Slashdot Mirror
Ask Slashdot: What Should We Do About the DDoS Problem?
An anonymous reader writes: Distributed denial of service attacks have become a big problem. The internet protocol is designed to treat unlimited amounts of unsolicited traffic identically to important traffic from real users. While it's true DDoS attacks can be made harder by fixing traffic amplification exploits (including botnets), and smarter service front ends, there really doesn't seem to be any long term solution in the works. Does anyone know of any plans to actually try and fix the problem?
https://tools.ietf.org/html/bcp38
DDoS attacks are only possible because of the ready availability of huge networks of compromised computers. Fix that, and the world becomes a better place.
Also, this peace on earth thing has been a while coming, you might want to take a look at that. too.
And flying cars.
It's supposed to be completely automatic, but actually you have to press this button.
Widespread adoption of the security flag should help quite a bit.
The internet protocol is designed to treat unlimited amounts of unsolicited traffic identically to important traffic from real users
It's a packet-switched network, so for anything else to be true, somebody along the line somewhere has to make that decision. But only you can make that decision when it hits your gear (and you could prioritize there, at your expense).
What the Internet lacks is a reliable social scheme for managing problems. One could imagine a guild of operators and paths of trust where a member could send a signed shutdown message through the network to known-offenders, putting his reputation on the line with every such action, per the review of the end-connection provider.
But network engineers tend to not want to socialize with each other or extend trust. Protecting the downside at the expense of the upside is a very common human foible - it kept our ancestors from being eaten.
My God, it's Full of Source!
OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
Im a full-time computer science researcher and its not mentioned often, but the only real way to stop a DDoS is toET$)##515E@[NO CARRIER]
Good people go to bed earlier.
So I attended a local security talk a couple of months back and there I asked a security expert from my ISP (Telenor - Norway) if they blocked outgoing packets with source IP address differing from the real sender address.
"No" he said.
WTF? I am sure there is some legitimate reason for being able to send such a packet, but I can't think of any, and the contract should be amended to say "no spoofed source address unless agreed upon".
Sending spoof packets should make the ISP auto-throttle them if not just black-hole.
The ISP are already doing deep packet inspections to throttle traffic. Why don't they use dpi to monitor botnet attacks and filter those? Even if they do it like av and patch afterwards. You can limit older botnets at least
i thought once I was found, but it was only a dream.
If I were an attacker looking to design the next generation of sophisticated DDoS attacks, the first thing I'd do is post a question to SlashDot asking about the next generation of defenses.
I've actually thought about this and come up with the following TCP extension:
Routers all maintain a reasonably sized set of source/destination/timer triplets. If a packet comes in from 'source' and is headed to 'destination', drop it. When 'timer' expires, drop that rule.
A special new "Add rule 'source,destination,timer'' packet is added, to be sent to a router. This causes the router to initiate a 3-way handshake with 'destination' to confirm that they requested the new rule, and if so, they add the rule to their table and set the expiration timer.
The idea is simple: If you're being DDoS'd, you don't have much bandwidth, but you always have bandwidth available between you and the first router, so you can always send them special packets telling the first hop router to drop all packets that you suppose are malicious, with a small timer so that you can renew it. After that's done, you should have eased the traffic enough to send more table-update packets to the second hop routers, and then to the third hop routers, and so on, until you've pushed the 'timed reject rule' right back up the traceroute chain until its at the source's doorstep and can go no further. At that point, not only are you free from the DDoS, the routers themselves no longer have to handle the traffic, either, as you've cut it off very near to the source.
The rule expiration timer makes it so that you need to actively maintain the rules or they'll disappear, and furthermore, it makes it so that when the DDoS stops, normal traffic can resume just fine. You can always 'peek' to see if the DDoS is ongoing by letting a few timers expire and watching to see if the malicious traffic is still coming through. If it is, update the rules and block it for some more time.
I work for a carrier. Together with companies like Arbor Networks, we already have systems in place that can mitigate most volumetric attacks, and many more intelligent attacks. Unfortunately, it's not cheap. Customers have to be willing to implement (and pay for) the protection services that most serious ISPs already offer as options on their IP traffic products. Keywords for your search are Pravail and PeakFlow.
Steve -- If you have to call it a system, you don't know what it is.
ET$)##515E@[NO CARRIER]
For the younger /. readers out there: this is an old joke that dates back to the days when we used to have to use actual telephone modems to connect to the Internet.
Noise on a phone line could produce garbage characters, and if you weren't using an error-correcting protocol the garbage could show up as if you had typed it. If you were using a "dumb terminal" directly with a modem, whatever the modem received would be printed. And, a modem might actually return the string [NO CARRIER] to your terminal when a connection dropped. (If you were using a computer and an Internet routing protocol like SLIP or PPP, the checksums would be unlikely to be correct in the face of the garbage. Neither the "line noise" garbage characters nor the [NO CARRIER] string would appear in that case.)
So, this joke implies a catastrophic event that first causes noise on the line and then disconnects the line. Now you know, and knowing is half the battle!
P.S. Any resemblance of the "line noise" string to Perl code is purely a coincidence.
The problem is that the Internet is Distributed, but websites are Centralized. The brilliant folks who designed the Internet accidently let morons design the web atop it. The way the web is currently hosted is a stupid idea, and that's the real problem: Storage is not decentralized.
The solution has been dubbed Disruption Tolerant Networking. There's no reason my neighbor shouldn't be pulling the cute cat video I linked them to from my own damn browser cache. When you think about it, caching services and co-location is a form of distributed data storage, so let's cut out the middle man and do this shit right: Every node needs to be a cache too, including the endpoints.
Essentially, to fix the problem you can just run HTTP over a distributed system like Bittorrent, but with better higherarchical caching to maintain locality where applicable. The more traffic, the more availability you get. Yes, you can leach, but in a properly system a ton of requests for the same resource
The problem is that if we do this then the NSA will not be able to spy on our traffic: There's no way to know that the resource I'm downloading is for me, it could be for my neighbor. You'd have to put snoopers between every single endpoint, at every switch. Currently they take data at places like Room 641A (which was around before 9/11, so the warrantless spying wasn't a response to that).
If the Internet gets a proper distributed data store system built atop it, then mesh networking will happen. The powers that be REALLY don't want that to happen, that's why the FCC is so strict about limiting packet radio's use. HAM radio folks have been using store and forward for decades, and that's basically what we need. Hint: A single RF antenna has a natural one-to-many broadcast property that a single CAT6 cable does not.
So, the answer is: YES, there is a solution, but NO you can not have it...yet. I've had nothing but some pretty scary blowback from my own attempts to fix this fucking obvious problem: Hurrr, let's put centralized data silohs atop a distributed network, Durr. Fucking idiots!
If we want to progress as a species and have nice things like DDoS free networks for off-planet colonies' Space Internet (DTN takes into account problems caused by lightspeed limitations) then we'll have to get over the fear of the populace being able to control its government and just roll out something like HTTP/BT.
There are things like Freenet, but they're not built for speed they're built for anonymity, which was a dumb move. If only they would have built that network for speed and had an anonymity option, then it would actually be worth a damn.
Wrong answer. What can the carrier do to block the sending of DDoS, not keep up customers being DDoS'd? Customers participating in DDoS attacks should be disconnected. Anything else is negligence by the carriers. But ISPs make more money leaving them on and defending from attacks, rather than stopping the attacks. It's criminal, and should be treated as such.
Learn to love Alaska
Wrong answer. What can the carrier do to block the sending of DDoS, not keep up customers being DDoS'd? Customers participating in DDoS attacks should be disconnected. Anything else is negligence by the carriers. But ISPs make more money leaving them on and defending from attacks, rather than stopping the attacks. It's criminal, and should be treated as such.
If only it were as easy. DDoS attacks come from botnets. Botnets don't come from somewhere, they come from *everywhere*. If they played the "cut off the offenders" game they would need one hell of a huge IP-level blacklist, or they would cut off literally every link they had since compromised hosts are everywhere. If you are going to say "just force the end ISP to disconnect them" then again it's amazingly complicated since an ISP in Georgia (the country) isn't going to listen to some twat in the UK or US complain about a certain group of hosts that are participating in a DDoS, just like ISPs in those countries wouldn't listen to some ahole in Georgia complain about a DDoS host since he might just want to take it offline for political reasons and there isn't nearly enough international cooperation to keep up good relationships between all the concerned parties. Moving up a tier, there is too much good traffic coming from any given ISP to simply write it off as blocking the whole thing.
If you want to find the source, you need to find the profit center. This stuff isn't being done for free. A real investigation will lead to a place that most people will find most unappealing.
And jail? Please! This fetish with imprisonment needs to stop.
And we don't want ISPs filtering anything. It only provides pretext for filtering everything. They are supposed to be a dumb pipe. Let the end points do the filtering.
“He’s not deformed, he’s just drunk!”