nanog mailing list archives

Re: Over a decade of DDOS--any progress yet?

From: "Jonas Frey (Probe Networks)" <jf () probe-networks de>
Date: Mon, 06 Dec 2010 10:07:55 +0100

Besides having *alot* of bandwidth theres not really much you can do to
mitigate. Once you have the bandwidth you can filter (w/good hardware).
Even if you go for 802.3ba with 40/100 Gbps...you'll need alot of pipes.

Spoofed attacks have reduced significally probably because the use of
RPF. However we still see these from time to time.

TCP SYN attacks are still quite frequent...these can push alot of pps at
times.

The attack vectors have changed. Years ago people used hacked *nix boxes
with big pipes to start their attacks as only these had enough
bandwidth. Nowadays the consumers have alot more bandwidth and its
easier than ever to setup your own botnet by infecting users with
malware and alike. Even tho end users usually have less than 2mbps
upstream the pure amount of infected users makes it worse than ever.
Most of the time (depending on the attack) its also hard to
differentiate which IP addresse are attacking and which are legitimate
users. 

I do not see a real solution to this problem right now...theres not much
you can do about the unwilligness of users to keep their software/OS
up2date and deploy anti-virus/anti-malware software (and keep it
up2date).
Some approaches have been made like cutting of internet access for users
which have been identified by ISPs for beeing member of some
botnet/beeing infected.
This might be the only long-term solution to this probably. There is
just no patch for human stupidity.





Am Montag, den 06.12.2010, 02:50 -0500 schrieb Sean Donelan:

February 2000 weren't the first DDOS attacks, but the attacks on multiple 
well-known sites did raise DDOS' visibility.

What progress has been made during the last decade at stopping DDOS 
attacks?

SMURF attacks creating a DDOS from directed broadcast replies seems to 
have been mostly mitigated by changing defaults in major router OS's.

TCP SYN attacks creating a DDOS from leaving many half-open connections 
seems to have been mostly mitigated with SYN Cookies or similar OS 
changes.

Other than buying lots of bandwidth and scrubber boxes, have any other 
DDOS attack vectors been stopped or rendered useless during the last 
decade?

Spoofing?

Bots?

Protocol quirks?

Attachment: signature.asc
Description: This is a digitally signed message part

Current thread:

Over a decade of DDOS--any progress yet? Sean Donelan (Dec 05)
- Re: Over a decade of DDOS--any progress yet? Blake Dunlap (Dec 06)
- Re: Over a decade of DDOS--any progress yet? Jonas Frey (Probe Networks) (Dec 06)
  - Re: Over a decade of DDOS--any progress yet? Patrick W. Gilmore (Dec 06)
    - Re: Over a decade of DDOS--any progress yet? David Ulevitch (Dec 06)
    - Re: Over a decade of DDOS--any progress yet? Patrick W. Gilmore (Dec 06)
    - Re: Over a decade of DDOS--any progress yet? Sean Donelan (Dec 07)
    - Re: Over a decade of DDOS--any progress yet? Patrick W. Gilmore (Dec 07)
    - Re: Over a decade of DDOS--any progress yet? Paul Ferguson (Dec 07)
    - Re: Over a decade of DDOS--any progress yet? Dobbins, Roland (Dec 07)
    - Re: Over a decade of DDOS--any progress yet? Adrian Chadd (Dec 07)
    - Re: Over a decade of DDOS--any progress yet? Dobbins, Roland (Dec 07)
    - Re: Over a decade of DDOS--any progress yet? Adrian Chadd (Dec 07)

(Thread continues...)