Interesting People mailing list archives
Re: DDOS attacks
From: David Farber <dave () farber net>
Date: Sun, 9 Aug 2009 20:23:38 -0400
Begin forwarded message:

From: Craig Partridge <craig () aland bbn com>
Date: August 9, 2009 6:37:02 PM EDT
To: dave () farber net
Cc: craig () aland bbn com
Cc: "Michael O'Dell" <mo () ccr org>
Subject: Re: [IP] DDOS attacks

a fundamental problem with Denial of Service Attacks, and most other Internet "security" problems in general, is that they are "attacks" only in retrospect. In fact, a DDOS attack is indistinguishable from a success disaster (flash crowd, "slashdotted", etc) only after observing the event for a while and then imputing nefarious intent. Given that we have no way of imputing the intent of another human short of observing his actions in context, IN RETROSPECT, it's hard to imagine how one can examine packets in real-time and impute intent in any general-purpose fashion.

A note with a slightly different message from Mike's.

I've seen work that suggests we can distinguish DDOS attacks (in some cases) from flash crowds, if only because DDOS attacks come from fewer actual hosts. Rather, some DDOS attacks use a modest number of systems that pretend (through address spoofing) that their packets come from a big set of hosts. We can use spectral analysis to discover the small host set (cf. work by Hussain and Heidemann at SIGCOMM 2003). But spectral techniques don't use deep packet inspection or notions of identity... (confirming much of Mike's point).

Thanks!

Craig