Interesting People mailing list archives

DDOS attacks


From: David Farber <dave () farber net>
Date: Mon, 10 Aug 2009 18:11:30 -0400



Begin forwarded message:

From: Christian Huitema <huitema () microsoft com>
Date: August 10, 2009 12:26:40 PM EDT
To: "dave () farber net" <dave () farber net>, ip <ip () v2 listbox com>
Subject: RE: [IP] DDOS attacks

From: "Michael O'Dell" <mo () ccr org>
Date: August 9, 2009 2:54:16 PM EDT
To: dave () farber net
Subject: DDOS attacks

a fundamental problem with Denial of Service Attacks,
and most other Internet "security" problems in general,
is that they are "attacks" only in retrospect.
In fact, a DDOS attack is indistinguishable from
a success disaster (flash crowd, "slashdotted", etc)
only after observing the event for a while and
then imputing nefarious intent.

Mike is correct, but only partially. The "perfect" DDOS attack would be indistinguishable from a sudden rise in a site's popularity, but actual attacks only approximate normal traffic. The old attacks were gross estimates, e.g. a SYN attack that would only attempt partial connections, or programmed loops in which the same attacker would repeat the same request at short intervals. The defense strategy then is to understand the patterns of traffic, distinguish abnormal traffic, and slow it down. For example, an IP address that sources too many repeated requests might be temporarily blacklisted, and connection requests might be processed in a separate queue. Major web sites have learned to use this kind of defense, and are able to "repel" most attacks. The fact that Twitter did not is either a statement about the cunningness of that particular attack, or a statement about the engineering quality of the Twitter server farm.

-- Christian Huitema
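
The defense described in the message above (slow down, then temporarily blacklist, a source that repeats the same request), as an added sketch that is not part of the original thread. The class name, thresholds, addresses and traffic are all constructed assumptions; the sample shows a looping client being separated from a flash crowd that sends twice its volume.

```python
from collections import Counter, defaultdict, deque

class RepeatRequestFilter:
    """Per-source sliding window: repeats go to a slow queue, then a temporary block."""

    def __init__(self, window=10.0, slow_after=5, block_after=20, block_secs=60.0):
        self.window = window            # seconds of history kept per (ip, request)
        self.slow_after = slow_after    # repeats in window before slow-queueing (assumed)
        self.block_after = block_after  # repeats in window before blacklisting (assumed)
        self.block_secs = block_secs    # blacklist lifetime: temporary, not permanent
        self.hits = defaultdict(deque)  # (ip, request) -> recent timestamps
        self.blocked_until = {}         # ip -> time the block expires

    def classify(self, ip, request, now):
        """Return 'drop', 'slow' or 'normal' for one request seen at time `now`."""
        expiry = self.blocked_until.get(ip)
        if expiry is not None:
            if now < expiry:
                return "drop"
            del self.blocked_until[ip]           # block expired, give the source a fresh start
        q = self.hits[(ip, request)]
        q.append(now)
        while q[0] <= now - self.window:         # forget repeats older than the window
            q.popleft()
        if len(q) > self.block_after:
            self.blocked_until[ip] = now + self.block_secs
            del self.hits[(ip, request)]         # do not keep state for blocked sources
            return "drop"
        return "slow" if len(q) > self.slow_after else "normal"

def simulate():
    """Constructed traffic: one looping client and a 30-visitor flash crowd."""
    flt = RepeatRequestFilter()
    loop_ip, loop_req = "192.0.2.10", "GET /search?q=x"
    events = [(i * 0.1, loop_ip, loop_req) for i in range(30)]       # same request in a loop
    for i in range(30):                                              # many sources, few repeats
        events.append((i * 0.1 + 0.05, f"198.51.100.{i + 1}", "GET /"))
        events.append((i * 0.1 + 0.07, f"198.51.100.{i + 1}", "GET /news"))
    events += [(30.0, loop_ip, loop_req), (100.0, loop_ip, loop_req)]  # during / after block
    looper, crowd = [], Counter()
    for now, ip, req in sorted(events):
        verdict = flt.classify(ip, req, now)
        if ip == loop_ip:
            looper.append(verdict)
        else:
            crowd[verdict] += 1
    return looper, crowd

if __name__ == "__main__":
    looper, crowd = simulate()
    print(Counter(looper), dict(crowd))
```

The per-key state here is unbounded across distinct sources; a deployment would cap or expire it so the filter itself cannot be exhausted.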





