Re: Over a decade of DDOS--any progress yet?

[Arturo Servin <arturo.servin () gmail com>]

        And those are much more complex to detect than SYN attacks or simple flood attacks with ICMP.

        But even for simple flood attacks, I still think that the target has very few defence mechanisms, and those 
that exists require a complex coordination with upstreams.

Cheers,
.as

On 8 Dec 2010, at 13:39, Jeffrey Lyon wrote:

> We have seen a recent trend of attackers "legitimately" purchasing
> servers to use for attacks. They'll setup a front company, attempt to
> make the traffic look legitimate, and then launch attacks from their
> "legitimate" botnet.
>
> Jeff
>
> On Wed, Dec 8, 2010 at 10:33 AM, Arturo Servin <arturo.servin () gmail com> wrote:
> > On 8 Dec 2010, at 13:12, nanog-request () nanog org wrote:
> >
> > > Date: Wed, 8 Dec 2010 12:53:51 +0000
> > > From: "Dobbins, Roland" <rdobbins () arbor net>
> > > Subject: Re: Over a decade of DDOS--any progress yet?
> > > To: North American Operators' Group <nanog () nanog org>
> > > Message-ID: <BF571AD7-1122-407B-B7FA-77B9BBAC48F7 () arbor net>
> > > Content-Type: text/plain; charset="us-ascii"
> > >
> > >
> > > On Dec 8, 2010, at 7:28 PM, Arturo Servin wrote:
> > >
> > > >      One big problem (IMHO) of DDoS is that sources (the host of botnets) may be completely unaware that they are 
> > > > part of a DDoS. I do not mean the bot machine, I mean the ISP connecting those.
> > >
> > > The technology exists to detect and classify this attack traffic, and is deployed in production networks today.
> >
> >        Yes, they do exist. But, is people really filtering out attacks or just watching the attacks going out?
> >
> >
> > > And of course, the legitimate owners of the botted hosts are generally unaware that their machine is being used for 
> > > nefarious purposes.
> > >
> > > >      In the other hand the target of a DDoS cannot do anything to stop to attack besides adding more BW or 
> > > > contacting one by one the whole path of providers to try to minimize the effect.
> > >
> > > Actually, there're lots of things they can do.
> >
> >        Yes, but all of them rely on your upstreams or in mirroring your content. If 100 Mbps are reaching your input 
> > interface of 10Mbps there is not much that you can do.
> >
> > > >      I know that this has many security concerns, but would it be good a signalling protocol between ISPs to 
> > > > inform the sources of a DDoS attack in order to take semiautomatic actions to rate-limit the traffic as close as 
> > > > the source? Of course that this is more complex that these three or two lines, but I wonder if this has been 
> > > > considerer in the past.
> > >
> > > It already exists.
> >
> >        If you have an URL would be good. I only found a few research papers on the topic and RSVP documents but 
> > nothing really concrete.
> >
> > Regards,
> > -as
>
>
>
> -- 
> Jeffrey Lyon, Leadership Team
> jeffrey.lyon () blacklotus net | http://www.blacklotus.net
> Black Lotus Communications - AS32421
> First and Leading in DDoS Protection Solutions