Slashdot Mirror


Chrome Feature Helps Shield Websites From DDoS Attacks

An anonymous reader writes "Google has an interesting idea on how to take the edge off denial of service attacks. The latest developer builds of Chrome 12 have an option called 'http throttling,' which will simply deny a user access to a website once the browser has received error messages from the URL. Chrome will react with a 'back-off interval' that will increase the time between requests to the website. If there are enough Chrome requests flooding a website under attack, this could give webmasters some room to recover from a nasty DDoS attack."

21 of 86 comments

  1. Well... by The MAZZTer · · Score: 4, Informative

    This is just to prevent ACCIDENTAL DoSing. You can turn it off with a command line switch, or simply use another browser or a dedicated DoSing tool.

    1. Re:Well... by icebike · · Score: 5, Insightful

      At best it might help with slashdotted sites.

      It does nothing for those sites under a true DOS attack, other than denying legitimate requests so that the DOS attack can continue unimpeded without those pesky legitimate requests sneaking through.

      --
      Sig Battery depleted. Reverting to safe mode.
    2. Re:Well... by alta · · Score: 2

      He's right... originally there was no way to turn it off until web developers bitched, me included, about how it's slowing down development. The problem was, as a developer I may reload a page often, or make a tweak, reload, etc. Waiting for this to clear was a bitch, so they put in the command line switch for us.

      You'd be surprised when tweaking code or css how often you reload a page.

      --
      Do not meddle in the affairs of sysadmins, for they are subtle, and quick to anger.
    3. Re:Well... by postbigbang · · Score: 2

      It's meaningless. Browsers don't really participate in DDoS attacks; the attacks come from software that uses DNS reflection techniques to saturate TCP and other socket connections until load balancers fail, the servers are saturated, and everything has to time-out.

      Protections really don't involve browser back-offs, they relate to parsing source address data, then filtering those out so genuine traffic gets through, rather than traffic that saturates the sockets.

      --
      ---- Teach Peace. It's Cheaper Than War.
  2. Who DDoSes with a browser? by gman003 · · Score: 4, Insightful

    Since dedicated DDoS programs like LOIC are readily available, nobody performs actual DDoS attacks with a browser. Hell, ping floods are more effective than a bunch of people pressing refresh too often.

    Now, this might reduce the Slashdot Effect, but not a DDoS.

    1. Re:Who DDoSes with a browser? by h4rr4r · · Score: 4, Interesting

      Judging by the amount of sites slashdot still manages to take down, I disagree. Lots of unintentional DDoS still happening these days.

  3. "Don't Be Evil" Redux by dmmiller2k · · Score: 2

    Finally, some positive news about Google. Let's see how they muck it up now.

    --
    "No matter how cynical you get, it is impossible to keep up." -- Lily Tomlin

    1. Re:"Don't Be Evil" Redux by blair1q · · Score: 2

      The web server is way too high up the stack, and having it do the work is how the DDoS wants to hamstring you anyway.

      I was thinking that it should be distributed.

      See, in order to block incoming traffic, you have to accept the connection at the lower layers so you can decode it to determine that it's from the offending IP address. DoS long ago devolved to just doing SYN floods, since it's impossible to stop a SYN because you don't look at its contents before it's tied up your hardware almost as much as it can. A few thousand of those per second and you're not doing any business with anyone.

      So you tell your router block(src, dest). But that just makes your router the bottleneck. You need to push it out to all the routers that feed your router, and so on.

      And you need to do it for all the src addresses.

      So, in a world where all routers can handle blocks of this sort, the blocks propagate outward to the nodes and it's their routers blocking any traffic to your dest address, and the D in DDoS is no longer a problem.

  4. Just a small part of the problem by Drakkenmensch · · Score: 2

    Do botnets even use browser attacks anymore? I was under the impression that most of these attacks were done with direct PING requests.

    1. Re:Just a small part of the problem by BitZtream · · Score: 4, Informative

      No, you don't use ICMP echo requests (and most other forms of ICMP), it's too easy to filter upstream since it can safely be ruled out of the normal flow of traffic.

      While many ICMP packets are indeed useful and blocking ICMP in general is a really retarded thing that some less than clueful people like to do on firewalls (seen often here on slashdot) it will in general not screw proper traffic up too much if you block ICMP echo requests/replies upstream during a DDoS.

      If you want to do a proper DDoS, you have to make the traffic look like legitimate traffic so it's indistinguishable from traffic the site actually wants so they can't easily block it.

      If you just try to ping -f me, I'll just call my upstream and tell them what's going on and ask them to drop it upstream to my address space until further notice.

      UDP DNS queries are a good one to use as they can be spoofed and are pretty much impossible to block to a legitimate DNS server. TCP based connections like an HTTP request are more effective in the sense of the amount of traffic generated but are effectively unspoofable if you want to actually do more than a SYN flood. If you can't spoof them then you become traceable and can be blocked since you're going to come from a specific address for each request, which can then be filtered, even if it's a DDoS. Building a table of IPs to blackhole doesn't take long in most cases and can be pretty effective assuming your upstream firewalls/routers can handle the size of the blacklist, which may not be all that easy depending on the size and load of your upstream routers, but still far easier than dealing with a flood of legitimate looking UDP packets.

      I haven't seen an effective ping flood since 1998-99 on anything but some little tiny sites that simply don't know what they are doing.

      --
      Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager
  5. As a Haxx0r, this worries me by gazbo · · Score: 4, Funny

    When I launch DDoS attacks, I always VNC into my 300,000 zombies, load Chrome, and type the target's address into the URL bar of each one. This new feature will cripple me :(((((((

    On an unrelated note, I must remember to buy a replacement for my worn-out F5 key.

    1. Re:As a Haxx0r, this worries me by h4rr4r · · Score: 2

      Do what I do, once F5 wears out map it to other F-keys. That way you can use up all 12 of them before you have to get another keyboard.

    2. Re:As a Haxx0r, this worries me by nedlohs · · Score: 3, Funny

      But how will I view the help?

  6. Re:WTF? by $RANDOMLUSER · · Score: 2

    What are you talking about? I always do my DDoS attacks by repeatedly clicking the "reload" button on my browser. You never know when those GIFs in the browser cache are going to change.

    --
    No folly is more costly than the folly of intolerant idealism. - Winston Churchill
  7. This is similar to what I do. by blair1q · · Score: 5, Insightful

    I have an interesting way to stop muggers. I just don't mug anyone.

    Wait...

  8. So, when someone nuclear bombs a website... by webbiedave · · Score: 4, Funny

    ... Chrome promises to throw less stones?

  9. Re:Great idea, but by Corse32 · · Score: 2

    When you're trying to fix a 500 error caused by a script? Are you already getting this problem? I hadn't noticed anything when testing with Chrome...

  10. Re:pointless and frustrating by ses4j · · Score: 3, Informative

    Here is the chromium issue, which was quite trafficy:

    Issue 66062: ERR_TEMPORARILY_THROTTLED makes web development difficult

    http://code.google.com/p/chromium/issues/detail?id=66062
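    The summary's "back-off interval" and the ERR_TEMPORARILY_THROTTLED error in the issue above describe a per-host throttle that grows the wait after repeated server errors and resets on success. The model below is an added illustration, not Chromium's code: the constants, the `HostThrottle` class and the `simulate()` driver are all assumptions, chosen only to show why a fleet of reloading clients backs off a failing site and snaps back once it answers again.

```python
"""Toy model of a per-host HTTP back-off throttle (constructed; constants are assumed, not Chromium's)."""
import random
import time

INITIAL_BACKOFF = 0.7     # seconds before the first throttled retry (assumed)
MULTIPLIER = 1.4          # growth factor per further server error (assumed)
MAX_BACKOFF = 15 * 60     # cap on the back-off interval in seconds (assumed)
ERRORS_TOLERATED = 2      # 5xx answers allowed before throttling starts (assumed)
JITTER = 0.4              # fraction of the interval randomised away (assumed)


class HostThrottle:
    """Tracks server errors for one host and decides when the next request may go out."""

    def __init__(self, now=time.monotonic, rng=random.random):
        self.now = now            # injectable clock so the model is testable
        self.rng = rng            # injectable randomness for the jitter
        self.errors = 0           # consecutive 5xx responses seen so far
        self.release_time = 0.0   # requests are held back until this time

    def allowed(self):
        """True if a request may go out now; otherwise the client reports a throttled error."""
        return self.now() >= self.release_time

    def record(self, status):
        """Feed back the HTTP status of a completed request."""
        if status < 500:
            self.errors = 0          # any non-5xx answer clears the back-off
            self.release_time = 0.0
            return
        self.errors += 1
        if self.errors <= ERRORS_TOLERATED:
            return                   # a couple of errors are not yet a reason to throttle
        n = self.errors - ERRORS_TOLERATED - 1
        delay = min(INITIAL_BACKOFF * MULTIPLIER ** n, MAX_BACKOFF)
        delay *= 1.0 - JITTER * self.rng()   # spread retries out across many clients
        self.release_time = self.now() + delay


def simulate(server, ticks, rng=lambda: 0.0):
    """Drive a client that wants to reload once per second for `ticks` seconds against
    `server` (tick -> HTTP status) and return the ticks at which a request actually
    reached the server. Jitter is disabled by default so the result is deterministic."""
    clock = [0.0]
    throttle = HostThrottle(now=lambda: clock[0], rng=rng)
    sent = []
    for t in range(ticks):
        clock[0] = float(t)
        if throttle.allowed():
            sent.append(t)
            throttle.record(server(t))
    return sent
```

    With a server that answers 503 for a minute, the modelled client gets through only 13 times instead of 60; once the server returns 200 the throttle resets and the client reloads every second again.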

  11. !Woot by metiscus · · Score: 2

    This is going to make it that much harder to get a bag of crap off of woot.

  12. Re:DOS maybe, but won't help for DDOS by sorak · · Score: 2

    Many people run Chrome, right? It might not make much of a difference if a small percentage of a website's users are running Chrome but I wouldn't be surprised to see the other major browsers implement something similar.

    I was thinking something similar. If Google could somehow convince Joe Sixpack that Firefox and IE are missing some valuable DDoS protection feature, then it would eventually be added to other browsers.

  13. This Common Sense Idea... by Nom du Keyboard · · Score: 2

    This common sense idea brought to you by someone who runs a popular website and builds a browser.

    --
    "It's the height of ridiculousness to say for those 9 lines you get hundreds of millions."