IW: Tools Stunt DoS Attacks

Adam Back adam at cypherspace.org
Mon Feb 5 19:45:20 PST 2001



This sounds like just a short term work-around, easily countered by
the DoSers.

Rather than fix the problem, they propose to try to detect "unusual
activity" and block the IPs.  I'm not sure what "trace" means either
-- identify IPs and hunt down the perpetrators?

It's the predictable low tech approach to all net problems -- identify
undesirable behavior, trace it, complain to ISPs, block it, form
coalitions against the behavior with central clearing houses of
people to block.

Ultimately you can't distinguish between DDoS and popular content.
They're just pushing the DDoS crowd to the next obvious and easy level
-- bypass their fingerprinting of unusual behavior.  They can't
counter-escalate much further because they'll start getting into false
positives and rejecting legitimate traffic.

Any robust long term solution to DDoS needs to defend against DDoS
with Distributed Service.  If content can be mirrored and cached
reactively to traffic, mature versions of systems like FreeNet could
be built to cope with DDoS.  If requests are routed to local caches
there is no longer a central server taking all the traffic, which is
the basic problem these people are trying to kludge around.

They might want to look at Hash Cash and Client Puzzles for systems
which can't be easily distributed (web apps with central database
needing to be updated).

Adam

> Roughly a year after cyber-terrorists paralyzed some of the Web's
> most trafficked sites, technology is finally emerging to stop such
> distributed denial-of-service attacks before they ever reach their
> target sites.
> 
> [...]
> 
> To combat such attacks on routers, a new company called Arbor
> Networks--funded by Cisco and Intel--this week will launch a managed
> availability service that aims to detect, trace and block DoS
> attacks.
> 
> http://update.internetweek.com/cgi-bin4/flo?y=eCNx0Bd6gU0V30DDqD
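
The post points to Hash Cash and Client Puzzles for services that cannot be distributed. As an added example, not part of the original post and not Hashcash's actual stamp format, here is a simplified client puzzle in that style: the server issues a MAC-protected challenge without keeping per-client state, the client pays about 2**difficulty hashes, and the server verifies with one MAC and one hash. The function names, `DIFFICULTY`, `MAX_AGE` and the challenge layout are assumptions made for the illustration.

```python
import hashlib, hmac, os, time

SERVER_KEY = os.urandom(32)  # per-server secret (constructed for this example)
DIFFICULTY = 12              # required leading zero bits (assumed; ~4096 hashes on average)
MAX_AGE = 60                 # seconds a challenge stays valid (assumed)
_spent = set()               # challenges already redeemed; purge entries older than MAX_AGE

def _mac(ts, nonce, resource):
    msg = f"{ts}|{nonce}|{resource}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()

def _zero_bits(challenge, resource, counter):
    digest = hashlib.sha256(f"{challenge}|{resource}|{counter}".encode()).digest()
    return len(digest) * 8 - int.from_bytes(digest, "big").bit_length()

def issue(resource, now=None):
    """Server: hand out a challenge without storing anything about the client."""
    ts = int(time.time() if now is None else now)
    nonce = os.urandom(8).hex()
    return f"{ts}:{nonce}:{_mac(ts, nonce, resource)}"

def solve(challenge, resource, difficulty=DIFFICULTY):
    """Client: brute-force a counter; about 2**difficulty hashes expected."""
    counter = 0
    while _zero_bits(challenge, resource, counter) < difficulty:
        counter += 1
    return counter

def redeem(challenge, resource, counter, now=None, difficulty=DIFFICULTY):
    """Server: one MAC and one hash to verify, whatever the difficulty."""
    now = time.time() if now is None else now
    try:
        ts, nonce, tag = challenge.split(":")
        age = now - int(ts)
    except ValueError:
        return False
    if not hmac.compare_digest(tag.encode(), _mac(ts, nonce, resource).encode()):
        return False         # forged challenge or different resource
    if not 0 <= age <= MAX_AGE or challenge in _spent:
        return False         # expired, or replay of a spent solution
    if _zero_bits(challenge, resource, counter) < difficulty:
        return False         # work not done
    _spent.add(challenge)
    return True
```

Raising `DIFFICULTY` under load doubles the client's expected cost per extra bit while the server's verification cost stays constant.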




