Slashdot Mirror


Ask Slashdot: What Should We Do About the DDoS Problem?

An anonymous reader writes: Distributed denial of service attacks have become a big problem. The internet protocol is designed to treat unlimited amounts of unsolicited traffic identically to important traffic from real users. While it's true DDoS attacks can be made harder by fixing traffic amplification exploits (including botnets), and smarter service front ends, there really doesn't seem to be any long term solution in the works. Does anyone know of any plans to actually try and fix the problem?


  1. you need to kill the botnets by new death barbie · Score: 5, Insightful

    DDoS attacks are only possible because of the ready availability of huge networks of compromised computers. Fix that, and the world becomes a better place.

    Also, this peace on earth thing has been a while coming, you might want to take a look at that, too.

    And flying cars.

    --

    It's supposed to be completely automatic, but actually you have to press this button.

    1. Re:you need to kill the botnets by Anonymous Coward · Score: 2, Insightful

      You can only kill the malware that is behind these DDoS's by completely eliminating security flaws in software.

      Tricking a user into running an application, like so many of the web popups do, does not exploit a security flaw.

  2. Social Problem by bill_mcgonigle · Score: 5, Insightful

    The internet protocol is designed to treat unlimited amounts of unsolicited traffic identically to important traffic from real users

    It's a packet-switched network, so for anything else to be true, somebody along the line somewhere has to make that decision. But only you can make that decision when it hits your gear (and you could prioritize there, at your expense).

    What the Internet lacks is a reliable social scheme for managing problems. One could imagine a guild of operators and paths of trust where a member could send a signed shutdown message through the network to known-offenders, putting his reputation on the line with every such action, per the review of the end-connection provider.

    But network engineers tend to not want to socialize with each other or extend trust. Protecting the downside at the expense of the upside is a very common human foible - it kept our ancestors from being eaten.

    --
    My God, it's Full of Source!
    OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
  3. Re:BCP38 by PlainWhiteTrash · Score: 5, Insightful

    BCP38 is a fantastic idea. Being in a position in which I serve as a consultant to many indie-ISPs' network administrators on a frequent basis, I strongly encourage sane enforcement of source IP data at ingress-toward-the-ISP from customer-facing links. Many of my clients implement this. The trouble is, it doesn't help with many modern DDoS's. It certainly helps with the common traffic-amplification attack types, but many distributed bot-net based attacks now directly attack the target service by impersonation of legitimate client implementations. This will do nothing for those. The server side will see the many thousands or more of IPs that are attacking them, and see them correctly, but the trouble is, there are way too many to manage and they look like legit clients. Complicating things, it's likely that many of the infected machines ARE also LEGIT customers / clients. Implementing BCP38 is and will remain a good thing. But as DDoS strategies evolve, and upload speeds on consumer links increase in terms of throughput, this strategy will not be a long term solution to many categories of DDoS.
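
The distinction drawn in the BCP38 comment above, as an added example that is not part of the original thread: a source-address check of the kind BCP38 describes, applied at customer-facing ports to constructed packets. The port names, prefixes (RFC 5737 documentation ranges) and packet list are assumptions made for illustration.

```python
import ipaddress

# Constructed example: prefixes an ISP has assigned on each customer-facing port.
CUSTOMER_PREFIXES = {
    "cust-a": [ipaddress.ip_network("192.0.2.0/25")],
    "cust-b": [ipaddress.ip_network("192.0.2.128/25")],
}


def ingress_permit(port, src):
    """BCP38-style check: accept a packet only if its source address lies
    inside a prefix assigned to the customer port it arrived on."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in CUSTOMER_PREFIXES.get(port, []))


# Constructed sample traffic: (arrival port, source IP, description).
PACKETS = [
    ("cust-a", "192.0.2.10", "normal customer traffic"),
    ("cust-a", "198.51.100.7", "forged source (reflection trigger)"),
    ("cust-b", "192.0.2.200", "infected host flooding with its real address"),
    ("cust-b", "203.0.113.9", "forged source (reflection trigger)"),
    ("cust-b", "192.0.2.201", "infected host flooding with its real address"),
]


def filter_traffic(packets):
    """Return (forwarded, dropped) lists after applying the ingress check."""
    forwarded, dropped = [], []
    for port, src, note in packets:
        bucket = forwarded if ingress_permit(port, src) else dropped
        bucket.append((port, src, note))
    return forwarded, dropped


if __name__ == "__main__":
    fwd, drop = filter_traffic(PACKETS)
    for p in drop:
        print("DROP   ", *p)
    for p in fwd:
        print("FORWARD", *p)
```

Only the forged-source packets are dropped; the flood from infected hosts using their own assigned addresses passes the filter and has to be handled by other means.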

  4. Re:Carriers by AK Marc · Score: 3, Insightful

    Wrong answer. What can the carrier do to block the sending of DDoS, not keep up customers being DDoS'd? Customers participating in DDoS attacks should be disconnected. Anything else is negligence by the carriers. But ISPs make more money leaving them on and defending from attacks, rather than stopping the attacks. It's criminal, and should be treated as such.

  5. Laws, yeah, right by billstewart · Score: 1, Insightful

    Too many lawmakers are doing well to understand that the Internet is a Series of Tubes with cat pictures and pirated music on it, and too many of the ones who have some technical clue understand it deeply enough to make meaningful, implementable laws. Remember the CAN-SPAM law a few years ago, that was going to save us from spam? We can't even get the NSA to find Rachel from Cardholder Services.

    Nobody in the comments you're replying to was defending the people launching DDOS attacks from their PC. A DDOS attack is a Distributed Denial of Service; typically it has thousands or millions of infected machines each doing a bit of the attack, and you're not going to detect them all without doing Deep Packet Inspection on all the traffic, which isn't economically or technically feasible and would cause huge political controversy if it were.

    --

    Bill Stewart
    New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks