Ask Slashdot: What Should We Do About the DDoS Problem?

An anonymous reader writes: Distributed denial of service attacks have become a big problem. The internet protocol is designed to treat unlimited amounts of unsolicited traffic identically to important traffic from real users. While it's true DDoS attacks can be made harder by fixing traffic amplification exploits (including botnets), and smarter service front ends, there really doesn't seem to be any long term solution in the works. Does anyone know of any plans to actually try and fix the problem?

Re:you need to kill the botnets

[kdub007]

You can only kill the malware that is behind these DDoS's by completely eliminating security flaws in software. That is not reasonable to expect. Hell, even the NCC-1701-D (Starship Enterprise) got viruses. If they can't even fix this problem by the 24th century, I don't see how we can expect to fix it now. As long as there are people looking for exploits, the problem will exist.

ISP idiocy

[NorthWay]

So I attended a local security talk a couple of months back and there I asked a security expert from my ISP (Telenor - Norway) if they blocked outgoing packets with source IP address differing from the real sender address.

"No" he said.

WTF? I am sure there is some legitimate reason for being able to send such a packet, but I can't think of any, and the contract should be amended to say "no spoofed source address unless agreed upon".
Sending spoof packets should make the ISP auto-throttle them if not just black-hole.

Here's One Idea:

[sea4ever]

I've actually thought about this and come up with the following TCP extension:

Routers all maintain a reasonably sized set of source/destination/timer triplets. If a packet comes in from 'source' and is headed to 'destination', drop it. When 'timer' expires, drop that rule.

A special new "Add rule 'source,destination,timer'' packet is added, to be sent to a router. This causes the router to initiate a 3-way handshake with 'destination' to confirm that they requested the new rule, and if so, they add the rule to their table and set the expiration timer.

The idea is simple: If you're being DDoS'd, you don't have much bandwidth, but you always have bandwidth available between you and the first router, so you can always send them special packets telling the first hop router to drop all packets that you suppose are malicious, with a small timer so that you can renew it. After that's done, you should have eased the traffic enough to send more table-update packets to the second hop routers, and then to the third hop routers, and so on, until you've pushed the 'timed reject rule' right back up the traceroute chain until its at the source's doorstep and can go no further. At that point, not only are you free from the DDoS, the routers themselves no longer have to handle the traffic, either, as you've cut it off very near to the source.

The rule expiration timer makes it so that you need to actively maintain the rules or they'll disappear, and furthermore, it makes it so that when the DDoS stops, normal traffic can resume just fine. You can always 'peek' to see if the DDoS is ongoing by letting a few timers expire and watching to see if the malicious traffic is still coming through. If it is, update the rules and block it for some more time.

Re:Carriers

[jeffmeden]

Wrong answer. What can the carrier do to block the sending of DDoS, not keep up customers being DDoS'd? Customers participating in DDoS attacks should be disconnected. Anything else is negligence by the carriers. But ISPs make more money leaving them on and defending from attacks, rather than stopping the attacks. It's criminal, and should be treated as such.

If only it were as easy. DDoS attacks come from botnets. Botnets don't come from somewhere, they come from *everywhere*. If they played the "cut off the offenders" game they would need one hell of a huge IP-level blacklist, or they would cut off literally every link they had since compromised hosts are everywhere. If you are going to say "just force the end ISP to disconnect them" then again it's amazingly complicated since an ISP in Georgia (the country) isn't going to listen to some twat in the UK or US complain about a certain group of hosts that are participating in a DDoS, just like ISPs in those countries wouldn't listen to some ahole in Georgia complain about a DDoS host since he might just want to take it offline for political reasons and there isn't nearly enough international cooperation to keep up good relationships between all the concerned parties. Moving up a tier, there is too much good traffic coming from any given ISP to simply write it off as blocking the whole thing.