nanog mailing list archives
Re: Over a decade of DDOS--any progress yet?
From: James Hess <mysidia () gmail com>
Date: Wed, 8 Dec 2010 00:21:11 -0600
On Mon, Dec 6, 2010 at 1:50 AM, Sean Donelan <sean () donelan com> wrote:
> February 2000 weren't the first DDOS attacks, but the attacks on multiple
> Other than buying lots of bandwidth and scrubber boxes, have any other DDOS attack vectors been stopped or rendered useless during the last decade?
Very little, no, and no. Not counting occasional application bugs that are quickly fixed. Even TCP weaknesses that can facilitate attack are still present in the protocol.

New vectors and variations of those old vectors have emerged since the 1990s. So there is an increase in the number of attack vectors to be concerned about, not a reduction.

SYN and Smurf are swords and spears after someone came up with atomic weaponry. The atomic weaponry is named "bot net". Which is why there is less concern about the former types of single-real-origin, spoofed-source attacks.

Botnet-based DDoS is just "Smurf" where amplification nodes are obtained by system compromise instead of router misconfiguration, and a minor variation on the theme where the chain reaction is not started by sending spoofed ICMP ECHOs.

Since 2005 there are new beasts such as "Slowloris" and "DNS Reflection". DNS Reflection attacks are a more direct successor to Smurf; true Smurf broadcast amplification points are rare today, with diminishing returns for the attacker trying to find the 5 or 6 misconfigured gateways out there, but that doesn't diminish the vector of spoofed small-request, large-response attacks. Open DNS servers are everywhere.

SYN attacks traditionally come from a small number of sources and rely on spoofing to attack limitations on the available number of connection slots for success. New vectors that became most well-known in the late 90s utilize botnets, and an attacker can make full connections, therefore requiring zero spoofing, negating the benefit of SYN cookies. In other words, SYN floods got supplanted by TCP_Connect floods.

--
-JH
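The SYN-cookie point in the message above, worked through as an added example (this is not code from the post, and not a real TCP stack): a listener that issues SYN cookies keeps no state for a SYN, so a spoofed flood whose SYN-ACKs go nowhere allocates nothing, while a botnet whose members own their addresses completes the handshake with a valid cookie and fills the socket table anyway. The cookie layout (5-bit time counter, 3-bit MSS index, 24-bit keyed hash) follows the general SYN-cookie scheme; the HMAC construction, the MSS table values and the `CookieServer` simulation are my assumptions, chosen for illustration rather than wire compatibility with any kernel.

```python
"""
Model of TCP SYN cookies and of the two floods discussed in the post.

Added example for this thread; not code from the original message and not
a real TCP stack. Cookie layout follows the general SYN-cookie scheme; the
keyed hash, table values and the simulated server are assumptions.
"""
import hashlib
import hmac
import os
import struct

SECRET = os.urandom(32)               # per-host secret (real stacks rotate it)
MSS_TABLE = (536, 1300, 1440, 1460)   # MSS values the 3-bit index can encode
TICK = 64                             # cookie counter advances every 64 s


def _mac(saddr, daddr, sport, dport, count, mss_idx):
    """24-bit keyed hash binding the cookie to the 4-tuple, time and MSS."""
    msg = struct.pack("!4s4sHHIB", saddr, daddr, sport, dport, count, mss_idx)
    digest = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:3], "big")


def make_cookie(saddr, daddr, sport, dport, client_mss, now):
    """Server ISN for the SYN-ACK: everything needed to rebuild the socket later."""
    count = (int(now) // TICK) & 0x1F
    fits = [i for i, m in enumerate(MSS_TABLE) if m <= client_mss]
    mss_idx = fits[-1] if fits else 0           # largest table MSS <= client's
    return (count << 27) | (mss_idx << 24) | _mac(saddr, daddr, sport, dport, count, mss_idx)


def check_cookie(saddr, daddr, sport, dport, ack_seq, now):
    """Validate the final ACK of a handshake; return the MSS, or None if forged/stale."""
    cookie = (ack_seq - 1) & 0xFFFFFFFF          # client ACKs our ISN + 1
    count, mss_idx, mac = cookie >> 27, (cookie >> 24) & 0x7, cookie & 0xFFFFFF
    age = (((int(now) // TICK) & 0x1F) - count) & 0x1F
    if age > 1:
        return None                              # older than the previous tick
    if mss_idx >= len(MSS_TABLE):
        return None
    expected = _mac(saddr, daddr, sport, dport, count, mss_idx)
    if not hmac.compare_digest(mac.to_bytes(3, "big"), expected.to_bytes(3, "big")):
        return None
    return MSS_TABLE[mss_idx]


class CookieServer:
    """Listener that keeps no state for a SYN; a socket exists only after a valid ACK."""

    def __init__(self, daddr=b"\x0a\x00\x00\x01", dport=80, capacity=1000):
        self.daddr, self.dport, self.capacity = daddr, dport, capacity
        self.established = set()

    def syn(self, saddr, sport, mss, now):
        # Reply with a SYN-ACK carrying the cookie as ISN; store nothing.
        return make_cookie(saddr, self.daddr, sport, self.dport, mss, now)

    def ack(self, saddr, sport, ack_seq, now):
        if check_cookie(saddr, self.daddr, sport, self.dport, ack_seq, now) is None:
            return False                         # bad cookie: dropped, no state
        if len(self.established) >= self.capacity:
            return False                         # out of sockets: service denied
        self.established.add((saddr, sport))
        return True


def spoofed_syn_flood(server, n, now=1_000_000):
    """90s-style flood: one real attacker, spoofed sources, SYN-ACKs go nowhere."""
    for i in range(n):
        server.syn(struct.pack("!I", 0xC0A80000 + i), 40000 + i % 20000, 1460, now)
    return len(server.established)              # nothing was ever allocated


def connect_flood(server, n, now=1_000_000):
    """Botnet flood: every bot owns its address and completes the handshake."""
    accepted = 0
    for i in range(n):
        saddr, sport = struct.pack("!I", 0x0B000000 + i), 50000 + i % 10000
        cookie = server.syn(saddr, sport, 1460, now)
        if server.ack(saddr, sport, (cookie + 1) & 0xFFFFFFFF, now):
            accepted += 1
    return accepted


def legit_client_connects(server, now=1_000_000):
    """A genuine client with a 1300-byte MSS tries to get a socket."""
    saddr, sport = b"\x08\x08\x04\x04", 51234
    cookie = server.syn(saddr, sport, 1300, now)
    return server.ack(saddr, sport, (cookie + 1) & 0xFFFFFFFF, now)


if __name__ == "__main__":
    s1 = CookieServer(capacity=100)
    print("spoofed SYN flood: sockets used", spoofed_syn_flood(s1, 10000),
          "legit client ok:", legit_client_connects(s1))
    s2 = CookieServer(capacity=100)
    print("connect flood: sockets used", connect_flood(s2, 10000),
          "legit client ok:", legit_client_connects(s2))
```

The cookie defends exactly one resource, the listen backlog: a forged or stale ACK is rejected without allocating anything, and ten thousand spoofed SYNs leave the table empty. Once each source can actually receive the SYN-ACK, the cookie validates as designed and the limit that gets exhausted is the established-socket count (and behind it, whatever the application does per connection), which is the TCP_Connect flood the message describes.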