Slashdot Mirror
Ask Slashdot: What Should We Do About the DDoS Problem?
An anonymous reader writes: Distributed denial of service attacks have become a big problem. The internet protocol is designed to treat unlimited amounts of unsolicited traffic identically to important traffic from real users. While it's true DDoS attacks can be made harder by fixing traffic amplification exploits (including botnets), and smarter service front ends, there really doesn't seem to be any long term solution in the works. Does anyone know of any plans to actually try and fix the problem?
https://tools.ietf.org/html/bcp38
DDoS attacks are only possible because of the ready availability of huge networks of compromised computers. Fix that, and the world becomes a better place.
Also, this peace on earth thing has been a while coming, you might want to take a look at that. too.
And flying cars.
It's supposed to be completely automatic, but actually you have to press this button.
Widespread adoption of the security flag should help quite a bit.
The internet protocol is designed to treat unlimited amounts of unsolicited traffic identically to important traffic from real users
It's a packet-switched network, so for anything else to be true, somebody along the line somewhere has to make that decision. But only you can make that decision when it hits your gear (and you could prioritize there, at your expense).
What the Internet lacks is a reliable social scheme for managing problems. One could imagine a guild of operators and paths of trust where a member could send a signed shutdown message through the network to known-offenders, putting his reputation on the line with every such action, per the review of the end-connection provider.
But network engineers tend to not want to socialize with each other or extend trust. Protecting the downside at the expense of the upside is a very common human foible - it kept our ancestors from being eaten.
My God, it's Full of Source!
OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
Im a full-time computer science researcher and its not mentioned often, but the only real way to stop a DDoS is toET$)##515E@[NO CARRIER]
Good people go to bed earlier.
So I attended a local security talk a couple of months back and there I asked a security expert from my ISP (Telenor - Norway) if they blocked outgoing packets with source IP address differing from the real sender address.
"No" he said.
WTF? I am sure there is some legitimate reason for being able to send such a packet, but I can't think of any, and the contract should be amended to say "no spoofed source address unless agreed upon".
Sending spoof packets should make the ISP auto-throttle them if not just black-hole.
The ISP are already doing deep packet inspections to throttle traffic. Why don't they use dpi to monitor botnet attacks and filter those? Even if they do it like av and patch afterwards. You can limit older botnets at least
i thought once I was found, but it was only a dream.
It's the only way to be sure.
If I were an attacker looking to design the next generation of sophisticated DDoS attacks, the first thing I'd do is post a question to SlashDot asking about the next generation of defenses.
I've actually thought about this and come up with the following TCP extension:
Routers all maintain a reasonably sized set of source/destination/timer triplets. If a packet comes in from 'source' and is headed to 'destination', drop it. When 'timer' expires, drop that rule.
A special new "Add rule 'source,destination,timer'' packet is added, to be sent to a router. This causes the router to initiate a 3-way handshake with 'destination' to confirm that they requested the new rule, and if so, they add the rule to their table and set the expiration timer.
The idea is simple: If you're being DDoS'd, you don't have much bandwidth, but you always have bandwidth available between you and the first router, so you can always send them special packets telling the first hop router to drop all packets that you suppose are malicious, with a small timer so that you can renew it. After that's done, you should have eased the traffic enough to send more table-update packets to the second hop routers, and then to the third hop routers, and so on, until you've pushed the 'timed reject rule' right back up the traceroute chain until its at the source's doorstep and can go no further. At that point, not only are you free from the DDoS, the routers themselves no longer have to handle the traffic, either, as you've cut it off very near to the source.
The rule expiration timer makes it so that you need to actively maintain the rules or they'll disappear, and furthermore, it makes it so that when the DDoS stops, normal traffic can resume just fine. You can always 'peek' to see if the DDoS is ongoing by letting a few timers expire and watching to see if the malicious traffic is still coming through. If it is, update the rules and block it for some more time.
Almost. We need a way to tell upstream that we reject particular traffic, so don't send us any more of it. Getting a DDoS from X.X.X.X? Dear ISP, blackhole X.X.X.X for $TIME. ISPs should, in turn, do the same. It's complicated a bit because by nature a DDoS doesn't come from one IP, but many, and further IP spoofing, but I don't see how it can be fixed at the endpoint.
I work for a carrier. Together with companies like Arbor Networks, we already have systems in place that can mitigate most volumetric attacks, and many more intelligent attacks. Unfortunately, it's not cheap. Customers have to be willing to implement (and pay for) the protection services that most serious ISPs already offer as options on their IP traffic products. Keywords for your search are Pravail and PeakFlow.
Steve -- If you have to call it a system, you don't know what it is.
Any solution would violate net neutrality.
This posting is provided 'AS IS' without warranty of any kind, implied or otherwise.
Wrong target. Hunt down and kill the people that run the botnets. Publicly. Grotesquely.
Indeed something along that line is what I think the Internet protocol needs. While IP is freely packet-switched and may appear stateless when you glance in the specs, TCP/IP routers and hosts are actually session-based internally and the number of concurrent sessions is limited.
I feel like this is a trap.
You have a creepily low user id. So much so that you probably were around for the beginnings of IP network as a mass-market communications mechanism.
However, I would suggest that your contention that TCP/IP routers (generically speaking) are session based is incorrect. Particularly, this is incorrect with respect to the vast majority of the core internet routing and Layer 3 switching infrastructure as employed by ISPs and carriers. In order to achieve the massive traffic scale that these devices handle, they mostly are stateless forwarders unconcerned with the higher level protocols above IP and unconcerned with maintaining session / state information on the traffic flows through the router/switch. This allows the hardware's specialized ASICs to forward the packets without having to retain any history of "sessions" or spend precious CPU time matching each packet to a session.
ET$)##515E@[NO CARRIER]
For the younger /. readers out there: this is an old joke that dates back to the days when we used to have to use actual telephone modems to connect to the Internet.
Noise on a phone line could produce garbage characters, and if you weren't using an error-correcting protocol the garbage could show up as if you had typed it. If you were using a "dumb terminal" directly with a modem, whatever the modem received would be printed. And, a modem might actually return the string [NO CARRIER] to your terminal when a connection dropped. (If you were using a computer and an Internet routing protocol like SLIP or PPP, the checksums would be unlikely to be correct in the face of the garbage. Neither the "line noise" garbage characters nor the [NO CARRIER] string would appear in that case.)
So, this joke implies a catastrophic event that first causes noise on the line and then disconnects the line. Now you know, and knowing is half the battle!
P.S. Any resemblance of the "line noise" string to Perl code is purely a coincidence.
The problem is that the Internet is Distributed, but websites are Centralized. The brilliant folks who designed the Internet accidently let morons design the web atop it. The way the web is currently hosted is a stupid idea, and that's the real problem: Storage is not decentralized.
The solution has been dubbed Disruption Tolerant Networking. There's no reason my neighbor shouldn't be pulling the cute cat video I linked them to from my own damn browser cache. When you think about it, caching services and co-location is a form of distributed data storage, so let's cut out the middle man and do this shit right: Every node needs to be a cache too, including the endpoints.
Essentially, to fix the problem you can just run HTTP over a distributed system like Bittorrent, but with better higherarchical caching to maintain locality where applicable. The more traffic, the more availability you get. Yes, you can leach, but in a properly system a ton of requests for the same resource
The problem is that if we do this then the NSA will not be able to spy on our traffic: There's no way to know that the resource I'm downloading is for me, it could be for my neighbor. You'd have to put snoopers between every single endpoint, at every switch. Currently they take data at places like Room 641A (which was around before 9/11, so the warrantless spying wasn't a response to that).
If the Internet gets a proper distributed data store system built atop it, then mesh networking will happen. The powers that be REALLY don't want that to happen, that's why the FCC is so strict about limiting packet radio's use. HAM radio folks have been using store and forward for decades, and that's basically what we need. Hint: A single RF antenna has a natural one-to-many broadcast property that a single CAT6 cable does not.
So, the answer is: YES, there is a solution, but NO you can not have it...yet. I've had nothing but some pretty scary blowback from my own attempts to fix this fucking obvious problem: Hurrr, let's put centralized data silohs atop a distributed network, Durr. Fucking idiots!
If we want to progress as a species and have nice things like DDoS free networks for off-planet colonies' Space Internet (DTN takes into account problems caused by lightspeed limitations) then we'll have to get over the fear of the populace being able to control its government and just roll out something like HTTP/BT.
There are things like Freenet, but they're not built for speed they're built for anonymity, which was a dumb move. If only they would have built that network for speed and had an anonymity option, then it would actually be worth a damn.
Treat it like cancer. If you can identify a single IP address, then the affected ISP should notify the ISP that owns the IP address to disable the connection of whatever computer was using it at the time. If the ISP refuses to comply in a timely manner then cut off all routing to and from that ISP network. Basically like what has been done to and from North Korea. And keep that network unreachable until a human negotiated settlement is reached. ISPs have the knowledge, resources and power to deal with botnets, that they would choose not to manage the problem effectively is a business decision and not a technical one.
Wrong answer. What can the carrier do to block the sending of DDoS, not keep up customers being DDoS'd? Customers participating in DDoS attacks should be disconnected. Anything else is negligence by the carriers. But ISPs make more money leaving them on and defending from attacks, rather than stopping the attacks. It's criminal, and should be treated as such.
Learn to love Alaska
Wrong answer. What can the carrier do to block the sending of DDoS, not keep up customers being DDoS'd? Customers participating in DDoS attacks should be disconnected. Anything else is negligence by the carriers. But ISPs make more money leaving them on and defending from attacks, rather than stopping the attacks. It's criminal, and should be treated as such.
If only it were as easy. DDoS attacks come from botnets. Botnets don't come from somewhere, they come from *everywhere*. If they played the "cut off the offenders" game they would need one hell of a huge IP-level blacklist, or they would cut off literally every link they had since compromised hosts are everywhere. If you are going to say "just force the end ISP to disconnect them" then again it's amazingly complicated since an ISP in Georgia (the country) isn't going to listen to some twat in the UK or US complain about a certain group of hosts that are participating in a DDoS, just like ISPs in those countries wouldn't listen to some ahole in Georgia complain about a DDoS host since he might just want to take it offline for political reasons and there isn't nearly enough international cooperation to keep up good relationships between all the concerned parties. Moving up a tier, there is too much good traffic coming from any given ISP to simply write it off as blocking the whole thing.
If you want to find the source, you need to find the profit center. This stuff isn't being done for free. A real investigation will lead to a place that most people will find most unappealing.
And jail? Please! This fetish with imprisonment needs to stop.
And we don't want ISPs filtering anything. It only provides pretext for filtering everything. They are supposed to be a dumb pipe. Let the end points do the filtering.
“He’s not deformed, he’s just drunk!”
And they are not going to. A sizable percentage of an ISPs customers have some kind of bot on it. Since almost everyone these days has a NAT router if one computer out of ten has a bot on it, the entire network goes down. Customers get pissed. Bills don't get paid. Long arguments with tech support over who's problem it is. Some of these bots are wireless clients that move around too.
Or, they can do what they are doing now and neglect the problem. My money is on the continued neglect except in the worst of cases.
Most contracts will allow termination of service for malicious activity.
Learn to love Alaska
I have worked for 5 ISPs in the past 15 years. Every one of them had DPI. They all expect laws like this and have things in place for when they do. Sure, the backbone providers with no consumer connections don't bother, but (almost) every ISP that sells consumer connections does have them today. The expense is $0.
It's very economical.
Learn to love Alaska
A compromised system that is operating without the knowledge of its owner does not constitute malicious activity. Malicious activity, by its very definition, is intentional.
So the Botnet owner isn't doing anything malicious when they perform a DDoS? Again, I think your logic is contrived and quite stupid, trying to defend negligent users who are financing attacks.
I said that the DDoS is malicious activity, and the connection is linked to that, and thus can be shut down. You are disagreeing. That makes you dumb or a liar. Which is it?
It amazes me how many people defend compromised computers and those performing DDoSs.
Learn to love Alaska
I think that's exactly why it's necessary. Most ISPs take very little notice of an obviously infected customer's machine, unless of course it's trying to pour its spam through their SMTP server. Then they immediately get their panties in a twist and pull your plug until you clean up your machine.
The difference here of course being who is the victim. You or me? Not gonna bother. US? Red Alert Ban Hammer Time!
So, your upstream pulling (or threatening to pull) your plug is precisely what's needed to motivate those ISPs. Some are lazy. Most are just too cheap to invest in fixing the problem and would rather bank the dollars than spend them to fix "someone else's problem". Make it their problem. Light a fire under their seat and watch them redirect a processes they already have in place, to fix the problem.
I work for the Department of Redundancy Department.
It occurs to me that reading comprehension may not be your strong suit. I have yet to see a single comment here that defends compromised computers or DDoS.
You said that the connection participating in a DDoS isn't engaged in a malicious activity. I count that as defense of the compromised computers.The issue of malicious intent has nothing whatsoever to do with the botnet operator and everything to do with the owner of the compromised computer(s)/network.
Ah, it's you who can't read. I said "malicious activity" not "malicious intent" The computer is doing something malicious, even if the user didn't explicitly perform the act.
That said, there ARE ramifications of simply turning off the tap that are not so simply dealt with as you seem to wish were the case. Were it so easy and legally simple, it already would not be an issue, IMO.
It's already a violation of ToS, so shut them off. If that's a problem, change a law to make it no longer a problem.
Learn to love Alaska
This is getting to become a circular argument, and I'm in no mood to argue. I cannot be more clear: One cannot simply 'pull the plug' on a network that provides service without opening up a complex can of legal worms. There's absolutely _zero_ doubt that DDoS activity is malicious by nature and intent by the botnet operator. There's absolutely _zero_ doubt that pulling the plug would help mitigate the damage to systems on the receiving end of attacks from such compromised systems/network. The fundamental problem, however, is that one does not merrily obstruct a business's capacity to DO business without incurring legal ramifications (dependent upon the jurisdiction in which the service is being hosted/operated).
It is what it is, Mark. It's a simple problem with a veritable rat's nest of legal implications to solve.
Happy New Year to you, sire. :)
Yep. Canada has some weird rules. For example, if you have servers in a rack and the feds want to do a search and seizure a la US style, not gonna happen. If the servers are essential for the running of your business, the most the feds can do is to copy all the relevant data. They can't actually seize the servers lest it causes your business damage.
It's actually a pretty good law in that it respects the ideal of innocent until proven guilty beyond reasonable doubt. In other countries, they can just take your crap and if you go out of business because of it - even if you're totally innocent - well, that's just tough luck, innit?