Unfortunately DDOS attacks seem to be here to stay... There are a LOT of ways to bypass detection; one of them would be something to this effect... I wrote this to test something after reading the original post. This took 10 minutes, and it is a simple proof of case that there ARE ways around "abnormal activity".

What is attached is very, very simple: it's your basic syn flooder with large packets (8k per packet), each packet coming from a different IP address (spoofed), obtained from a spoof file; this spoof file is then reused x number of times, as specified by the cycle parameter.

Please note: I didn't write this to use myself. I wrote this to test something and as a proof of case, and believing in total disclosure security policies and freedom of information, I've decided to open the code to see if anyone can find a way around this type of thing.

The thing with this code is that it is virtually impossible to block. Along with the actual DOS code is a thing called resetgen.c; that resetgen.c generates another 1000 spoofed IPs. If each host were to cycle their spoof files once, run that, cycle again, in a loop, and you ran this from a number of hosts at a time, the only way to block the traffic would be to firewall out the port in question completely, because the packet type is of type syn; if you block syn, nothing can connect to the port in question.

Basically, people who claim to be able to stop DDOS/trace DDOS/etc etc I believe are playing on the public, making money out of a situation that unfortunately has no end in sight, due to the fuckups made in the IP protocol by the Department of Defense when they released the RFC.

Cheers

Andrew Alston

On Mon, 5 Feb 2001, Adam Back wrote:
This sounds like just a short term work-around, easily countered by the DoSers.
Rather than fix the problem, they propose to try to detect "unusual activity" and block the IPs. I'm not sure what "trace" means either -- identify IPs and hunt down the perpetrators?
It's a predictable low-tech approach to all net problems -- identify undesirable behavior, trace it, complain to ISPs, block it, form coalitions against the behavior with central clearing houses of people to block.
Ultimately you can't distinguish between DDoS and popular content. They're just pushing the DDoS crowd to the next obvious and easy level -- bypass their fingerprinting of unusual behavior. They can't counter-escalate much further because they'll start getting into false positives and rejecting legitimate traffic.
Any robust long term solution to DDoS needs to defend against DDoS with Distributed Service. If content can be mirrored and cached reactively to traffic, mature versions of systems like FreeNet could be built to cope with DDoS. If requests are routed to local caches there is no longer a central server taking all the traffic, which is the basic problem these people are trying to kludge around.
They might want to look at Hash Cash and Client Puzzles for systems which can't be easily distributed (web apps with central database needing to be updated).
Adam
Roughly a year after cyber-terrorists paralyzed some of the Web's most trafficked sites, technology is finally emerging to stop such distributed denial-of-service attacks before they ever reach their target sites.
[...]
To combat such attacks on routers, a new company called Arbor Networks--funded by Cisco and Intel--this week will launch a managed availability service that aims to detect, trace and block DoS attacks.
http://update.internetweek.com/cgi-bin4/flo?y=eCNx0Bd6gU0V30DDqD