Interesting People mailing list archives

Re: DDOS attacks


From: David Farber <dave () farber net>
Date: Sun, 9 Aug 2009 20:23:38 -0400



Begin forwarded message:

From: Craig Partridge <craig () aland bbn com>
Date: August 9, 2009 6:37:02 PM EDT
To: dave () farber net
Cc: craig () aland bbn com
Cc: "Michael O'Dell" <mo () ccr org>
Subject: Re: [IP] DDOS attacks


A fundamental problem with Denial of Service Attacks,
and most other Internet "security" problems in general,
is that they are "attacks" only in retrospect.
In fact, a DDOS attack is indistinguishable from
a success disaster (flash crowd, "slashdotted", etc)
only after observing the event for a while and
then imputing nefarious intent.

Given that we have no way of imputing the intent
of another human short of observing his actions
in context, IN RETROSPECT, it's hard to imagine
how one can examine packets in real-time and
impute intent in any general-purpose fashion.

A note with a slightly different message from Mike's.

I've seen work that suggests we can distinguish DDOS attacks (in
some cases) from flash crowds, if only because DDOS attacks come
from fewer actual hosts.  Rather, some DDOS attacks use a modest
number of systems that pretend (through address spoofing) that
their packets come from a big set of hosts.

We can use spectral analysis to discover the small host set (cf.
work by Hussain and Heidemann at SIGCOMM 2003).

But spectral techniques don't use deep packet inspection or
notions of identity... (confirming much of Mike's point).

Thanks!

Craig
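
[Added example, not part of the original message and not the method of the cited paper.] A simplified illustration of the idea above: a few fixed-rate senders leave sharp lines in the spectrum of the packet-arrival series even when every source address is spoofed, while a flash crowd of independent clients does not. All function names, the 2 ms bin width and both traffic samples are constructed for this sketch.

```python
import cmath
import random

BIN_US = 2000   # 2 ms bins (assumed value for this sketch)
N_BINS = 512    # 1.024 s observation window

def bin_counts(timestamps_us):
    """Packets per bin; only arrival times are used, never addresses or payload."""
    counts = [0] * N_BINS
    for t in timestamps_us:
        if 0 <= t < BIN_US * N_BINS:
            counts[t // BIN_US] += 1
    return counts

def power_spectrum(counts):
    """|DFT|^2 for k = 1 .. N/2 (DC term skipped), via a direct O(N^2) DFT."""
    n = len(counts)
    spec = []
    for k in range(1, n // 2 + 1):
        x = sum(c * cmath.exp(-2j * cmath.pi * k * i / n)
                for i, c in enumerate(counts) if c)
        spec.append(abs(x) ** 2)
    return spec

def peak_to_mean(timestamps_us):
    """Return (peak/mean power ratio, frequency in Hz of the strongest line)."""
    spec = power_spectrum(bin_counts(timestamps_us))
    peak = max(spec)
    k = spec.index(peak) + 1
    return peak / (sum(spec) / len(spec)), k * 1_000_000 / (N_BINS * BIN_US)

def constructed_attack(rng):
    """Constructed sample: three senders at fixed periods (8, 16, 32 ms) with
    sub-bin jitter. Each packet gets a random spoofed source that is discarded."""
    pkts = []
    for start, period in ((500, 8000), (3000, 16000), (9000, 32000)):
        for base in range(start, BIN_US * N_BINS, period):
            spoofed_src = rng.getrandbits(32)
            pkts.append((base + rng.randint(-200, 200), spoofed_src))
    return [t for t, _ in pkts]

def constructed_flash_crowd(rng, n_packets=224):
    """Constructed sample: same packet count, independent random arrival times."""
    return [rng.randrange(BIN_US * N_BINS) for _ in range(n_packets)]

if __name__ == "__main__":
    rng = random.Random(2009)
    print("attack     :", peak_to_mean(constructed_attack(rng)))
    print("flash crowd:", peak_to_mean(constructed_flash_crowd(rng)))
```

The strongest line in the constructed attack sits at the packet rate of the fastest sender, which is recovered without looking at any address field.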



