Slashdot Mirror


Ask Slashdot: What Should We Do About the DDoS Problem?

An anonymous reader writes: Distributed denial of service attacks have become a big problem. The internet protocol is designed to treat unlimited amounts of unsolicited traffic identically to important traffic from real users. While it's true DDoS attacks can be made harder by fixing traffic amplification exploits (including botnets), and smarter service front ends, there really doesn't seem to be any long term solution in the works. Does anyone know of any plans to actually try and fix the problem?

5 of 312 comments

  1. BCP38 by falzbro · Score: 5, Informative

    https://tools.ietf.org/html/bcp38

    1. Re:BCP38 by Zocalo · Score: 4, Informative

      If I read the GP's post correctly they were not suggesting that the backbone ISPs implement BCP38, but that they don't peer with edge ISPs that don't implement it.

      The place to implement BCP38 is definitely as close to the edge of the network as possible, long before it gets near the core of an ISP's network, let alone starts hitting up their BGP peers; ideally on the CPE, but failing that on the first capable router on the ISP's network. Why more SoHo routers don't implement at least partial BCP38 by default has always baffled me; they usually have *one* network, seldom more than two, and often just a single IP on the LAN side, with the entire rest of the internet on the other - how hard can it be to correctly block spoofed packets by default? That still leaves networks with their own IP allocation that are multi-homing with multiple upstream ISPs, but if someone is that big/technically inclined then they ought to be able to implement BCP38 themselves (I do this at my SoHo), work with their ISPs to sort out the config on their upstream routers, or just man up, do their own BGP and effectively act as an ISP.

      --
      UNIX? They're not even circumcised! Savages!
  2. Re:Carriers by lavaboy · Score: 5, Informative

    I work for a carrier. Together with companies like Arbor Networks, we already have systems in place that can mitigate most volumetric attacks, and many more intelligent attacks. Unfortunately, it's not cheap. Customers have to be willing to implement (and pay for) the protection services that most serious ISPs already offer as options on their IP traffic products. Keywords for your search are Pravail and PeakFlow.

    --
    Steve -- If you have to call it a system, you don't know what it is.
  3. The "NO CARRIER" joke by Anonymous Coward · Score: 5, Informative

    ET$)##515E@[NO CARRIER]

    For the younger /. readers out there: this is an old joke that dates back to the days when we used to have to use actual telephone modems to connect to the Internet.

    Noise on a phone line could produce garbage characters, and if you weren't using an error-correcting protocol the garbage could show up as if you had typed it. If you were using a "dumb terminal" directly with a modem, whatever the modem received would be printed. And, a modem might actually return the string [NO CARRIER] to your terminal when a connection dropped. (If you were using a computer and an Internet routing protocol like SLIP or PPP, the checksums would be unlikely to be correct in the face of the garbage. Neither the "line noise" garbage characters nor the [NO CARRIER] string would appear in that case.)

    So, this joke implies a catastrophic event that first causes noise on the line and then disconnects the line. Now you know, and knowing is half the battle!

    P.S. Any resemblance of the "line noise" string to Perl code is purely a coincidence.

  4. Re:Here's One Idea: by m.dillon · Score: 4, Informative

    Unfortunately all this will accomplish is that you will lock yourself out of legitimate sites, because a lot of the DDOSing out there uses spoofed IP addresses. So now all the DDOSer has to do is spoof, say, google.com's primary IPs and you lock yourself out of google when you block the IPs.

    Until network providers start validating source IPs from their non-transit customers and require their transit customers to validate source IPs for non-transit packets, there's basically no solution that will work.

    -Matt
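
Both the BCP38 reply above and Matt's point about validating source IPs from non-transit customers come down to the same check at the edge: a packet is only allowed out if its source address belongs to a prefix assigned to the interface it arrived on. The Python below is an added illustration, not code from either commenter or from any router vendor; the interface names, prefixes and flow records are constructed.

```python
"""BCP38 source-address validation at the customer edge (added example,
not code from either comment or from any router vendor).  A router knows
which prefixes sit behind each LAN-facing interface; a packet arriving
there with a source outside them is spoofed and must not reach the ISP.
Interface table and flow records below are constructed for illustration."""
import ipaddress
from collections import Counter

# Hypothetical interface -> prefixes legitimately sourced behind it.
# A multi-homed site simply lists every prefix it holds per interface.
INTERFACE_PREFIXES = {
    "lan0": [ipaddress.ip_network("192.0.2.0/24")],
    "lan1": [ipaddress.ip_network("198.51.100.0/25"),
             ipaddress.ip_network("2001:db8:1::/48")],
}

def source_is_valid(ingress, src, table=INTERFACE_PREFIXES):
    """BCP38 check for one packet; fails closed on unknown interface,
    unparsable address, or a source outside every prefix on it."""
    prefixes = table.get(ingress)
    if not prefixes:
        return False
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False
    # A v4 source tested against a v6 prefix is simply 'not contained'.
    return any(addr in net for net in prefixes)

def audit_flows(lines, table=INTERFACE_PREFIXES):
    """Parse 'iface src dst pkts' flow records; return spoofed packets
    per source, to verify the edge filter before an ISP relies on it."""
    spoofed = Counter()
    for line in lines:
        fields = line.split()
        if len(fields) != 4:
            continue                     # malformed record, skip it
        iface, src, _dst, pkts = fields
        if not source_is_valid(iface, src, table):
            spoofed[src] += int(pkts)
    return spoofed

SAMPLE_FLOWS = [                         # constructed: iface src dst pkts
    "lan0 192.0.2.10 203.0.113.5 120",       # legitimate
    "lan0 203.0.113.77 203.0.113.5 9000",    # forged source (reflection victim)
    "lan1 2001:db8:1::42 2001:db8:9::1 40",  # legitimate IPv6
    "lan1 10.0.0.9 203.0.113.5 15",          # RFC 1918 address leaking out
    "wan0 192.0.2.10 203.0.113.5 3",         # not a LAN-side interface
]
```

Running `audit_flows(SAMPLE_FLOWS)` reports the forged 203.0.113.77 source with 9000 packets, the RFC 1918 leak, and the packet on the unknown interface, while both legitimate flows pass.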