 1 by Anonymous Coward · · Score: 0

      Calling things like that a "conflict" is the first step in cybermilitarization.

    7. Re:This reminds me of WW 1 by poetmatt · · Score: 2, Insightful

      uh, there is no such thing as the victims being outmatched on this.

      this is roughly back to basics all over again - the people who are DDOS'ing don't need a central command location - that is easily mirrored anywhere in the world.

      the people who are defending however, do need a centralized location.

      meanwhile, calling this war, is just a blatant lack of understanding - this is more of a political statement than an act of aggression - it is not harmless, but that is not the focus here.

      If this were a war, it would be more about sneaking viruses onto servers and malware and things like that.

    8. Re:This reminds me of WW 1 by jhoegl · · Score: 4, Interesting

      Escalation is only a matter of time.
      If these groups do continue to attack, then they will escalate because DDoS won't work.
      The war on freedom on the internet has been escalating for some time now. I believe the recent events such as the DNS hijacking of torrent sites, the restrictions on Netflix network by Comcast, and DDoS attacks on wikileaks are possibly the tipping point. It's not that they all weren't expected, but it is a lot to deal with within a few weeks. The internet we had is slipping away thanks to corporate greed and no one listening to the issues people have been talking about for years.
      I say fight on, for it is important.

    9. Re:This reminds me of WW 1 by similar_name · · Score: 1

      The main reason that WWI started though was because the doctrine of mobilization still existed.

      The TOS for my cellular service is not a good sign.

    10. Re:This reminds me of WW 1 by Anonymous Coward · · Score: 5, Insightful

      I worry that WL is the "cyber 9/11" that people in the IT industry have been dreading since the 1990s.

      Here in the US, we have Congresspeople who have been obviously Internet hostile. One of which was one of the reasons Zimmermann made PGP because strong cryptography came perilously close to being made illegal in the early 1990s. And the people still keep trying -- the mid 1990s brought with it the CDA where cursing on the Internet could mean a prison sentence (which took a fight to the Supreme Court to get that overthrown.) Of course, every few years, we have a bill like the INDUCE act, COICA, and many other Internet-hostile acts. Looming over our heads is ACTA which is still in the "make as extreme as possible, then 'compromise'" stage.

      The people wanting these laws (likely the same people who want a DRM chip in every single computing peripheral and computer) would score a coup like no other should Congress check their heads in at the door and blindly rubber stamp "anti-cyber-terrorism" laws (like they did with the USAPATRIOT act.) Their long term goal is more revenue streams, and DRM and locked-down operating systems help that greatly.

      The result of the lawmaking: iPad-like lockdown on the desktop, NAC on upstream routers that would detect jailbroken hardware and permanently ban machines by IMEI or other identifying ID (think XBL bans for modchipped firmware), all browsing and usage history transmitted to LEOs and ad agencies in real time (with no way of saying "no" to it), forcing people to have a "license" to browse the Internet (and the onus on victims of ID theft to prove otherwise so their access can be regained), and a return to the days where there were no open source alternatives -- either pay someone for a tool (such as a compiler), or do without. To enforce this, machines would have an active DRM chip with its own IP stack and method of automatically downloading new definitions/patches, then randomly freezing and scanning the memory space looking for suspected items. Machines would also have an antivirus utility that would run in protected space to look for signatures of music or video files, then phone home about it, leading to the user either permanently losing net access, or actually getting raided and the equipment seized via civil means (similar to how cars are seized due to drug charges.)

      Ironically, Joe Sixpack wouldn't care, until he has to pay money per play of his favorite Ke$ha song.

      Yes, this sounds like a dystopian fantasy, but the technology is there (CISCO's NAC, active DRM chips [1], XBL bans, Internet IDs in Korea and China, just a few companies providing Internet service, large wholesale moves of the population from "open" devices like Netbooks to closed/locked down platforms [2] like the iPad, a wholesale move by Microsoft and Apple to application stores on the desktop.) If given enough impetus, one can see companies connecting the dots and going a good way in locking down the Internet. Of course, it wouldn't be 100%, but it can be effective. Especially if people's software investments are tied down to a user account (Steam, Apple Store, Google's App Store), and they could easily lose access to all their purchased software in an instant should piracy be suspected. This could be compared to Valve's Anti-Cheat where access can be taken away to all multiplayer games in an instant with no recourse [3], except with all other software that one purchases, perhaps even the license for the OS itself.

      Of course, the world != the US. It would obviously cause an exodus of talent from the US to elsewhere (such as during the 1990s where all the cryptographic R&D moved from the US to Russia and Israel during the times when exporting a DES routine had the same criminal penalty as selling a nuke.)

      I don't want to sound like a doomsayer, but there are a lot of well-heeled people and organizations who would love to see the Internet return to being a Compuserve with complete control of who accesses what, how many fees can be attached, dissidents bei

    11. Re:This reminds me of WW 1 by SupremoMan · · Score: 1

      One sided wars are better than evenly matched wars by far. Better in terms of casualties anyway. Though if your goal is population control, evenly matched conflict will thin the herd quite a bit.

    12. Re:This reminds me of WW 1 by Anonymous Coward · · Score: 0

      the DNS hijacking of torrent sites

      It was 1 torrent site. And is only possible under the com/net/org/us/gov/mil TLDs. Duh.

      the restrictions on Netflix network by Comcast

      Which had fuck all to do with Netflix.

      and DDoS attacks on wikileaks

      Perpetrated by whom?

    13. Re:This reminds me of WW 1 by rtb61 · · Score: 1

      No central command is required, all that needs to happen, is the type of hardware that can directly connect to the internet needs to be defined. So instead of a modem, a firewall router that can detect DDosing and block it whether incoming or more importantly outgoing. So if a bot attempts to join a DDos attack it is blocked at its connection. Also it will do a lot more to protect all poorly configured and administered computers out there on the internet. A global treaty, as distributed protection always works much better than central and with many brands of firewall routers, attack is made far more complicated (plus most of them already run Linux sure to PO M$).

      --
      Chaos - everything, everywhere, everywhen
    14. Re:This reminds me of WW 1 by jc42 · · Score: 3, Informative

      Amazon, Paypal, Visa certainly weren't connected to WL in any way prior to this, but have shown relationships and friends, and of course this means that friends to WL have now escalated the parties.

      Hmm ... It sounds like you're saying that wikileaks was the source of the DDoSs at Amazon, Paypal and Visa. Do we have any evidence for this? The reporting I've seen implies that it was "supporters of wikileaks", not WL themselves. From what little I know of their record, I'd think this wouldn't be their preferred tactic, since it would sorta amount to "shooting yourself in the foot", as the old metaphor goes.

      (But I can imagine Julian & Co. quietly cheering the DDoSers on in private, as did a lot of us. ;-)

      --
      Those who do study history are doomed to stand helplessly by while everyone else repeats it.
    15. Re:This reminds me of WW 1 by Anonymous Coward · · Score: 0

      Perhaps one day there will be no secrets!

    16. Re:This reminds me of WW 1 by Saint+Stephen · · Score: 0, Flamebait

      Oddly enough, the duke was assassinated by an Anarchist, who had been doing this kind of thing a lot since the 1840s. Read about the LONG history of anarchism in Europe to gain some insight into how unremarkable (and stupid) the acts of Wikileaks and the WTO protesters are. Long since discredited - except by the young

    17. Re:This reminds me of WW 1 by Saint+Stephen · · Score: 1

      From wiki...

      The anti-authoritarian sections of the First International were the precursors of the anarcho-syndicalists, seeking to "replace the privilege and authority of the State" with the "free and spontaneous organization of labor."

    18. Re:This reminds me of WW 1 by jc42 · · Score: 4, Insightful

      Perhaps we should be pointing out that the problem here is the DDoSers, not their victims. And, more generally, the problem is that we are developing organizations that see it to their advantage to interfere with Internet traffic. Some of the organizations are political in nature, as with the wikileaks/amazon/etc snafu. Some are economic, as with the "traffic shaping" done by the Internet's supporting corporations for their own monetary gain and to damage competitors. Some are religious, as in the filtering done to block heretical and other indecent material by national chokepoint-type gateways.

      All of these are the same threat to the rest of us: They are trying to limit our access to information that they don't want us to see. The best approach is to take an "agnostic" approach to their motives, ignore whether they're political or economic or religious, and just emphasize that we don't want them benefitting by controlling and limiting our access to information.

      That Knowledge is Power is an old observation. These people all want power over us by limiting our access to information. Many of them have had such power in the past, and are now upset that their power is decreased by this newfangled "Internet" thing. This is, of course, part of why we built the Internet. The important thing is to prevent this control of information from being reestablished by anyone. We don't care how noble their motives are; we just want to make sure that they can't control what we are allowed to learn.

      --
      Those who do study history are doomed to stand helplessly by while everyone else repeats it.
    19. Re:This reminds me of WW 1 by Motard · · Score: 2

      From Band of Brothers....

      While walking through the woods in Part 9, "Why We Fight" before stumbling upon the Landsberg Concentration Camp.

      Frank Perconte: Hey Luz, this forest kinda reminds me of Bastogne.

      George Luz: It does huh? Well, except for the fact that there's no snow, we got warm food in our bellies, and trees aren't exploding all around us,... but yeah Frank, it looks a little like Bastogne. -- Smack him for me Bull.

      "Bull" Randleman, walking behind, then proceeds to slap Perconte on the back of his helmet.

    20. Re:This reminds me of WW 1 by Fluffeh · · Score: 2

      Hmm ... It sounds like you're saying that wikileaks was the source of the DDoSs at Amazon, Paypal and Visa.

      Source? Not at all. Cause? Yup.

      To use another analogy. A small kid at a school is getting picked on by a bunch of other kids. His friends step in and try to set things right. Is it the small kid's fault that his friends got into an altercation? No. Is he the cause of it? Yes. Indirectly, he is the cause of the other kids jumping in to save his bacon.

      I totally agree with you that WL would be utterly stupid if they a) did anything like this or b) officially supported it - but I also agree with you that behind closed doors, there is likely a few glasses being clinked with smiles on faces when this is mentioned.

      --
      Moved to http://soylentnews.org/. You are invited to join us too!
    21. Re:This reminds me of WW 1 by oliverthered · · Score: 0

      haven't you read the bible?
      god is unchanging: the only thing unchanging is the truth.
      the truth is always right,
      the truth is always righteous,
      if you have good reason then you are innocent.
      the innocent, the lamb.
      god is love ergo the truth is love.

      let no man buy nor sell lest he have the mark of the beast.

      --
      thank God the internet isn't a human right.
    22. Re:This reminds me of WW 1 by Anonymous+Brave+Guy · · Score: 4, Insightful

      I do wonder where it will all end.

      That one is fairly easy, actually.

      First, a significant number of those who have been involved in the recent DDoS mess will be hunted down and thrown to the wolves as examples. It won't be the guys who set it up, who are hiding behind their anonymising proxies and not actually taking part in the DDoS attacks personally. A lot of young troublemakers/curious geeks* will suffer for playing along.

      (* Delete as applicable)

      Over the coming months and years, increasingly draconian lock-down of the Internet will follow. Wikileaks have helpfully provided the politically credible stick that major governments such as the US have been dying for to impose this on an international scale, and the end result of Wikileaks and its "supporters" acting like children will be the world's major governments treating us all like children and thus making things worse for everyone. It will be like all the security theatre (with the occasional genuine measure going by almost unnoticed) imposed after events like 9/11, because you can do anything as long as you're "fighting terrorism" now.

      One consolation we have is that most of the government measures will in practice probably be miscalculated and ineffective because they will be politically driven rather than planned and implemented by people with actual clue about computer security, which means they will hit stumbling blocks when serious money and/or international concessions are required to implement them. However, those who just want to continue using the Internet freely and responsibly will probably still have to live under the perpetual threat of coming up as a false positive on the wrong government agency's or ISP's automated system and being messed around as a result, even though they have done nothing wrong according to the new laws. Naturally, the most likely candidates for such treatment will be those in minorities, such as people who don't just run $DOMINANT_PLATFORM on the $FORTUNE_500_VENDOR hardware they bought from $MAJOR_NATIONAL_STORE_CHAIN.

      Finally, the one thing that will almost certainly be seriously compromised is on-line anonymity. This will no doubt still be achievable but probably only with a much more serious level of skill and understanding than most script kiddies ever have. Whether this is a good thing or not is open to debate: about the only worthwhile information we have learned from the Wikileaks fiasco is that the actions of both sides stink to a significant extent but neither side is really as bad as the other makes out. Most people going about their daily lives seem to be getting bored of the whole affair already. The media here in the UK certainly are.

      --
      If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
    23. Re:This reminds me of WW 1 by MobyDisk · · Score: 1, Informative

      This came up in the other Slashdot discussions and I am compelled to post it here too since this misinformation seems to have stuck. Comcast did not put any restrictions on Netflix. Comcast and Level 3 communications (who happens to host Netflix) had a peering agreement, which Level 3 violated. It has nothing to do with freedom, or network neutrality, or Netflix.

    24. Re:This reminds me of WW 1 by The+End+Of+Days · · Score: 2

      Haven't you read Stranger in a Strange Land? It's equally (in)applicable, but it's a much better story.

    25. Re:This reminds me of WW 1 by oliverthered · · Score: 0

      well, seeing society is based on an adoption of the bible by the church, and then government, as a means of controlling the populace.

      I think the original source of western government is very applicable.

      --
      thank God the internet isn't a human right.
    26. Re:This reminds me of WW 1 by sciurus0 · · Score: 4, Informative

      Comcast and Level 3 communications (who happens to host Netflix) had a peering agreement, which Level 3 violated.

      That description of the Comcast and Level 3 dispute is too simplified. You might find two articles informative.

    27. Re:This reminds me of WW 1 by oliverthered · · Score: 0, Offtopic

      look at the bible as such,
      an attempt at social revolution, and the overthrow of those in power.

      god is a metaphor, though some would personify it as a mode of misdirection and a method to overpower you with the will of a false god.

      --
      thank God the internet isn't a human right.
    28. Re:This reminds me of WW 1 by icebike · · Score: 0

      Perhaps we should be pointing out that the problem here is the DDoSers, not their victims.

      And since the DDosers are the problem the fight should be taken closer to them, rather than starting at the target and working backwards. (Avoid fighting on your own turf, take the battle to the attacker's back yard).

      It's like we need a DNS system for attack (load) management, where a site could simply broadcast that they are under heavy load (whether it is an actual attack or simply a slashdotting), and routers all over the net would stop sending repetitive traffic their way.

      When backbone carriers get this notification they immediately start filtering sustained packet streams. Additionally they send the warning to each of their pairing partners, and ISPs for which they are an upstream.

      If the carriers insisted that each of their subscriber ISPs established and use such system to heed load warnings and start automatically filtering repetitive traffic for those sites the system would pretty much manage high sustained attacks.

      So you need something where joe sixpack sitting on his compromised computer reading his email would not have to even be aware that the ping flood running in the background was being killed off by his ISP. (I'm sure the DDOS attacks are more sophisticated than a ping flood, but the point stands. Sustained non-productive traffic can be distinguished from a web hit, or email check or gaming activity).

      We use DNS like systems for spam signature detection, surely we can find a way to do it for routing of sustained high-load traffic.

      --
      Sig Battery depleted. Reverting to safe mode.
    29. Re:This reminds me of WW 1 by icebike · · Score: 1

      Exactly.

      I posted something similar above.

      The process of detecting what might be a DDOS would trigger an arms race. I therefore suggested that any sustained non productive traffic to a site that ADVERTISES that it is under severe load (attack) would be filtered as close to the keyboard as possible.

      Doesn't have to be on the customer's premises, but certainly at the ISP.

      Any sustained repetitive traffic to addresses on the advertised list get a second look, or a throttling or something.

      If done at EACH level (ISP, Upstream ISP, Carrier, etc) and if there were a method of severe load advertising, DDOS attacks would get flattened quickly.

       

      --
      Sig Battery depleted. Reverting to safe mode.
    30. Re:This reminds me of WW 1 by cheater512 · · Score: 1

      Your post seems to indicate a fundamental lack of understanding how routing works. And what DNS does for that matter too.

      Oh and even if your DNS DDoS prevention technique worked, you'd just DDoS the DNS server and the site would go down anyway.

    31. Re:This reminds me of WW 1 by matthiasvegh · · Score: 3, Insightful

      This however, is against all network neutrality stands for. Don't. Touch. My. Traffic.

    32. Re:This reminds me of WW 1 by The+End+Of+Days · · Score: 3, Informative

      Deliberately harming the network is far from neutral, and arguing it should be allowed in the name of freedom isn't going to win you any adherents over the mental age of 14.

    33. Re:This reminds me of WW 1 by icebike · · Score: 1

      On the contrary, it might be I know a thing or three about DNS that you haven't figured out.

      There are several examples already in existence of using slightly modified DNS servers for a totally different purpose.

      After all, DNS is nothing but a lookup engine and a very fast one at that.

      One of the spamassassin plugins of a few years back was called URIBL which used a basic dns engine to look up links sent via email to help determine if the email was spam. It basically did a DNS hit on any URI using custom DNS servers which returned a specific ip indicating the probability that the URI is spam. Similar technology is used by Cloudmark on a customized hash of suspected spam content.

      The point is the DNS lookup engine is a very quick way to get an IP (or anything else) given a specific input.

      Since it need not be done in-line it would not slow down traffic or mess with any DNS servers.

      The router simply notices a lot of one way traffic to a specific IP from one or more IPs behind it, and sends a request to the customized query engine. That engine returns a status that the target has advertised itself to be under attack. The router then starts throttling that traffic.

      I speculated that such a query engine could be more quickly built out of DNS technology in order to avoid re-inventing the wheel, simply because it is ubiquitous and well understood.

      So, none of your dire predictions would come to pass, because checking IPs for presence in the "Under attack" database would a) not need to be done in real time, and b) have nothing at all to do with the existing DNS service.

      --
      Sig Battery depleted. Reverting to safe mode.
    34. Re:This reminds me of WW 1 by icebike · · Score: 1

      I'm not sure any rational adherent of network neutrality espouses the freedom to use the net as a weapon of attack.

      You've already violated your terms of service once you launch such an attack. So you've already agreed that such actions on your part are sufficient to kill off your traffic.

      If you happen to be a clueless pwned windows user, only the backdoor running on your box would have its traffic blocked, and even then, only when it was participating in a DDOS against a site that advertised that it was under attack.

      I just don't see the problem here.

      --
      Sig Battery depleted. Reverting to safe mode.
    35. Re:This reminds me of WW 1 by afxgrin · · Score: 4, Informative

      Uh - doesn't sound like anarchists to me, these guys sounded pretty hell bent on Serbian nationalism in my opinion. Anarchism =/= Nationalism. And really, since when did showing opposition to financial institutions that really seem to be only serving themselves become such a bad thing? The powerful and wealthy are creating laws to basically benefit themselves, creating as many layers of protection from those that would dare show a physical presence on the street. The giant bailout packages, the fancy police toys, the UAVs, the billion dollar trade summits, the snatch-and-grabs of political dissidents, demonstrate exactly how the gravy train works.

      "Black Hand was founded on the 6 September 1901."

      Oh wait you wrote "an anarchist", as in, the assassin himself: Princip wasn't even born until 1894.

      What was the point you were trying to make again? That you haven't read the long history of European anarchism?

    36. Re:This reminds me of WW 1 by totally+bogus+dude · · Score: 4, Insightful

      But how would throttling the repetitive requests help? The whole point of DDoS attacks is that the attack requests aren't trivially distinguishable from legitimate traffic the site wants to serve. (For naive attacks they probably are; but in an arms race, the requests will just be modified to be harder/impossible to distinguish from real sessions). If the routers start throttling all traffic to the site under attack then it can no longer serve legitimate requests. Mission accomplished: service denied!

      An additional problem is that this requires companies to invest resources to protect other people's networks.
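
An added illustration (not part of the thread, and not code from any poster or project) of the lookup-and-throttle scheme icebike describes above; the second sample flow shows the limit totally bogus dude raises, since session-shaped traffic never reaches the lookup. The zone name `underload.example`, the `127.0.0.2` status code, the thresholds and every flow record are assumptions constructed for this sketch.

```python
import ipaddress
import time
from dataclasses import dataclass

ADVISORY_ZONE = "underload.example"  # hypothetical zone, not a real service
STATUS_UNDER_LOAD = 2     # assumed: answer 127.0.0.2 = "target advertises heavy load"
RATE_THRESHOLD_PPS = 200.0  # assumed tuning values
REPLY_RATIO_MIN = 0.05      # replies/requests below this counts as "one-way"
CACHE_TTL_S = 30.0

# Constructed zone contents: 203.0.113.10 has advertised that it is under load.
CONSTRUCTED_ZONE = {"10.113.0.203.underload.example": "127.0.0.2"}


def query_name(target_ip, zone=ADVISORY_ZONE):
    """Reverse the octets and append the zone, the way DNS blocklists are queried."""
    octets = str(ipaddress.IPv4Address(target_ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def lookup_status(target_ip, resolver=CONSTRUCTED_ZONE.get):
    """Return the advertised status code for target_ip, or None if not listed."""
    answer = resolver(query_name(target_ip))
    if answer is None:
        return None  # equivalent of NXDOMAIN
    addr = ipaddress.IPv4Address(answer)
    # Only loopback-range answers are list codes; anything else (for example
    # a resolver that rewrites NXDOMAIN to a landing page) is ignored.
    if addr not in ipaddress.IPv4Network("127.0.0.0/8"):
        return None
    return int(addr) & 0xFF


class AdvisoryCache:
    """Caches answers so the lookup stays off the forwarding path."""

    def __init__(self, resolver=CONSTRUCTED_ZONE.get, clock=time.monotonic):
        self._resolver = resolver
        self._clock = clock
        self._entries = {}  # dst -> (expires_at, status)
        self.lookups = 0    # number of queries actually sent

    def status(self, dst):
        now = self._clock()
        hit = self._entries.get(dst)
        if hit and hit[0] > now:
            return hit[1]
        self.lookups += 1
        status = lookup_status(dst, self._resolver)
        self._entries[dst] = (now + CACHE_TTL_S, status)
        return status


@dataclass
class Flow:
    src: str
    dst: str
    pkts_out: int    # subscriber -> target during the window
    pkts_in: int     # target -> subscriber during the window
    window_s: float


def decide(flow, cache):
    """Return "throttle" only for sustained one-way traffic to a listed target."""
    rate = flow.pkts_out / flow.window_s
    one_way = flow.pkts_in < flow.pkts_out * REPLY_RATIO_MIN
    if rate < RATE_THRESHOLD_PPS or not one_way:
        # Looks like an ordinary session. These counters cannot tell a real
        # visitor from automated traffic shaped like one, so it is forwarded.
        return "forward"
    if cache.status(flow.dst) == STATUS_UNDER_LOAD:
        return "throttle"
    return "forward"


# Constructed sample flows (documentation address ranges).
SAMPLE_FLOWS = [
    Flow("198.51.100.7", "203.0.113.10", 60000, 50, 60.0),  # sustained, one-way, listed
    Flow("198.51.100.8", "203.0.113.10", 300, 280, 60.0),   # session-shaped, listed
    Flow("198.51.100.9", "192.0.2.55", 60000, 10, 60.0),    # sustained, target not listed
]

if __name__ == "__main__":
    cache = AdvisoryCache()
    for f in SAMPLE_FLOWS:
        print(f.src, "->", f.dst, decide(f, cache))
    print("advisory queries sent:", cache.lookups)
```
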

    37. Re:This reminds me of WW 1 by somersault · · Score: 2

      only possible under the com/net/org/us/gov/mil TLDs

      Whew, so not many sites, and nothing that important then?

      --
      which is totally what she said
    38. Re:This reminds me of WW 1 by somersault · · Score: 1

      Yeah, with a large botnet it would be pretty hard to tell what is legitimate traffic and what isn't.

      I think the priority concern should be stopping these botnets being created in the first place. At least then if an organisation wants to DDoS a site, they have to do it with their own resources, which would be difficult and expensive.

      --
      which is totally what she said
    39. Re:This reminds me of WW 1 by zippthorne · · Score: 4, Informative

      god is unchanging: the only thing unchanging is the truth.

      I've said this about 1984, but it's equally applicable here: Please read the Bible before making comments about the Bible.

      Or at least, failing that, read the Torah, which is included as the first few books of the bible.

      Or at least, the first book of the bible.

      Or at least, the first sixth of the first book of the bible.

      That being said, "Noah."

      --
      Can you be Even More Awesome?!
    40. Re:This reminds me of WW 1 by Yvanhoe · · Score: 1

      The Botnet Era (tm) has been brought to you by the Microsoft (tm) corporation. Glad you enjoyed it. Good luck escaping it.

      --
      The Wise adapts himself to the world. The Fool adapts the world to himself. Therefore, all progress depends on the Fool.
    41. Re:This reminds me of WW 1 by Feinu · · Score: 1

      Source? Not at all. Cause? Yup.

      Wikileaks is undeniably in the chain of events that led to the "revenge" DDoSs. However, claiming that they "caused" the attacks implies that they are partly responsible, which I don't feel is accurate.

      Summarised chain of events: Wikileaks releases big leak > governments complain > Amazon, Paypal, Visa terminate Wikileaks's service; Wikileaks gets DDoSed > sympathetic third parties DDoS Amazon, Paypal and Visa.

      That's quite a few steps to imply causation. To use a car analogy, it would be the equivalent of claiming that one traffic light's timing caused an accident three intersections down the road.

    42. Re:This reminds me of WW 1 by afxgrin · · Score: 1

      Most of those search results are quite weak as a response. Many say Anarchist/Nationalist - which is just hilarious. They're basically equating nihilist Nationalists to Anarchists by those statements. Which yes, at the time, many Nationalist leaders - Mussolini for one - were once anarchists. It was quite clear these guys were nationalists, everyone else cites them as that - except for the first search result - which is a slide presentation that makes the claim they were anarchists, without a citation.

    43. Re:This reminds me of WW 1 by daid303 · · Score: 1

      It won't be the guys who set it up, who are hiding behind their anonymising proxies and not actually taking part in the DDoS attacks personally.

      The Dutch hacker that organized the attack on the Dutch police site got caught Saturday. They released him today, but he could face up to 6 years in prison.
      Apparently he didn't want to hide the fact that he did it, he is only 19 so I don't think he knew he could end up in prison for that long.

    44. Re:This reminds me of WW 1 by drinkypoo · · Score: 1

      To use another analogy. A small kid at a school is getting picked on by a bunch of other kids. His friends step in and try to set things right. Is it the small kid's fault that his friends got into an altercation? No. Is he the cause of it? Yes. Indirectly, he is the cause of the other kids jumping in to save his bacon.

      Congratulations asshole, you just blamed bullying on the victim.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    45. Re:This reminds me of WW 1 by Anonymous Coward · · Score: 0

      That might seem reasonable at first, but don't you rather think it's the bullies that cause the friend to have to step in and set things right? I, for one, don't think it is reasonable to point to the victims of bullying and say "it's his fault". If there's blame to be distributed, the bullies should get their share of it - and "their share" is usually all of it.

    46. Re:This reminds me of WW 1 by LordLimecat · · Score: 2

      A DDoS against a webserver ISN'T detectable, because it technically IS legitimate traffic. You're generally not going to spam garbage down the connection if it's just going to get blocked at the firewall; far better to send legitimate requests, but never listen for an answer, or spoof the address-- thus, 1 byte of request gets 1 byte (or more!) of response, PLUS the server has to process the request.

      The thing is that a properly done DDoS is generally NOT going to be detectable by simply looking at the traffic sent, and once it's arrived it's already done the damage.

    47. Re:This reminds me of WW 1 by Quiet_Desperation · · Score: 1

      A small kid at a school is getting picked on by a bunch of other kids. His friends step in and try to set things right. Is it the small kid's fault that his friends got into an altercation? No. Is he the cause of it? Yes. Indirectly, he is the cause of the other kids jumping in to save his bacon.

      The prime mover here is still the bullies. No bullies, no problem.

    48. Re:This reminds me of WW 1 by Saint+Stephen · · Score: 1

      I'll see if I can find a reference to the book I read. There were lots of similar assassination attempts in the late 1800s by anarchists. It all came out of some book they all liked....

      "The common man killing the king" was some romantic notion all these guys had. At the same time, there were other things going on... It was a regular history book...

    49. Re:This reminds me of WW 1 by Saint+Stephen · · Score: 1
    50. Re:This reminds me of WW 1 by Saint+Stephen · · Score: 1

      The mods here on Slashthink never start to amaze me. The kind of knee-jerk groupthink that is represented by "Anonymous" is uniformly represented by the (predominantly young) people here. It so much reinforces what I said in the GP comment. "NO! The idea that an anarchist had anything to do with WW1, is laughable! We must beat all such facts into the ground with our mods!"

      I'm really glad that this "pervasive nastiness of thought" so prevalent on the internet is getting the broad light of day in the wider world.

    51. Re:This reminds me of WW 1 by DavidTC · · Score: 1

      Spoofing addresses should not be allowed. Networks should not let packets with source addresses outside their network on the internet in the first place.

      --
      If corporations are people, aren't stockholders guilty of slavery?
    52. Re:This reminds me of WW 1 by Anonymous Coward · · Score: 0

      No, just that it's hardly a representative of "the internet" which the US does not under any objective analysis control. This isn't exactly novel; I remember the US control of those TLDs being commonly mentioned back in 1994. In fact, this is a prime example of the internet working as designed. Thank all the shortsighted morons for registering their domains under US jurisdiction.

    53. Re:This reminds me of WW 1 by definate · · Score: 1

      Also, you have to accept the request, to know it's repetitive and then throttle it.

      Also, throttling would require routers further out for you to do the work, or for you to set up a really expensive decentralized network (like Google).

      --
      This is my footer. There are many like it, but this one is mine.
    54. Re:This reminds me of WW 1 by flyingsquid · · Score: 1

      There's also a certain irony in saying that you're fighting for freedom of speech by shutting down other people's communications.

    55. Re:This reminds me of WW 1 by Anonymous Coward · · Score: 0

      So are you the person who gets to define what non-productive traffic is?

      A root DNS server's "productive" traffic is much different than a website, an IRC server, your home PC, a router, et cetera.
      Hell, speedtest.net's testing sites would also be different.

      Good luck with that.

    56. Re:This reminds me of WW 1 by icebike · · Score: 1

      I seriously doubt speedtest.net or root dns servers would report themselves under attack. My hare-brained scheme only kicks in if a site reports traffic loads they can't handle, or attacks.

      As for non-productive traffic, DDOSers go out of their way to make sure no traffic returns. (As it cuts their available DOSing bandwidth). There are ways to detect this.

      --
      Sig Battery depleted. Reverting to safe mode.
    57. Re:This reminds me of WW 1 by icebike · · Score: 1

      But how many of these 16year old kids are doing "properly done DDoS" attacks? (never mind the oxymoron implicit in the quotations.)

      Most DOSers don't want a return. Most go out of their way to be sure there won't be a return.

      --
      Sig Battery depleted. Reverting to safe mode.
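Added example, not part of any comment in this thread: one way to test for the "no traffic returns" pattern that comments 46, 56 and 57 argue about, run over constructed connection records. The record format, thresholds and function names are assumptions made for this illustration.

```python
from collections import defaultdict

VALID_STATES = ("HALF_OPEN", "ESTABLISHED")


def build_sample():
    """Constructed records: '<source> <state> <response bytes the client acknowledged>'."""
    lines = []
    # Ordinary visitor: few connections, every handshake completes.
    lines += ["192.0.2.10 ESTABLISHED 48213"] * 4
    # Source whose attempts almost never complete and that reads almost nothing back.
    lines += ["198.51.100.23 HALF_OPEN 0"] * 45
    lines += ["198.51.100.23 ESTABLISHED 900"] * 5
    # Source sending well-formed requests at volume and reading every response.
    lines += ["203.0.113.77 ESTABLISHED 51200"] * 60
    return lines


def summarize(lines):
    """Return {source: (attempts, completed_handshakes, acked_bytes)}."""
    totals = defaultdict(lambda: [0, 0, 0])
    for line in lines:
        parts = line.split()
        if len(parts) != 3 or parts[1] not in VALID_STATES or not parts[2].isdigit():
            continue  # skip malformed records instead of guessing
        src, state, acked = parts
        entry = totals[src]
        entry[0] += 1
        if state == "ESTABLISHED":
            entry[1] += 1
        entry[2] += int(acked)
    return {src: tuple(values) for src, values in totals.items()}


def flag_one_way_sources(lines, min_attempts=20, max_completion=0.2):
    """Flag sources with many attempts of which at most max_completion ever complete."""
    flagged = []
    for src, (attempts, completed, _acked) in summarize(lines).items():
        if attempts >= min_attempts and completed / attempts <= max_completion:
            flagged.append(src)
    return sorted(flagged)


if __name__ == "__main__":
    sample = build_sample()
    for src, stats in sorted(summarize(sample).items()):
        print(src, stats)
    print("flagged:", flag_one_way_sources(sample))
```

The heuristic flags only the source that never takes its responses; the high-volume source that completes every request passes unflagged, which is the limitation comment 46 describes.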
    58. Re:This reminds me of WW 1 by icebike · · Score: 1

      Exactly.

      Yet this happens all the time.

      --
      Sig Battery depleted. Reverting to safe mode.
    59. Re:This reminds me of WW 1 by ogl_codemonkey · · Score: 1

      But the concept is still flawed - implementing this would just create another way to take somebody offline by convincing their router, their ISP's router, etc. that they are participating in a DDoS, and let their own system do the work for you.

      It's also assuming that the ISPs and carriers themselves care about the ethics of the traffic they carry at least as much as their customers do; which is plainly false in many cases.

      The point is that there is no public, dynamic system yet conceived to implement such behaviour that would not be subject to some layer of 'trusted' input being misused.

    60. Re:This reminds me of WW 1 by jc42 · · Score: 1

      A small kid at a school is getting picked on by a bunch of other kids. His friends step in and try to set things right. Is it the small kid's fault that his friends got into an altercation? No. Is he the cause of it? Yes. Indirectly, he is the cause of the other kids jumping in to save his bacon.

      The prime mover here is still the bullies. No bullies, no problem.

      There is an old distinction between "proximate cause" and "ultimate cause" that applies here. Google the phrases.

      --
      Those who do study history are doomed to stand helplessly by while everyone else repeats it.
    61. Re:This reminds me of WW 1 by badkarmadayaccount · · Score: 1

      Throttle down the chain - access will be slow, but certain. The service can blacklist invalid sessions and inform the network about it, cutting off the nodes creating problems.

      --
      I know tobacco is bad for you, so I smoke weed with crack.
    62. Re:This reminds me of WW 1 by badkarmadayaccount · · Score: 1

      War's object is more perfect peace.

      --
      I know tobacco is bad for you, so I smoke weed with crack.
    63. Re:This reminds me of WW 1 by badkarmadayaccount · · Score: 1

      Verify and encrypt, PKs in DNS records, the network control protocol for anti-DDoS.

      --
      I know tobacco is bad for you, so I smoke weed with crack.
    64. Re:This reminds me of WW 1 by badkarmadayaccount · · Score: 1

      Sorry for self-replying. The certs verifying the DNS records, and the certs distributed via DNS are signed by the hosting provider cert, which is in turn signed by upstream ISPs. If a hosting provider allows abusing the trust the hosting space brings, the hosting provider cert is revoked, leaving him without DDoS protection. So he has to choose - host DDoS attacks, and get hit by them (rendering the aforementioned hosting pointless (oh the irony, a DDoS server host gets DDoSed by a botnet)), or keep it clean making sure that DDoS attacks don't go in or out. If he tries to make a business model out of DDoSing, assuming there is no one able/willing to attack, the hosting provider just gets blackholed.

      --
      I know tobacco is bad for you, so I smoke weed with crack.
    65. Re:This reminds me of WW 1 by ogl_codemonkey · · Score: 1

      I'm not entirely sure that I'm following your proposal; are you saying that we should implement some Internet-wide hierarchy of traffic-control trust up to 'DNS root server' level, and allow the 'blackholing' of networks that don't adhere to it?

      What if your ISP doesn't adhere to it (I can't get mine to add reverse lookup from the static IP block I've had for nearly 3 years to my own domain...), or their implementation is buggy? Or 30 users in your subnet get infected (or 'volunteer')? If your ISP doesn't catch it in time is it okay for their upstream(s) to revoke them?

      How about if you have a /22 and private cable all across your town - who signs your key if you want to negotiate peering with the local telcos, who won't deal with you without it?

      When does this information get looked up? By any (every?) edge or core router before a packet is allowed through? Just TCP SYN? Drop it or reject it?

      Assuming this is an edge-router solution, what if the look up is done by a host that doesn't use their direct "superior"'s DNS servers? Or if there is no clear 'upstream' at the time the packet hits an edge router? Are you suggesting reverse-DNS lookup to get the source network name, then forward DNS lookup for the domain 'DDoS status' authority server, then a second forward request for this DDoS-participant status, any or all of which may have to fall all the way back to the root servers?

      Or is this based on traversed routers; so we can start with a reflected 'trace route' and verify everything on the hops back to the source?

      Revoking certificates via DNS is another time sink, since I understand that you're suggesting a server host their own 'DDoS safe' certificate and the public key they use to sign data (signed by their parent...?)

      To revoke trust from a signature, it would have to be regularly (within 'response time for DDoS attack') validated by re-requesting the possibly available revocation certificate from the network's 'parent'. Since the parent may be the one that is compromised (and bogusly revoking certificates, for example, also thusly denying service to and from any 'subservient' networks), this would have to force an un-cached validation up to 'root' to be secure.

      Revoking a signature means nothing if there is any way the un-revoked signature could be accessed for a meaningful amount of time in the context that it's used in. Since DNS is made for (and scales by) delegating responsibility to the lowest-possible authority, and aggressively caching without revalidation, I think you're looking in the wrong place for the answer to this solution.

      Oh, also - DNS works largely over UDP; so would that be exempt from DDoS protection (read: vulnerable), or would every UDP packet (validation request...) also be subject to this validation?

      I hope you've got a much better idea about this than I do, because when I was, err... discovering networks in my younger years, I found plenty of routes that:
      a) have no identifiable parent - they can be accessed from multiple networks, and route directly to multiple networks with no distinct hierarchy
      b) have no meaningful reverse DNS or whois records
      c) traverse networks with 'private' IP ranges internally
      d) seem to traverse multiple (sub-)networks with some externally-invisible encapsulation
      e) reset or otherwise tamper with TTLs
      f) plainly not forward entire protocols, port ranges, or other stuff at random, and expect (contract?) their peers to route around it
      Hrm, most of my discovery of these behaviours could probably have been detected as some kind of attack, should anyone have been monitoring for it. Perhaps I should have set the 'evil' bit...

      Also, keeping in mind that many core networks must allow traffic from any (or at least, very very many) source to enter at any edge (as those networks are likely to have other peering arrangements as well), the bulk of traffic cannot be trusted to have been validated in-route; as 'children' may just use source address ranges from 'sibling' networks for their DDoS attacks.

    66. Re:This reminds me of WW 1 by ogl_codemonkey · · Score: 1

      It's late, and I'm feeling old and grumpy; please don't take anything I say personally.

      I'd like to believe there was a simple and effective verification system that could be built into existing technology; but I just don't see it working in what I've read here.

      The thought I had while writing this was to look more in the direction of an authentication-required 'public' VPN. Users could subscribe to one of (m)any Kerberos or equivalent authentication providers, which could sign tokens to allow access (routing) onto participating 'genuine traffic' networks. High- or guaranteed-uptime services could then 'simply' be hosted on such VPNs, with transparent access to anyone with an account with an associated authentication service. Will sleep on that idea, but I like the voluntary association and independent implementation possibilities. ... and keep off the lawn ;)

    67. Re:This reminds me of WW 1 by badkarmadayaccount · · Score: 1

      War's object is more perfect peace.
      PS I think slashdot ate my previous attempt at posting this, but I'm not certain, so please excuse me for dupes.

      --
      I know tobacco is bad for you, so I smoke weed with crack.
    68. Re:This reminds me of WW 1 by badkarmadayaccount · · Score: 1

      I'm not entirely sure that I'm following your proposal; are you saying that we should implement some Internet-wide hierarchy of traffic-control trust up to 'DNS root server' level, and allow the 'blackholing' of networks that don't adhere to it?

      No. The certificate for routing requests is hosted on the domain local DNS. Verifying DNS requests is DNSSEC's job.

      What if your ISP doesn't adhere to it (I can't get mine to add reverse lookup from the static IP block I've had for nearly 3 years to my own domain...), or their implementation is buggy? Or 30 users in your subnet get infected (or 'volunteer')? If your ISP doesn't catch it in time is it okay for their upstream(s) to revoke them?

      Yes. That's practically hosting botnets, though distributed filtering should mitigate compliancy issues.

      How about if you have a /22 and private cable all across your town - who signs your key if you want to negotiate peering with the local telcos, who won't deal with you without it?

      You sign it and host it on your own DNS, or set up your router to support it (probably will be mandated by peering contracts).

      When does this information get looked up? By any (every?) edge or core router before a packet is allowed through? Just TCP SYN? Drop it or reject it?

      Periodical polling by, or explicit notification of, the relevant nodes, generally opportunistic.

      Assuming this is an edge-router solution, what if the look up is done by a host that doesn't use their direct "superior"'s DNS servers? Or if there is no clear 'upstream' at the time the packet hits an edge router? Are you suggesting reverse-DNS lookup to get the source network name, then forward DNS lookup for the domain 'DDoS status' authority server, then a second forward request for this DDoS-participant status, any or all of which may have to fall all the way back to the root servers?

      The host does not perform the look-up - the edge routers do. Get the [IP(s)][port(s)] (one reverse look-up), and check on the general (rather large, though - probably cached along the way) routing status based on DNS - one look-up. Hmmm... I guess so, you're right, but would that be a real issue?

      Or is this based on traversed routers; so we can start with a reflected 'trace route' and verify everything on the hops back to the source?

      No, though I guess it could be adapted... I think...

      Revoking certificates via DNS is another time sink, since I understand that you're suggesting a server host their own 'DDoS safe' certificate and the public key they use to sign data (signed by their parent...?)

      Correct, the data in question is just routing requests/distributed filtering protocol transmissions, the certificate key is distributed by DNS, I see no point of signing them, DNSSEC would do a fine job of verifying them.

      To revoke trust from a signature, it would have to be regularly (within 'response time for DDoS attack') validated by re-requesting the possibly available revocation certificate from the network's 'parent'. Since the parent may be the one that is compromised (and bogusly revoking certificates, for example, also thusly denying service to and from any 'subservient' networks), this would have to force an un-cached validation up to 'root' to be secure.

      The network itself revokes certs based on a combination of policy and behavior. Privilege levels would be handy for different external hosts.

      Revoking a signature means nothing if there is any way the un-revoked signature could be accessed for a meaningful amount of time in the context that it's used in. Since DNS is made for (and scales by) delegating responsibility to the lowest-possible authority, and aggressively caching without revalidation, I think you're looking in the wrong place

      --
      I know tobacco is bad for you, so I smoke weed with crack.
    69. Re:This reminds me of WW 1 by badkarmadayaccount · · Score: 1

      It's cool, mind sharing a... very nice cigarette on that lawn of yours :P.

      --
      I know tobacco is bad for you, so I smoke weed with crack.
    70. Re:This reminds me of WW 1 by oliverthered · · Score: 1

      I have actually read the bible.

      Do you know how to read?

      Have you studied any psychology?

      --
      thank God the internet isn't a human right.
    71. Re:This reminds me of WW 1 by oliverthered · · Score: 1

      you seem to have a problem with the new testament?

      --
      thank God the internet isn't a human right.
  3. Operation Payback never hit DNS hard by Vekseid · · Score: 3, Informative

    The people attacking Wikileaks did. Wikileaks' troubles would be nigh irrelevant without the omnipresent glaring vulnerability that is DNS. The mirrors would all be signed wikileaks.org and the client would choose the closest available. Or something to that effect.

    Some of the reported DDOS vulnerabilities were dead even before they were released to the public. Sockstress? Meet connlimit.

    1. Re:Operation Payback never hit DNS hard by phantomfive · · Score: 1

      Do you have an idea for getting rid of DNS? Because as far as I can tell, it's pretty important.

      --
      Qxe4
    2. Re:Operation Payback never hit DNS hard by Pseudonym+Authority · · Score: 1

      Giant HOSTS files. I want one of them there big checks like theys have on the tee vee shows.

    3. Re:Operation Payback never hit DNS hard by TecKnow · · Score: 1

      Limiting connections from a host or network can have its uses - or be an incredibly bad idea - but it doesn't have anything to do with sockstress or slowloris style approaches in particular. These approaches minimize the cost per connection for the attacker, limiting the number of connections in no way lowers that proportional benefit.

      Limiting the number of connections per host or network can just make an attack more successful. For example the dorm I lived in when I started grad school was NATed behind a tiny handful of IPs, with source connection limiting now one or a few attackers can deny service to the entire building.
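Added example, not part of any comment in this thread: a toy model of a per-source concurrent-connection cap (the policy iptables' connlimit match applies through `--connlimit-above` and `--connlimit-mask`), showing the NAT collateral described in the comment above and how a wider mask extends it. The addresses, client names and event timings are constructed, and the class is a simulation written for this page, not netfilter code.

```python
import heapq
import ipaddress
from collections import Counter


class ConnLimiter:
    """Toy model: cap on concurrent connections per source network."""

    def __init__(self, limit, prefix_len=32):
        self.limit = limit            # plays the role of --connlimit-above
        self.prefix_len = prefix_len  # plays the role of --connlimit-mask
        self.active = Counter()

    def _key(self, src_ip):
        # Every address inside the same prefix shares a single budget.
        return ipaddress.ip_network(f"{src_ip}/{self.prefix_len}", strict=False)

    def open(self, src_ip):
        key = self._key(src_ip)
        if self.active[key] >= self.limit:
            return False
        self.active[key] += 1
        return True

    def close(self, src_ip):
        key = self._key(src_ip)
        if self.active[key] > 0:
            self.active[key] -= 1


NAT_IP = "198.51.100.7"  # constructed: the building's shared public address

# Constructed events: (start_second, client, source_ip_seen_by_server, hold_seconds)
EVENTS = (
    [(0, "dorm-heavy", NAT_IP, 300)] * 20          # one host holding 20 long-lived connections
    + [
        (30, "dorm-student-a", NAT_IP, 2),
        (60, "dorm-student-a", NAT_IP, 2),
        (45, "dorm-student-b", NAT_IP, 2),
        (30, "same-isp-user", "198.51.100.99", 2),  # different address, same /24
        (30, "home-user", "203.0.113.20", 2),
        (45, "home-user", "203.0.113.20", 2),
    ]
)


def simulate(events, limit, prefix_len=32):
    """Replay events in time order; return {client: (accepted, refused)}."""
    limiter = ConnLimiter(limit, prefix_len)
    expiring = []  # min-heap of (close_time, source_ip)
    stats = {}
    for start, client, src_ip, hold in sorted(events):
        # Release every connection that ended before this attempt.
        while expiring and expiring[0][0] <= start:
            _, done_ip = heapq.heappop(expiring)
            limiter.close(done_ip)
        accepted, refused = stats.get(client, (0, 0))
        if limiter.open(src_ip):
            heapq.heappush(expiring, (start + hold, src_ip))
            stats[client] = (accepted + 1, refused)
        else:
            stats[client] = (accepted, refused + 1)
    return stats


if __name__ == "__main__":
    for mask in (32, 24):
        print(f"limit=20 mask=/{mask}")
        for client, result in sorted(simulate(EVENTS, 20, mask).items()):
            print(f"  {client:16s} accepted={result[0]} refused={result[1]}")
```

With a /32 mask every other resident behind the shared address is refused while the 20 long-lived connections are held; with a /24 mask the refusal also reaches the unrelated user elsewhere in that prefix.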

  4. Tired of this term... by Anonymous Coward · · Score: 5, Interesting

    "sympathizers", when has this word ever been used in a good way
    Nazi sympathizers
    Russian sympathizers
    Terrorist sympathizers

    It's a term used to describe supporters of those who you think of as bad.
    A neutral term to be used is simply "supporters".

    1. Re:Tired of this term... by igreaterthanu · · Score: 2

      As an AC sympathizer, I agree.

      --
      I dream of a nation where a man is not judged by his skin color but by a number assigned by a credit rating agency.
    2. Re:Tired of this term... by Anonymous Coward · · Score: 1

      Right, being a jock supporter is real neutral...

    3. Re:Tired of this term... by Anonymous Coward · · Score: 0

      Or hooligans.

  5. How could they not progress against a known threat by DJRumpy · · Score: 1

    I'd say there has been some progress. Although they may have taken down sites like Mastercard, which doesn't normally deal in high volumes of traffic, they apparently had no effect on Amazon that I could see. I tried it throughout the day that Anonymous stated they would target Amazon, with nary a pause or hiccup.

  6. Is DDoS a crime? by Wolfling1 · · Score: 2

    If I were to arrange a thousand people to turn up at the corporate headquarters of Visa, and then simply sit down on the ground outside the main doors, would it be a crime?

    So, how can it be a crime if I achieve the same thing in cyberspace?

    1. Re:Is DDoS a crime? by Anonymous Coward · · Score: 0

      Because this "sit in" is disrupting business. In your analogy you conveniently leave out that you are stopping the flow of business and halting people going about their own lives.

    2. Re:Is DDoS a crime? by Raptoer · · Score: 3, Insightful

      If you do so in an attempt to harm or otherwise deny access, then yes, it would be. It's more akin to getting a thousand people to sit outside their building and forcefully block anyone who tries to come in.

    3. Re:Is DDoS a crime? by RandomAdam · · Score: 2

      The same way as the physical act will be made into a crime... Some officer of the law will ask you to move and when you don't then you are arrested for failure to comply with an officer of the law, which is barely a step away from resisting arrest when you protest that this is a legitimate protest...

      --
      @Random_Adam

      Sometimes a sig doesn't have to be funny!!
    4. Re:Is DDoS a crime? by Anonymous Coward · · Score: 1

      Yes.
      Trespass.
      Causing a public nuisance.

      But here is a thought. Try it sometime. See how many people you can get to turn up.

    5. Re:Is DDoS a crime? by MysteriousPreacher · · Score: 1

      Depends on the country, but yes indeed probably would be a crime to get 1000 people together and have them block access to the Visa headquarters. Protest is not the same as physically obstructing access.

      --
      -- Using the preview button since 2005
    6. Re:Is DDoS a crime? by Anonymous Coward · · Score: 5, Insightful

      No it's not.

      It's like a crowd gathered in front of a service window all trying to get an order - only most of them asking for things they don't offer there. Now you as a legitimate customer need to get through that crowd to get to the window and make your order.

    7. Re:Is DDoS a crime? by ToasterMonkey · · Score: 1

      If I were to arrange a thousand people to turn up at the corporate headquarters of Visa, and then simply sit down on the ground outside the main doors, would it be a crime?

      So, how can it be a crime if I achieve the same thing in cyberspace?

      If you prevent people from entering/exiting the building, or do that on private property without permission, yes. There isn't so much as a sidewalk to stand on in the Internet as far as public space goes, so good luck with your analogy.

    8. Re:Is DDoS a crime? by Lord+Kano · · Score: 1

      If I were to arrange a thousand people to turn up at the corporate headquarters of Visa, and then simply sit down on the ground outside the main doors, would it be a crime?

      So, how can it be a crime if I achieve the same thing in cyberspace?

      It would be a crime if you did that at an abortion clinic. 10 years in Federal prison and $100K+ in fines.

      LK

      --
      "Hi. This is my friend, Jack Shit, and you don't know him." - Lord Kano
    9. Re:Is DDoS a crime? by Anonymous Coward · · Score: 2, Informative

      If they are blocking commerce, they can be removed. Criminal trespass arrests usually empty the streets out of people doing a sit-in, and gives an added bonus of felony-hard charges should they even come near the place again (even if they protest on the sidewalk and not on the property.)

      When push comes to shove, most places go into "arrest them now, they can sue later on in the courts and lose later" mode. Every four years, you will see this exact phenomenon in action during the DNC and RNC meetings during the US election year.

    10. Re:Is DDoS a crime? by rawler · · Score: 1

      And that is a crime? I've been under the impression that that level of civil disobedience is more or less constitutionally protected in most democratic regimes?

      That is, police can drive you away, but unless you use violence or threats, you cannot really be prosecuted?

      Remember, the DDos-sources aren't really doing anything to the other visitors of the site or to the site itself. They are merely coordinatedly using the public services offered by the site, to the point of resource-exhaustion on the site. It's akin to forming a very long and slow-moving line in front of the office waiting to be served, and newcomers are expected to also wait in line, or give up.

    11. Re:Is DDoS a crime? by gsslay · · Score: 2

      No it's not.

      It's like a crowd gathering in front of a service window all trying to get an order - only most of them purposely asking for things they don't offer there, but repeatedly rejoining the queue with the same request.

      If the company can tell who are the genuine customers, they can inform the rest that they are not welcome and invite them to leave. After which point they are trespassing.

      Which is why DDoS is illegal.

    12. Re:Is DDoS a crime? by Anonymous Coward · · Score: 0

      In the Netherlands, where a kid was actually arrested for participating in the attacks, it most certainly is a crime to execute a denial-of-service attack. You can be punished with up to 1 year imprisonment or a 19,000 euro fine. It is, however, quite unlikely that the maximum penalty will be given.

      See: http://wetten.overheid.nl/BWBR0001854/TweedeBoek/TitelV/Artikel138b/geldigheidsdatum_13-12-2010

    13. Re:Is DDoS a crime? by Anonymous Coward · · Score: 0

      In the UK, it would come under the Computer Misuse Act, though as just one of a group of participants and with no permanent damage, it's hard to see the penalty being harsh. I'd imagine a suspended sentence and "don't be so stupid, prole" would be standard.

    14. Re:Is DDoS a crime? by Requia · · Score: 1

      Because this "sit in" is disrupting business.

      That would be the entire point of a meatspace sit in as well.

      --
      By all means mod me troll. I'm always happy to see my enemies are afraid to debate me.
  7. how to fight off ddos attacks, in one step by Anonymous Coward · · Score: 1

    1. take down slashdot :D

    jk.

    but seriously, many websites have fallen victim to slashdot!

    1. Re:how to fight off ddos attacks, in one step by alvinrod · · Score: 4, Interesting

      I think you've inadvertently stumbled upon the difficulties of fighting DDoS attacks. Sometimes it's just a flood of legitimate traffic with no malicious intent behind it at all.

    2. Re:how to fight off ddos attacks, in one step by L4t3r4lu5 · · Score: 1

      Sometimes it's just a flood of legitimate traffic with no malicious intent behind it at all.

      I've heard of a phenomenon like this before. Someone posts a link on a popular IT news aggregator, and subsequently the server on the end of the link starts returning HTTP 500 errors.

      I can't for the life of me remember what the phenomenon is called, though.

      --
      Finally had enough. Come see us over at https://soylentnews.org/
  8. Re:How could they not progress against a known thr by Anonymous Coward · · Score: 1

    The attack on amazon never happened. Of course even if it did happen it might not have done any visible damage.

  9. Answer by Haedrian · · Score: 1

    No.

    There you go.

  10. Re:How could they not progress against a known thr by Firewing1 · · Score: 5, Informative
    According to the Anonymous press release two days ago, they never launched an attack against Amazon:

    After this piece of news circulated, parts of Anonymous on Twitter asked for Amazon.com to be targeted. The attack never occurred.

    After the attack was so advertised in the media, we felt that it would affect people such as consumers in a negative way and make them feel threatened by Anonymous. Simply put, attacking a major online retailer when people are buying presents for their loved ones, would be in bad taste.

  11. DDOS = Digital Sit-in by Palmsie · · Score: 5, Interesting

    A number of sources have begun describing DDOS attacks not as cyber-attacks but rather as digital sit-ins that are completely legal. A DDOS (Note the Distributed) is basically a ton of people visiting the site at once so that others can't. In essence, the unknowing visitor to mastercard.com is also contributing to the DDOS by merely visiting the already flooded site (albeit in a small way) just as an unknowing visitor to a bank is contributing to a sit-in by disrupting the flow of work. Their mere presence is making the work more difficult. However, there is nothing illegal about one person visiting a bank and standing there, just like there isn't anything illegal with a number of people going to a bank... at the same time. Ultimately, the question isn't "has progress been made" to stop DDOS attacks, but SHOULD there be progress to stop them? Sounds like an easy question to answer but in the case of freedom of expression, it makes the waters a bit more muddied.

    --
    Carl Sagan quotes get you an automatic +5 on all posts.
    1. Re:DDOS = Digital Sit-in by Haedrian · · Score: 1

      To continue with your analogy - I'm pretty sure it's illegal to have thousands of customers in front of the bank clerks insisting that it's their turn, and not allowing real customers to access the clerks - while the bank needs to thwart their efforts by hiring more clerks and paying extra funds for nothing.

      Of course it's a crime - you're removing people's access to a resource someone else is paying for.

    2. Re:DDOS = Digital Sit-in by Anonymous Coward · · Score: 0

      Most of the public places (banks by following your example) have a set limit (published somewhere in said facility) on how many people are allowed inside at the same time, at least in the US.

    3. Re:DDOS = Digital Sit-in by Palmsie · · Score: 1

      While I generally agree with the comments posted above (e.g. no loitering), I find this an interesting analogy to compare to DDOS attacks - an analogy, btw, that isn't mine, I've just seen it repeated a few times recently from people who are not simply being mindless talking heads to the fact that Anon isn't some elite/super-secret hacker group but rather 4chan being 4chan.

      --
      Carl Sagan quotes get you an automatic +5 on all posts.
    4. Re:DDOS = Digital Sit-in by Duradin · · Score: 5, Insightful

      With a sit in, the protestor faces the (immediate) risk of arrest. With a sit in once they are asked to leave and they refuse it becomes trespass and the cops can be called in to clear them out. Not so with a DDoS.

      Equating DDoS with sit-ins is a disservice to the sit-in as a valid form of protest.

    5. Re:DDOS = Digital Sit-in by Anonymous Coward · · Score: 0

      A number of sources have begun describing DDOS attacks not as cyber-attacks but rather as digital sit-ins that are completely legal. A DDOS (Note the Distributed) is basically a ton of people visiting the site at once so that others can't. In essence, the unknowing visitor to mastercard.com is also contributing to the DDOS by merely visiting the already flooded site (albeit in a small way) just as an unknowing visitor to a bank is contributing to a sit-in by disrupting the flow of work. Their mere presence is making the work more difficult. However, there is nothing illegal about one person visiting a bank and standing there, just like there isn't anything illegal with a number of people going to a bank... at the same time. Ultimately, the question isn't "has progress been made" to stop DDOS attacks, but SHOULD there be progress to stop them? Sounds like an easy question to answer but in the case of freedom of expression, it makes the waters a bit more muddied.

      If these people were just visiting up the site and hitting the "reload" button repeatedly, you might make a case for this. But the "Anonymous" attack was using a custom crapflooding tool to DDoS their targets. They were not staging a virtual sit-in; they were holding a virtual riot.

    6. Re:DDOS = Digital Sit-in by Anonymous Coward · · Score: 0

      If I protest a brick and mortar by sitting down on the sidewalk in front of the building, and the customers who want to enter have to wade through, that's legal.

      If I protest a web company by DDOSing, and all the customers who want to shop have to wade through my packets.. that is...

      Wait.. those seem strangely similar.

    7. Re:DDOS = Digital Sit-in by Dachannien · · Score: 2

      A number of sources

      Are these neutral, independent, reputable sources? Or are they sources that have taken sides in favor of Wikileaks and the DDoSers and are trying to justify the act of perpetrating a DDoS attack?

      Note that Julian Assange has already indicated that neither Wikileaks nor he approve of the DDoS attacks, first and foremost because they are a muzzle to free speech.

    8. Re:DDOS = Digital Sit-in by jc42 · · Score: 2

      I'm pretty sure it's illegal to have thousands of customers in front of the bank clerks insisting that it's their turn, ...

      Actually, this sort of thing has happened repeatedly throughout the history of banks. It's called a "run on the banks", and typically happens as part of some economic disaster that makes people fear loss of their savings. To my knowledge, nobody has ever been arrested and charged with attempting to withdraw their funds from a bank. (Though if it has happened, it might be interesting to read about.)

      Typically, banks and governments react to this by first trying to calm the population and convince people that they aren't about to lose their money. And sometimes, they will declare a "bank holiday" that shuts all the banks down until the PR campaign has calmed the population down. This can backfire, of course.

      But people descending on a bank all at once and wanting access to their money isn't a hypothetical thing; it has happened on numerous occasions.

      --
      Those who do study history are doomed to stand helplessly by while everyone else repeats it.
    9. Re:DDOS = Digital Sit-in by jeff4747 · · Score: 1

      A number of sources have begun describing DDOS attacks not as cyber-attacks but rather as digital sit-ins that are completely legal.

      Sit-ins aren't legal.

      A sit-in is a minimum of trespassing, with a few other charges depending on what you do and where you do it.

    10. Re:DDOS = Digital Sit-in by MachDelta · · Score: 2

      So where does one draw the line between hitting F5 repeatedly, getting a drinking bird to do it for you, or running LOIC? Is the drinking bird illegal? Can you even prove LOIC was in use?

    11. Re:DDOS = Digital Sit-in by Nemyst · · Score: 1

      I might be inclined to concede this for DDOS where 1 visitor = 1 person. Unfortunately, you simply can't ignore that a great proportion of the traffic in a DDOS comes from botnets, which are and should always be illegal. The dangers of a single person with control of a large botnet can be incredible for small sites - I've personally seen entire communities crumble because one single idiot was angered at the others and decided to take revenge.

      I'm sorry, but I can't equate DDOS with a sit-in. We need to make progress in stopping those.

    12. Re:DDOS = Digital Sit-in by Duradin · · Score: 1

      The people bending logic to its limits to make DDoS a valid form of protest won't care about trifling things like fire codes.

    13. Re:DDOS = Digital Sit-in by Duradin · · Score: 1

      I thought Wikileaks doesn't approve or disapprove of the attacks, a tacit condoning of the attacks by not condemning them.

    14. Re:DDOS = Digital Sit-in by Pseudonym+Authority · · Score: 1

      a tacit condoning of the attacks by not condemning them

      Reads a lot like

      by not supporting this bill, you are siding with the terrorist

    15. Re:DDOS = Digital Sit-in by Duradin · · Score: 1

      Has Wikileaks told Anonymous to stop? Especially when it'd be in their "good guy" interests to do so?

    16. Re:DDOS = Digital Sit-in by Anonymous Coward · · Score: 0

      A number of sources have begun describing DDOS attacks not as cyber-attacks but rather as digital sit-ins that are completely legal.

      My employer's site gets hit by relatively many DDOS attacks. Now I consider what Anonymous are doing to be quite analogous with a sit-in, but most DDOS attacks are not. If somebody has a botnet of hijacked computers I don't really see how it could be compared to a sit-in, but if everybody is just using their own computer then it could.

      Judging from the fact that during most attacks against our services the top 20 sources of traffic come from servers sitting on 1gbit links I would imagine they are not really single people using their own computer to protest.

      This will actually be the interesting case when law enforcement starts cracking in to these kids. Anonymous is not doing as much bad as your average source of DDOS, but because of that they will also be trivial to track down. Nobody ever cared to study DDOS attacks against us very much since they'll never get to the source anyway, now they can because it's not a similar kind of criminal behind it, and my bet is that they will try to judge them as if they were very evil.

    17. Re:DDOS = Digital Sit-in by Haedrian · · Score: 1

      I'm pretty sure that even if you hit F5 repeatedly, or get a drinking bird or a rock to do it for you - it's still slower than LOIC.

      Now I haven't used LOIC myself, but from screenshots I saw you can apparently send your own message with the packets. So if you see an IP address trying to connect at a faster speed (as in, open up requests at a larger frequency) than would be humanly possible - then it's probably LOIC. People don't mash F5 usually - and it's still slower than an automated program.
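The rate heuristic described in the comment above, as an added example that is not part of the original thread: it computes each source IP's peak request count in a sliding window over access-log lines and flags sources above a human-plausible ceiling. The log lines, IP addresses, window length and threshold are all constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Common Log Format: ip ident user [timestamp] "METHOD path proto" status size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+')
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (ip, timestamp, method, path, status) or None for a malformed line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, method, path, status = m.groups()
    return ip, datetime.strptime(ts, TS_FORMAT), method, path, int(status)


def peak_rates(lines, window_s=10):
    """Map ip -> (peak requests inside any window_s-second span, distinct paths).

    Assumes lines arrive in time order, as they do in an access log.
    """
    windows = defaultdict(deque)
    peak = defaultdict(int)
    paths = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip lines we cannot parse instead of guessing
        ip, ts, _method, path, _status = rec
        q = windows[ip]
        q.append(ts)
        # Drop requests that have fallen out of the window ending at ts.
        while (ts - q[0]).total_seconds() >= window_s:
            q.popleft()
        peak[ip] = max(peak[ip], len(q))
        paths[ip].add(path)
    return {ip: (peak[ip], len(paths[ip])) for ip in peak}


def flag_automated(lines, window_s=10, max_human=20):
    """Sources whose peak rate exceeds max_human requests per window (assumed threshold)."""
    rates = peak_rates(lines, window_s)
    return sorted(ip for ip, (p, _paths) in rates.items() if p > max_human)


def build_sample():
    """Constructed log: a reader, a browser fetching page assets, an automated client."""
    base = datetime(2010, 12, 9, 12, 0, 0, tzinfo=timezone.utc)
    events = []
    # Human reader: one page every 10 seconds.
    events += [(i * 10, "192.0.2.10", f"/page{i}") for i in range(6)]
    # Browser loading one page: 15 asset requests inside 2 seconds (bursty but legitimate).
    events += [(30 + i // 8, "203.0.113.5", f"/static/{i}.css") for i in range(15)]
    # Automated client: 50 identical requests per second for 5 seconds.
    events += [(20 + s, "198.51.100.7", "/") for s in range(5) for _ in range(50)]
    events.sort(key=lambda e: e[0])
    lines = []
    for offset, ip, path in events:
        ts = (base + timedelta(seconds=offset)).strftime(TS_FORMAT)
        lines.append(f'{ip} - - [{ts}] "GET {path} HTTP/1.1" 200 512')
    return lines


if __name__ == "__main__":
    sample = build_sample()
    for ip, (p, n_paths) in sorted(peak_rates(sample).items()):
        print(f"{ip:15} peak={p:4d}/10s distinct_paths={n_paths}")
    print("flagged:", flag_automated(sample))
```

A per-source threshold like this separates one fast client from ordinary browsing, but many users behind one NAT address can exceed it, and a flood spread across enough sources keeps every individual address under it.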

    18. Re:DDOS = Digital Sit-in by L4t3r4lu5 · · Score: 1

      It's happened very recently, and was widely publicised, at least in the UK.

      Images of queues outside Northern Rock branches

      --
      Finally had enough. Come see us over at https://soylentnews.org/
    19. Re:DDOS = Digital Sit-in by Ryxxui · · Score: 1

      Since Anonymous is still performing these attacks, I would say that any of them still face the immediate risk of arrest. I sure hope they all understand that, though. I'm gonna feel really bad when every high school and middle school (and elementary school?) in America has one kid get arrested for participating in these protests/attacks.

    20. Re:DDOS = Digital Sit-in by Anonymous Coward · · Score: 0

      If the government didn't beat down and imprison people performing the type of sit-in you suggest, perhaps it would be a valid option.

      As things are however, it is not valid, and you make no compelling argument why those requirements should make the difference between a legit sit-in and a non-legit sit-in.

    21. Re:DDOS = Digital Sit-in by jaredmauch · · Score: 1

      Not really. If you are blocking the public right of way, you can be arrested. Most stores are on private property, not public so they can reserve the right to refuse service to you as well.

      This is why those involved in sit-ins have been arrested in the past, and those on-strike have to 'keep moving' and can't just do their own sit-in.

    22. Re:DDOS = Digital Sit-in by Anonymous Coward · · Score: 0

      I'll probably get modded "Troll", "Flamebait", or something similar, but I'll deal with it, I've been called worse.

      I seem to recall a "sit-in" was tried once in Tiananmen Square, we saw how that ended up. I rather expect a similar reaction on the part of our corporate overlords, who, I might point out, are increasingly found to be doing a larger share of their business under (and modeling international policies to be compatible with) the business practices existing in the PRC. Of course, in many other countries, the loss of life will be less obvious, but the loss of livelihoods will be just as extreme, which amounts to more or less the same thing with less investment involved.

      Anybody still think it's coincidence?

      We need to find a way to conduct our affairs in a way that renders PRC policies irrelevant to the rest of the world.

      NOW.

    23. Re:DDOS = Digital Sit-in by badkarmadayaccount · · Score: 1

      Roadblocks, OTOH, AFAIK are legal, so just screw up a few major routers instead, and you are in the clear, ethically.

      --
      I know tobacco is bad for you, so I smoke weed with crack.
  12. Why are DDoS attacks hard to avoid anyway? by Musically_ut · · Score: 5, Informative

    If you are curious about the slightly deeper and murkier details, this will tell you why handling DDoS attacks is still difficult.

    --
    Never trust a spiritual leader who cannot dance -- Mr. Miyagi
    1. Re:Why are DDoS attacks hard to avoid anyway? by citizenr · · Score: 4, Informative

      http://slideshot.epfl.ch/play/ktn_katerina

      no idea why u got modded flamebait :)

      --
      Who logs in to gdm? Not I, said the duck.
  13. Re:How could they not progress against a known thr by Haedrian · · Score: 1

    That's because Amazon is designed to withstand such heavy use. If I decide to DDOS some server which usually gets 10-15 visitors a week, I probably won't need more than a single client.

    Amazon (which apparently does hosting too) - is designed to take thousands upon thousands of concurrent connections at the same time.

    It's not about progress - it's like discovering that your i5 CPU can handle more spyware running at the same time than your Pentium MMX - it's still the same method.

  14. Re:How could they not progress against a known thr by Anonymous Coward · · Score: 1

    aka, our attack failed, not even noticed by Amazon, so here's our attempt at saving face.

  15. Re:How could they not progress against a known thr by Anonymous Coward · · Score: 0

    More like millions, and let's not even get into Amazon's highly distributed architecture.

  16. No more DDoS? by Mr+Pleco · · Score: 1

    Simple...

    Stop linking to said site from slashdot. Then the DDoS will stop. =)

  17. There's only one way by Anonymous Coward · · Score: 0

    A DDoS is like a brute-force cryptographic attack. You can't design a (classical) cryptosystem that's immune to brute force attacks. You can only make it more resistant by increasing the number of keys.

    Similarly, the only way to protect against a DDoS is by increasing your server capacity.

  18. Ironically criminal botnets are helpful here... by antifoidulus · · Score: 5, Interesting

    The article talks a lot about botnets, but how many botnets are actually involved in the wikileaks attacks? I haven't read about any and my bet is that there probably aren't a lot. Why? Simple, the purpose of most botnets has turned from fun into profit. 10 years ago most of the botnets were designed just to screw with people, delete files, open ports, ddos ebay etc. However over the past 10 years a lot of the creators of botnets have found that they can use the botnets to generate lots of cash by moving spam, selling information etc. I doubt that very many of them would want to risk subjecting their botnets to discovery and removal by getting involved in such a high profile attack.

    1. Re:Ironically criminal botnets are helpful here... by Anonymous Coward · · Score: 0

      Unless they are getting paid in gold bars. Lots of precious gold bars. mmm

    2. Re:Ironically criminal botnets are helpful here... by John+Hasler · · Score: 2

      However over the past 10 years a lot of the creators of botnets have found that they can use the botnets to generate lots of cash by moving spam, selling information etc.

      No, they've found that they can rent out their botnets to people who generate lots of cash by moving spam, selling information, etc. If you've got the cash and are willing to spend it you can rent a botnet for your political DDOS.

      --
      Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
    3. Re:Ironically criminal botnets are helpful here... by Anonymous Coward · · Score: 0

      From what I've heard there's solid reason to believe that Wikileaks was taken down by a Slowloris attack running from a single machine run by The Jester (ascii transliteration from l33tspeak). That would explain why the attack was not able to take down the much larger Amazon cloud.

    4. Re:Ironically criminal botnets are helpful here... by Anonymous Coward · · Score: 0
    5. Re:Ironically criminal botnets are helpful here... by antifoidulus · · Score: 1

      It's not a botnet if you voluntarily install and execute the attack code.

  19. Re:How could they not progress against a known thr by mysidia · · Score: 1

    How could they not progress against a known threat

    The threat is not of a static nature. DDoS attack methodology evolves, just like defenses evolve.

    It's kind of like asking "How could the US not have progress against the terrorist threat?". Or "How could one side of a war not have progress against the other side"

    If your opponent evolves faster than you do, then you have the opposite of progress. If they evolve at essentially the same speed as your defenses evolve, then you basically use a lot of energy and develop lots of new defenses, but are essentially standing still.

  20. Origins of the internet by girlintraining · · Score: 3, Insightful

    You all may recall that the internet was designed as a peer to peer network. It was assumed that every node would have equal access to a decentralized network with many interconnects and pathways between each. The rise of DDoS attacks and other vulnerabilities is a direct result of the internet being used for other than it was designed: Businesses have forced a "one to many" relationship, a client-server architecture, and uneven upstream/downstream ratios. The centralization here is the weakness, not the internet.

    The internet wasn't designed to support the business and organizational models that now dominate it. The solution to the DDoS problem is to decentralize, and restore a peer-based communication model -- that is how it was designed to be used. Of course, we could sit here and debate how to "save" the internet from "hackers" who are using the strengths of the network to great effect to attack those who built their solutions without much mind to the foundation.

    --
    #fuckbeta #iamslashdot #dicemustdie
  21. Slashdot effect by sunderland56 · · Score: 2

    How do you differentiate a DDoS attack from the usual slashdotting of a web site?

    1. Re:Slashdot effect by Rinnon · · Score: 5, Funny

      How do you differentiate a DDoS attack from the usual slashdotting of a web site?

      One is intentionally malicious with the intent to bring down the site. The other is usually the Botnet on Autopilot.

    2. Re:Slashdot effect by n_djinn · · Score: 1

      I am waiting for the punch line.....

      --
      I do not play in the middle of the road
    3. Re:Slashdot effect by MichaelSmith · · Score: 1

      How do you differentiate a DDoS attack from the usual slashdotting of a web site?

      DDoS attackers don't do normal http queries. They make an initial connection to the server and leave it dangling to later time out. The server supports a finite number of external connections and can be easily kept out of action.

    4. Re:Slashdot effect by Nursie · · Score: 2

      Not necessarily true.

      Attacks like Slow Loris rely on opening lots of connections and keeping them open, intermittently sending a byte or two of an http request to keep the server interested. You don't even need to be distributed to do that, one client can take down a server that's vulnerable to slow loris.

      But that's not what's going on here. DDoS can be (and is in this case I think) lots and lots and lots of normal traffic from many different sources, flooding the pipes, overloading the server etc etc.
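Why a server that only enforces an idle timeout is exposed to the slow-header behaviour described in the comment above, shown as an added example that is not part of the original thread: two header-read policies are replayed over recorded receive traces, one resetting its timer on every byte and one using an initial deadline that extends with received data up to a hard cap (the shape of policy that Apache's mod_reqtimeout `RequestReadTimeout header=20-40,MinRate=500` expresses). The traces, function names and parameter defaults are constructed assumptions.

```python
HEADER_END = b"\r\n\r\n"  # blank line that terminates an HTTP request header block


def idle_timeout_verdict(chunks, idle_s=60.0):
    """Policy A: drop only if nothing arrives for idle_s seconds.

    chunks is a list of (seconds_since_accept, bytes_received), in time order.
    Returns ("complete", t) or ("timeout", t) where t is when the worker is freed.
    """
    buf = b""
    last = 0.0
    for t, data in chunks:
        if t - last > idle_s:
            return ("timeout", last + idle_s)
        buf += data
        last = t
        if HEADER_END in buf:
            return ("complete", t)
    return ("timeout", last + idle_s)


def header_read_verdict(chunks, initial_s=20.0, max_s=40.0, min_rate=500):
    """Policy B: headers must be complete by a deadline.

    The deadline starts at initial_s, grows by one second per min_rate bytes
    received, and never exceeds max_s, so trickled bytes buy almost no time.
    """
    deadline = initial_s
    buf = b""
    for t, data in chunks:
        if t > deadline:
            return ("timeout", deadline)
        buf += data
        if HEADER_END in buf:
            return ("complete", t)
        deadline = min(max_s, initial_s + len(buf) / min_rate)
    return ("timeout", deadline)


# --- Constructed receive traces (server-side view of one connection each) ---

# Ordinary client: the whole header block arrives in one segment.
NORMAL = [(0.05, b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n")]

# Slow but honest client: headers split across segments on a poor link.
SLOW_BUT_HONEST = [
    (0.2, b"GET /index.html HTTP/1.1\r\n"),
    (1.4, b"Host: example.test\r\nUser-Agent: constructed\r\n"),
    (2.9, b"Accept: */*\r\n\r\n"),
]

# Trickling client: a partial header every 15 seconds, never the blank line.
TRICKLE = [(0.0, b"GET / HTTP/1.1\r\nHost: example.test\r\n")] + [
    (15.0 * k, b"X-a: b\r\n") for k in range(1, 41)
]


def worker_seconds(policy, chunks):
    """Seconds one worker slot stays occupied by this connection under a policy."""
    _verdict, t = policy(chunks)
    return t


if __name__ == "__main__":
    for name, trace in [("normal", NORMAL), ("slow-honest", SLOW_BUT_HONEST),
                        ("trickle", TRICKLE), ("silent", [])]:
        a = idle_timeout_verdict(trace)
        b = header_read_verdict(trace)
        print(f"{name:12} idle-timeout={a}  header-deadline={b}")
```

Under the idle-timeout policy the trickling trace holds a worker for the full length of the recording, while the deadline policy frees it after about 20 seconds and still accepts the slow but honest client.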

    5. Re:Slashdot effect by mother_reincarnated · · Score: 1

      This might have been true in 1997 but it's certainly not anymore.

      The most effective DDoS attacks are layer 7 attacks.
      It is pretty easy to deal with layer 4 attacks, trivially so to deal with layer 3 attacks.

      For DDoS attacks the harder to differentiate between an attacker and legitimate user the harder it is to protect against.

    6. Re:Slashdot effect by Grumbleduke · · Score: 1

      How do you differentiate a DDoS attack from the usual slashdotting of a web site?

      From a legal perspective you would consider intent and authorisation - at least, you would under English/Welsh law, specifically the Computer Misuse Act 1990. For this law to apply, the action must be unauthorised (or the accused unaware whether or not it is authorised) and the accused must intend to prevent or hinder access to some computer system.

      The authorisation thing is a little tricky as general website use is a murky legal area (due to the web growing up without lawyers pawing all over it) - in a recent High Court case here, it was held that merely visiting a website could count as copyright infringement if the person browsing wasn't following the Terms and Conditions (even though they required visiting the site to see... yes, that doesn't make any sense to me either). In this case, the T&Cs of a website were found to be legally binding and the idea of an "implicit licence" was rejected by the court. As such, to not fall afoul of the Computer Misuse Act in terms of authorisation, there would need to be T&Cs on the site that specifically authorise /.ing, but not DDoSing.

      Interestingly, /.'s Terms of Service (well, GeekNet's) - by which we are all bound - prohibits unlawful use (in section 2), but in this case, this would mean you couldn't know if /.ing or DDoSing was unlawful unless it was unlawful, which could lead to much fun for lawyers...

      Having re-read your post, it occurs to me that you were probably asking from a technical perspective, in which case my answer is completely irrelevant. Damnit, I'm turning into a lawyer...

  22. Re:DDOS = Digital Sit-in = Illegal by Anonymous Coward · · Score: 2, Insightful

    However, there is nothing illegal about one person visiting a bank and standing there, just like there isn't anything illegal with a number of people going to a bank... at the same time.

    Actually, that is called trespassing and is very illegal, especially if you do not leave when they ask you to. While it is true that businesses are open to the public, that is not blanket permission. They are giving an invitation of, "come on in if you want to do business." If you don't want to do business, then you have no right to be there. Likewise, if you are accessing someone's network not involved in business with them, then you have no permission to be there and are violating the law.

  23. Re:How could they not progress against a known thr by Fex303 · · Score: 1

    According to the Anonymous.... [snip]

    Simply put, attacking a major online retailer when people are buying presents for their loved ones, would be in bad taste.

    Right, because Anonymous and /b/ in general are such guardians of good taste.

  24. Re:How could they not progress against a known thr by Duradin · · Score: 1

    Of course they never launched that attack. They never tried and spectacularly (in its lack of effect) failed. To say that they tried would be admitting they were as effective as a gnat is against a freight train.

  25. Re:How could they not progress against a known thr by Shemmie · · Score: 2

    In unrelated news, most of Amazon in Europe suffered an outage tonight. BBC story

  26. Re:How could they not progress against a known thr by Jah-Wren+Ryel · · Score: 1

    Right, because Anonymous and /b/ in general are such guardians of good taste.

    The wording is easy to misunderstand. The statement is meant to indicate that interfering with people buying Xmas presents for their kids would be seen to be in bad taste and thus counter-productive to their goal. Screwing with the backend payment systems makes customers pissed off at mc/visa/e-stores but directly blocking the e-stores makes people pissed off at the DDOSers.

    --
    When information is power, privacy is freedom.
  27. Re:How could they not progress against a known thr by Anonymous Coward · · Score: 0

    Screwing with the backend payment systems makes customers pissed off at mc/visa/e-stores

    [Screwing with] the e-stores makes people pissed off at the DDOSers.

    Does not compute.

  28. Re:How could they not progress against a known thr by bsDaemon · · Score: 4, Insightful

    "simply put, attacking a major online retailer when our parents are buying our christmas presents might affect us" -- what they really meant.

  29. Puck by Nethead · · Score: 1

    And the NANOG list has been reading more and more like slashdot and less like an operators list for the last few months. Nice to see it come full circle with this article.

    --
    -- I have a private email server in my basement.
  30. Yes.... and, no. by VortexCortex · · Score: 1

    Yes, "headway has been made heading off DDoS attacks".
    ISPs & Hosting providers can now charge you large sums of money to ensure your pipes are big enough to handle a DDoS, thereby "heading off DDoS attacks" before they even begin.

    No, this doesn't really protect you from a large scale botnet executing a reflective DDoS attack; The amount of protection is in proportion to the amount you spend on your pipes. Some providers offer automatic up-scaling via server virtualization, but this just means you get to pay for the big pipes after the attack.

    So, in the face of a RDDoS in most cases the only advice is still: "Kiss goodbye your IP Stack, It's an SYN-ACK Attack!"

    1. Re:Yes.... and, no. by dropadrop · · Score: 2

      In most cases I've found distributed DOS shields can't really scale over 10gbit/s, and even then they have to be manually started after noticing the attack vs. "heading off the attacks before they begin".

  31. WRONG by chronoss2010 · · Score: 1

    you got bads guts. The injustices that continue unabated for the last 10-12 years in the aftermath of 9/11 are just rearing their ugly head. THIS is why it won't stop and you do not know much about hackers of any kind. They never get paid so why then do they according to you exist. Studies show ... every race, religion, creed and of every walk of life and station. It is in effect actual human nature to become or act like a hacker. THE degree is what is the issue. Matters it matters to me that copyright is out of control... IT matters to me people are dying because of drug patents. IT matters to me that free speech and democracy are under attack by a few greedy people. DO YOU THINK IN THE END PEOPLE WILL JUST GIVE UP? Only a coward will give in and up. Only the chickens and greedy ones want you to be sheep. It only gets worse as kids and youth have fewer and fewer outlets and you continue to grow laws on trees that are unjust and not needed.

    1. Re:WRONG by icebike · · Score: 1

      You will either give up, grow up, or get caught.

      Not necessarily in that order.

      Once you get out of your mom's basement and discover girls you will find that your mission in life is not to police the world from the end of a wire.

      --
      Sig Battery depleted. Reverting to safe mode.
    2. Re:WRONG by badkarmadayaccount · · Score: 1

      Ad hominem attacks on the freedom fighters of the new generation, based on ancient and irrelevant to the matter stereotypes. I bow at your discussion skills.

      --
      I know tobacco is bad for you, so I smoke weed with crack.
  32. prevention is the best cure by thej1nx · · Score: 4, Interesting

    Pretty easy. Make it standard for all OSs to default to updating/patching *without* prompting the user. I believe Chrome etc. do this already? A DDOS usually requires a botnet with lots of infected drones. And those in turn, usually require vulnerable un-patched systems. If someone actually wants the system to prompt them for applying updates, they can configure it so, instead of that being the out of box behavior.

    Microsoft alone is responsible for majority of these. The old excuse of "this is because windows is most popular OS" is pure hogwash. When dozens of unix variants can update system components without requiring a reboot, it simply implies a horrible design on part of Microsoft. And the reboots and the required prompting for updates are what is responsible for at least half of the infected systems on internet. If the user needs to control the updates, it should be configurable, not the default. The reaction of your mom and pop, after seeing the usual "updates are ready" pop-up, is to simply ignore it.

    Perhaps all that is needed is for someone to do an analysis of the compositions of Botnet systems and simply launch a class action suit against Microsoft. If they want to charge the public hundreds of dollars for a product that has a fixed cost and requires near-zero cost to replicate, they better be ready to provide a hell of a better product.

    1. Re:prevention is the best cure by swilver · · Score: 2

      Automatic updates can break things.

      Why would I want automatic updates?

      1) So it can unexpectedly change look, remove "unpopular" features or add new "features"?
      2) So it can suddenly start behaving differently, start crashing or not work at all anymore?
      3) So it can start spying on me, or otherwise add features that were not in the initial version I installed?

      No, thank you. I prefer to run the software *I* installed -- I already deal with enough stupid problems, and I do not want to deal with new ones when I arrive home and the stupid system decided to update itself.

      Security updates be damned. Run a decent system to begin with and there will not be a problem.

    2. Re:prevention is the best cure by syousef · · Score: 3, Insightful

      Pretty easy. Make it standard for all OSs to default to updating/patching *without* prompting the user.

      No thanks. I've seen too many "fixes" break much more than they fixed. I'm setting up a laptop at the moment and had to downgrade my version of Zonealarm because it broke my remote desktop, and downgrade my version of virtualbox because it broke network file sharing. Too many companies think they know better than the user then fail to do basic testing. Until quality control comes up out of the gutter, if you take away my ability to decide what is and isn't installed, I no longer have a use for your product. That's true of everything from the web browser to the OS to games to office suites. EVERYTHING.

      --
      These posts express my own personal views, not those of my employer
    3. Re:prevention is the best cure by Amarantine · · Score: 2

      Uh, several of these ddos attacks (at least in the Netherlands, where the police and government sites were being ddos'ed by teenagers) were made using LOIC, a piece of software that people install *voluntarily* to aid this kind of attacks. I'm not sure you can call these machines "infected", since the software has to be installed manually, and doesn't spread on its own like most botnet-malware. While i do not approve of that kind of software, i would not want an OS that cleans my system of software that i install myself, with or without asking.

    4. Re:prevention is the best cure by Anonymous Coward · · Score: 4, Insightful

      Needing a reboot after a software install/update? ... I used to think the MS strategy was lousy - and I have a MainFrame and Unix background.... BUT, I have since found a rather valid reason for doing a system reboot after software update ... to verify that the system will boot, while the details of the update are fresh in your mind.
      There is a real nasty shock available to *nix administrators who have done all sorts of minor updates over a period stretching back hundreds of days without a reboot.. next time you do a reboot, and the system does not restart things nicely ... which update (or updates) is the problem ??? Do you have a log of every change since the last reboot, and the time/skill needed to sort out the mess you now have?
      It turns out that while the MS forced reboot is often inconvenient and intrusive, it does at least verify (normally) that you have a valid system after applying the most recent set of changes. .....

    5. Re:prevention is the best cure by L4t3r4lu5 · · Score: 1

      Tell me of this OS which has never suffered from a privilege escalation bug, and still allowed you to watch YouTube and use Skype.

      Facebook doesn't render well in Lynx. You need some leeway between security and usability, or your super secure OS will spend its time on a store shelf.

      N.B. Don't tell me you don't use Facebook or watch YouTube; That's not the point. If your mom can't email your grandad with holiday photos on your OS, it's not for general use.

      --
      Finally had enough. Come see us over at https://soylentnews.org/
    6. Re:prevention is the best cure by L4t3r4lu5 · · Score: 1

      ZoneAlarm lost my support as a free Firewall solution in September over the whole "Global Virus Alert" scareware tactic. I recommend Comodo Internet Security now. Very configurable, easy to train, allows manual rule creation down to port level.

      --
      Finally had enough. Come see us over at https://soylentnews.org/
    7. Re:prevention is the best cure by daid303 · · Score: 1

      Pretty easy. Make it standard for all OSs to default to updating/patching *without* prompting the user.

      As someone who just spent half a day fixing his Android phone because an update broke WiFi, I say, this is a BAD idea. Updates are off now, and will stay off.

    8. Re:prevention is the best cure by syousef · · Score: 1

      ZoneAlarm lost my support as a free Firewall solution in September over the whole "Global Virus Alert" scareware tactic. I recommend Comodo Internet Security now. Very configurable, easy to train, allows manual rule creation down to port level.

      I tried Comodo twice over the years. Both times it made my system crawl, and I had issues which were showstoppers (but for the life of me I can't remember the detail).

      --
      These posts express my own personal views, not those of my employer
    9. Re:prevention is the best cure by Anonymous Coward · · Score: 0
      Nobody argued that the user should not be able to configure the system to prompt the user for patches. I fail to see why you personally are affected if the average mom-pop computer, which usually is the infected system, is updated without any prompting.

      You want to run the software you installed. Fine. Configure it to be so, instead of expecting that to be the out-of-factory setting.

      Nonsensical excuses like these are what are responsible for the botnets.

    10. Re:prevention is the best cure by Anonymous Coward · · Score: 0

      And if there is a worm going around that is guaranteed to infect your phone(say via emails), you would rather be infected and have your confidential data stolen? I see the wisdom in your approach.

    11. Re:prevention is the best cure by L4t3r4lu5 · · Score: 1

      I'm running it now on my Win7 box. Admittedly it's a gaming PC so hardly mom-and-pop check your email and play Farmville spec, but I've noticed no slowdown compared to the scarce few seconds I allowed my PC to be on the internet without a firewall while I downloaded it.

      --
      Finally had enough. Come see us over at https://soylentnews.org/
  33. Re:How could they not progress against a known thr by Anonymous Coward · · Score: 1

    They absolutely did try to take down Amazon and PayPal, despite what the "press release" said. AFAIK, there was no notable effect on Amazon, and any noticeable effect on PayPal was very brief in nature, outside of thepaypalblog.com.

  34. Re:How could they not progress against a known thr by MachDelta · · Score: 4, Informative

    The backends of Visa and MC were never targeted for the exact same reason. Their corporate sites (largely symbolic, mostly useless) were taken down instead. Paypal is a bit of an exception, but they were too big for Anon to completely drag down. But they did manage to slow it and make their presence heard - Paypal released the remaining funds in Wikileaks' account.

  35. Re:How could they not progress against a known thr by Anonymous Coward · · Score: 0
    http://en.wikipedia.org/wiki/Red_Queen's_Hypothesis

    For example, because every improvement in one species will lead to a selective advantage for that species, variation will normally continuously lead to increases in fitness in one species or another. However, since in general different species are co-evolving, improvement in one species implies that it will get a competitive advantage over the other species, and thus be able to capture a larger share of the resources available to all. This means that fitness increase in one evolutionary system will tend to lead to fitness decrease in another system. The only way that a species involved in a competition for resources can maintain its fitness relative to other competing species is by improving its specific fitness. (From Heylighen, 2000)

  36. 25 years going strong by chronoss2010 · · Score: 1

    what is that again? the fact is: A) never do it from that basement (um I don't live in one btw) B) know the tech to protect you....If you have been there 25 years I think you have a good idea.... C) Why worry about me when there are plenty a 4channers ya can stir up that can't do, understand or read A) or B) or care to. Let them do it. I still support what happened. Why would you want to grow up and be boring stiff and rigid and have no fun in life. IF you give up the other liberties are meaningless. IT'S why I berate some of the smarter pirates for not making a stand long time ago when it could have mattered. NOW look at them....their best come from 4chan.... girls you mean women have had my share and I had more of them when in fact I was more active in "the scene" etc.... GO FIGURE, just more propaganda. WHY? cause you need to read the abc's of it to realize you don't sit at home doing jack. THAT means OMG going out into the world...MIGHT mean the neighbor's phone line....etc.... I am not here to educate people....

  37. MOD PARENT UP by Spacezilla · · Score: 1

    Much better analogy than the others.

  38. AnonOps by Anonymous Coward · · Score: 1

    http://www.anonops.eu/

    We are Anonymous. We are Legion.
    We do not forgive. We do not forget.
    Expect us.

  39. Anonymous Spam :P by Anonymous Coward · · Score: 1

    http://www.anonops.info/
    http://www.anonops.eu/

    We are Anonymous. We are Legion.
    We do not forgive. We do not forget.
    Expect us.

    1. Re:Anonymous Spam :P by Anonymous Coward · · Score: 0

      u mad?

  40. Re:Treating Us Like... by TaoPhoenix · · Score: 1

    Now that we see it a parsec away, can we stop it? I was too naive the first time around to see round 1 coming.

    Unlike prior "scare excuses" this one doesn't have an end point. Notice this one is not "terrorists", but "treason" - a new verse in their song. Don't forget Copyright in the VP role for excuses to lock down the net. And yes, we have nice tasty locked down i-devices all ready in the wings.

    Thought Experiment:
    (Insert Applicable year) Can they ban Windows below Version 8 "as too dangerous in a post-Wikileaks world"?

    Also in Tinfoil Hat territory, I'm far from convinced that this isn't being orchestrated by the gov with the material being sacrificial. Remember the key articles early on "this material has been fed to newspapers months ahead and diplomats have been preparing for the release"? WAY too fishy.

    --
    My first Journal Entry ever, in 8 years! http://slashdot.org/journal/365947/aphelion-scifi-fantasy-horror-poetry-webzine
  41. if your system scales indefinitely.. by gl4ss · · Score: 1

    then you can fight it. not otherwise, since otherwise the attacker can always find more bots or willing supporters.

    or do a distributed GIVING of service, then when one node gets slashed it doesn't matter as much. that's though what clouds are supposed to be, in theory (in practice it's just shared hosting so not..)

    --
    world was created 5 seconds before this post as it is.
    1. Re:if your system scales indefinitely.. by bluefoxlucid · · Score: 1

      Yes, exactly this. Dealing with a DDOS is like dealing with snow. You make better snow tires and AWD... except mother nature is a cuntbitch and just dumps 40 times more snow on you.

  42. Re:Treating Us Like... by Anonymous+Brave+Guy · · Score: 1

    Now that we see it a parsec away, can we stop it?

    The trouble is, I want the authorities to take action as a result of this. The way that governments and financial services have been mocked by a relatively small number of people over the past few days is absurd, and it's long past time we had more secure and verifiable communications over the Internet in general. I just want the authorities to take the right actions.

    That is going to require expert guidance, because few people with the power to influence serious changes in this area have the necessary knowledge and understanding to make informed judgements by themselves. Unfortunately, I suspect the guidance the authorities actually take will be more political in nature, which is why I expect that lots of heat will be generated, but little light.

    --
    If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
  43. Re:Treating Us Like... by Nursie · · Score: 3, Interesting

    The proper action to stop future leaks is three-fold.

    1. Stop classifying anything and everything. Classified documents should be classified for a damn good reason.

    2. Stop behaving like arseholes and then expecting secrecy to protect you. There should be no reason for politicians to be embarrassed because they shouldn't be pulling this shit in the first place.

    3. Yes, improve security. But not without the other two steps, because then we'll just get better protection for corrupt ass-hattery.

  44. Re:How could they not progress against a known thr by Anonymous Coward · · Score: 0

    But they did manage to slow it and make their presence heard - Paypal released the remaining funds in Wikileaks' account.

    I fail to see any evidence of a causal connection there.

  45. Re:How could they not progress against a known thr by Alex+Belits · · Score: 1

    Which is bullshit because if species were capable of depleting resources enough to "compete for resources" with other species, they would still deplete those resources after taking other species' place, and then will be extinct.

    Species compete in ability to survive and reproduce, not in ability to leave scorched earth behind them.

    --
    Contrary to the popular belief, there indeed is no God.
  46. Re:Treating Us Like... by Anonymous+Brave+Guy · · Score: 1

    I would suggest that there is a fourth essential point, which is to introduce enough credible oversight of genuinely classified materials that massive leaks aren't necessary to expose corruption in the first place. I'm all for keeping governments on the straight and narrow, but it simply shouldn't be necessary for organisations like Wikileaks to do it, regardless of the legal and ethical issues with their behaviour.

    --
    If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
  47. Method to block DOS attacks. by John+Sokol · · Score: 1

    I wrote this back in 2001, and it's still relevant!
    http://www.dnull.com/dos/DOS-Block.htm

    Running through something like a Citrix Netscaler helps filter out much if your lines aren't overwhelmed.
    http://www.citrix.com/English/ps2/products/product.asp?contentID=21679

    There are a few other companies that seem to have a solution, but this really looks more like a CDN with enough capacity and some filters to ride out whatever attack could be launched at them.

    http://www.prolexic.com/index.php/why-prolexic/ddos-mitigation-services/
    http://www.arbornetworks.com/stop-ddos-attacks.html

    --
    I am always doing that which I can not do, in order that I may learn how to do it. - Pablo Picasso
  48. So... what happened to Slashdot? by MorpheousMarty · · Score: 1

    Where are the comments on how DDOS could be defended against? I come to Slashdot for technical insight, I already have Reddit if I want the armchair commentary on the political/social situation.

    1. Re:So... what happened to Slashdot? by haus · · Score: 1

      Given 150+ posts, that no one has mentioned Arbor Networks, a company whose primary purpose for being is preventing DDoS, seems somewhat odd to me. Perhaps they need to get their PR folks working a bit harder.....

  49. Re:Treating Us Like... by Anonymous Coward · · Score: 0

    Wow... your 'point three' already contains the reason they WILL go with only point 3, and not the first two.

  50. More like a parking lot filled with stolen cars. by Khopesh · · Score: 1

    A number of sources have begun describing DDOS attacks not as cyber-attacks but rather as digital sit-ins that are completely legal. A DDOS (Note the Distributed) is basically a ton of people visiting the site at once so that others can't. In essence, the unknowing visitor to mastercard.com is also contributing to the DDOS by merely visiting the already flooded site (albeit in a small way) just as an unknowing visitor to a bank is contributing to a sit-in by disrupting the flow of work.

    A DDoS is more akin to a mall's overstuffed parking lot filled with protesters intent on preventing customers from accessing the mall. Same as a sit-in, right? Not once you note that the cars are all stolen and parked in a manner suited to consume spaces rather than maximize capacity. Many of the spaces are filled by large trucks. The trucks can be turned away at the gate and the egregiously parked can be towed/fined, but otherwise, the plates have to be run to determine which cars are stolen. Moving to the digital analogy, each of these is extremely hard, with the last of them being (currently) impossible.

    Another analogy: this is a ticketed line at the deli (the red "take a ticket" device). A few people come by every few seconds and grab tickets until shooed away by the butcher. "Now serving" number 005. Your ticket is number 712. Are you going to wait? The analogy falls apart because the butcher is a human and smart enough to skip ahead rapidly as well as call the police to arrest the miscreants for trespassing. There is no digital equivalent, which is in fact the problem. The online version would be based on statistical analysis and wouldn't work very well, most akin to ... discrimination (racial profiling, "those damn kids," etc).

    Ultimately, the question isn't "has progress been made" to stop DDOS attacks, but SHOULD there be progress to stop them? Sounds like an easy question to answer but in the case of freedom of expression, it makes the waters a bit more muddied.

    This is a freedom of expression issue in the opposite manner; the attackers are suppressing the ability of everybody else to express themselves. That's more akin to "the squeaky wheel gets the grease" and ballot-stuffing. Nobody says the attackers can't say something and be heard. Like terrorists and children throwing temper tantrums, they are forbidden from amplifying their impact with attacks and other disruptive behavior.

    We've been lucky so far that Anonymous has been sensible about their choice of targets, but even if that specific group can continue to show such admirable restraint, other groups might notice the impact it can have and any tolerance granted to it. Escalation is bound to happen. It is time to take action.

    --
    Use my userscript to add story images to Slashdot. There's no going back.
  51. You can secure DNS all you want by initialE · · Score: 1

    It is still vulnerable to the whims of the US government, and they have shown that they are no longer taking a hands-off approach.

    --
    Starbucks, Harbuckle of Breath.
    1. Re:You can secure DNS all you want by badkarmadayaccount · · Score: 1

      The Man doesn't own all of DNS - ccTLDs anyone? Nor do they have jurisdiction over anything not on their territory. They may as well revert to guerrilla warfare, if, say WikiLeaks relocates to Iceland, or better - private island. Oh, and all those soldiers marching to the base - napalm them, live on the web, with audio. Or an anti-nuclear bunker...

      --
      I know tobacco is bad for you, so I smoke weed with crack.
  52. That's just it though: DDoS is very detectable by Anonymous Coward · · Score: 0

    "A DDoS against a webserver ISNT detectable, because it technically IS legitimate traffic." - by LordLimecat (1103839) on Monday December 13, @10:24AM (#34534350)

    Per my subject-line: If you see a flood of 1,000's of attempted connections coming from a certain IP address(es), especially non-internet routable ones (for return TCP communication - see list below), you can tell!

    Tools such as using the netstat -an command in Windows (or GUI tools like TcpView by Dr. Mark Russinovich for example) can show you this much fairly easily...

    So, when webserver/site stops responding due to so many connections (that are routed to NON-INTERNET ROUTABLE RETURN SOURCE ADDRESSES especially for return TCP communique)? You pretty much KNOW it's a DoS/DDoS attack!

    That's HOW a truly powerful & effective DDoS/DoS really works!

    I.E./E.G. -> It tells your IP stack that the transmissions for TCP communication are coming from a NON-INTERNET ROUTEABLE RETURN IP ADDRESS (which drives the IP stack nuts), such as:

    10.0.0.0 - 10.255.255.255
    172.16.0.0 - 172.31.255.255
    192.168.0.0 - 192.168.255.255

    It's NOT just the amount of connections (iirc, Apache for example, is set, by default, to handle 1024 connections max... you can raise it though IF you have the RAM etc. resources), it's where they are allegedly telling you they are coming from, and non-routable IP addresses make this a nightmare for YOU, and your OS' IP stack (though MS has added registry settings that "drop" connections of that nature, especially when you CANNOT get a TCP return response handshake to occur).

    (And, that's when you block them out at your perimeter firewall/router, if not in software firewalls also, and from where they are actually coming from (unless they are non-routeable IP Addresses that is), IF POSSIBLE. You keep doing it until the attack is nullified/abated (if possible, because with enough attackers, you'll be doing it all day long though)).

    APK

    P.S.=> Sure, /. itself has made sites go "belly-up" before too, by sending SO many folks at the site being "/.'d" it too can do ALMOST the same (except you can ID the connections as coming from actual ROUTABLE-TO-INTERNET IP addresses - THIS is the difference you can use in spotting what's legit, & what's not)... apk
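
The check described in the comment above (tally connections per source from `netstat -an` output and look for sources in the three private ranges it lists), as an added example that is not part of the original post. The sample output, the function names and the `per_ip_limit` threshold are constructed for illustration.

```python
import ipaddress
from collections import Counter

# The three private ranges listed in the comment above (RFC 1918).
PRIVATE_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
HALF_OPEN = {"SYN_RECEIVED", "SYN_RECV"}  # Windows / Linux state names

# Constructed sample in the Windows `netstat -an` layout; not captured data.
SAMPLE = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    198.51.100.10:80       10.4.4.4:1025          SYN_RECEIVED
  TCP    198.51.100.10:80       10.4.4.4:1026          SYN_RECEIVED
  TCP    198.51.100.10:80       172.20.1.9:4000        SYN_RECEIVED
  TCP    198.51.100.10:80       192.168.7.7:4001       SYN_RECEIVED
  TCP    198.51.100.10:80       203.0.113.5:50001      ESTABLISHED
  TCP    198.51.100.10:80       203.0.113.5:50002      ESTABLISHED
  TCP    198.51.100.10:80       203.0.113.5:50003      ESTABLISHED
  TCP    198.51.100.10:80       203.0.113.77:50100     TIME_WAIT
  TCP    198.51.100.10:3389     203.0.113.9:50200      ESTABLISHED
  TCP    [::]:80                [::]:0                 LISTENING
  UDP    0.0.0.0:123            *:*
"""


def split_endpoint(endpoint):
    """'1.2.3.4:80' or '[::1]:80' -> (host, port) as strings."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]"), port


def parse_netstat(text, server_port):
    """Yield (remote_ip, state) for TCP connections to server_port."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 4 or not fields[0].upper().startswith("TCP"):
            continue  # header, UDP rows, blank lines
        _proto, local, remote, state = fields
        if state == "LISTENING" or split_endpoint(local)[1] != str(server_port):
            continue
        try:
            ip = ipaddress.ip_address(split_endpoint(remote)[0])
        except ValueError:
            continue  # unparsable address: skip rather than guess
        yield ip, state


def triage(text, server_port=80, per_ip_limit=3):
    """Summarise connections to server_port by source address and state."""
    per_ip, half_open, private = Counter(), 0, set()
    for ip, state in parse_netstat(text, server_port):
        per_ip[ip] += 1
        half_open += state in HALF_OPEN
        if any(ip in net for net in PRIVATE_NETS):
            private.add(ip)
    return {
        "total": sum(per_ip.values()),
        "half_open": half_open,
        "private_sources": sorted(str(ip) for ip in private),
        "noisy_sources": sorted(str(ip) for ip, n in per_ip.items()
                                if n >= per_ip_limit),
    }
```

On a host that sits behind NAT or a load balancer, private source addresses are normal, so the `private_sources` flag only carries meaning on an Internet-facing interface.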

  53. Re:DDOS = Digital Sit-in = Illegal by badkarmadayaccount · · Score: 1

    So what, just escort me out (drop my packets), and it's all good. Now, on how exactly to drop them, well, that's not my problem.

    --
    I know tobacco is bad for you, so I smoke weed with crack.