Chrome Feature Helps Shield Websites From DDoS Attacks
An anonymous reader writes "Google has an interesting idea on how to take the edge off denial of service attacks. The latest developer builds of Chrome 12 have an option called 'http throttling,' which will simply deny a user access to a website once the browser has received error messages from the URL. Chrome will react with a 'back-off interval' that will increase the time between requests to the website. If there are enough Chrome requests flooding a website under attack, this could give webmasters some room to recover from a nasty DDoS attack."
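A minimal model of the back-off behaviour the summary describes, added here as an illustration and not Chrome's actual throttling code: per-host state that lengthens the back-off interval on each server error and rejects further requests locally until it expires. The parameter values (1 s initial delay, doubling, 60 s cap) and the choice to count only 5xx responses as errors are assumptions.

```python
class HostThrottle:
    """Client-side back-off state for one host (illustrative model, not Chrome's code)."""

    def __init__(self, initial=1.0, multiplier=2.0, max_delay=60.0):
        self.initial = initial          # assumed first back-off interval, seconds
        self.multiplier = multiplier    # assumed growth factor per consecutive error
        self.max_delay = max_delay      # assumed cap so a host is never locked out for long
        self.failures = 0               # consecutive server errors seen so far
        self.release_time = 0.0         # earliest time a new request may go out

    def backoff_delay(self):
        """Current back-off interval: grows geometrically with consecutive errors."""
        if self.failures == 0:
            return 0.0
        return min(self.initial * self.multiplier ** (self.failures - 1), self.max_delay)

    def should_reject(self, now):
        """True while the host is still inside its back-off window (ERR_TEMPORARILY_THROTTLED)."""
        return now < self.release_time

    def on_response(self, status, now):
        """Update state from a reply that actually reached the server."""
        if 500 <= status <= 599:        # assumption: only server errors trigger back-off
            self.failures += 1
            self.release_time = now + self.backoff_delay()
        else:                           # any successful reply clears the back-off
            self.failures = 0
            self.release_time = 0.0


def replay(statuses, interval=0.5):
    """Replay a client that tries one host every `interval` seconds.

    `statuses` is a constructed sequence of server replies, consumed one per
    request that is actually sent. Returns (requests sent, requests throttled
    locally, back-off intervals applied) so the damping effect is measurable.
    """
    throttle = HostThrottle()
    pending = list(statuses)
    sent = throttled = 0
    delays = []
    t = 0.0
    while pending:
        if throttle.should_reject(t):
            throttled += 1
        else:
            status = pending.pop(0)
            sent += 1
            throttle.on_response(status, t)
            if throttle.failures:
                delays.append(throttle.backoff_delay())
        t += interval
    return sent, throttled, delays
```

With five consecutive 503 replies followed by a 200, the client makes 63 attempts but only 6 reach the server; the rest are absorbed locally by the growing back-off window.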
This is just to prevent ACCIDENTAL DoSing. You can turn it off with a command line switch, or simply use another browser or a dedicated DoSing tool.
Here is the Chromium issue, which was quite trafficky:
Issue 66062: ERR_TEMPORARILY_THROTTLED makes web development difficult
http://code.google.com/p/chromium/issues/detail?id=66062
No, you don't use ICMP echo requests (and most other forms of ICMP), it's too easy to filter upstream since it can safely be ruled out of the normal flow of traffic.
While many ICMP packets are indeed useful and blocking ICMP in general is a really retarded thing that some less than clueful people like to do on firewalls (seen often here on slashdot) it will in general not screw proper traffic up too much if you block ICMP echo requests/replies upstream during a DDoS.
If you want to do a proper DDoS, you have to make the traffic look like legitimate traffic so it's indistinguishable from traffic the site actually wants so they can't easily block it.
If you just try to ping -f me, I'll just call my upstream and tell them what's going on and ask them to drop it upstream to my address space until further notice.
UDP DNS queries are a good one to use as they can be spoofed and are pretty much impossible to block to a legitimate DNS server. TCP based connections like an HTTP request are more effective in the sense of the amount of traffic generated but are effectively unspoofable if you want to actually do more than a SYN flood. If you can't spoof them then you become traceable and can be blocked since you're going to come from a specific address for each request, which can then be filtered, even if it's a DDoS. Building a table of IPs to blackhole doesn't take long in most cases and can be pretty effective assuming your upstream firewalls/routers can handle the size of the blacklist, which may not be all that easy depending on the size and load of your upstream routers, but still far easier than dealing with a flood of legitimate looking UDP packets.
I haven't seen an effective ping flood since 1998-99 on anything but some little tiny sites that simply don't know what they are doing.
Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager