nanog mailing list archives
RE: OBESEUS - A new type of DDOS protector
From: Deepak Jain <deepak () ai net>
Date: Mon, 15 Mar 2010 13:04:41 -0400
At first blush, I would say it's an interesting idea but won't actually resolve any of the scariest DDOS attacks we've seen. (Unless I've missed something obvious about your doodle).

The advantage/disadvantage of 100,000+ host drone armies is that they don't actually *have* to flood you, per se. 10 pps (or less) each and you are going to crush almost everything without raising any alarms based on statistically significant patterns, especially based on IPs. Fully/properly formed HTTP port 80 requests to "/" won't set off any alarms since each host is opening 1 or 2 connections and sending keepalives after that. If you forcibly close the connection, it can wait 5 seconds or 15 minutes before it reopens; it doesn't really care.

Anything that hits you faster than that is certainly obnoxious, but MUCH easier to address simply because they are being boring. You *can* punt those requests that are all identical to caches/proxies/IDS/Arbor/what have you and give higher priority to requests that show some differences from them... but you are still mostly at the mercy of serving them unless you *can* learn something about the originator/flow/pattern -- which might get you into a state problem.

Where this might work is if you are a large network that only serves one sort of customer and you'd rather block rogue behavior than serve it (at the risk of upsetting your 1% type customers). This would work for that. Probably good at stomping torrents and other things as well.

Best,

Deepak
-----Original Message-----
From: Guillaume FORTAINE [mailto:gfortaine () live com]
Sent: Monday, March 15, 2010 2:57 AM
To: nanog () nanog org
Subject: Re: OBESEUS - A new type of DDOS protector

Dear Mister Wyble,

Thank you for your reply.

On 03/15/2010 07:00 AM, Charles N Wyble wrote:
> The paper is pretty high level, and the software doesn't appear to be available for download.

http://www.loud-fat-bloke.co.uk/obeseus.html
http://www.loud-fat-bloke.co.uk/tools/obeseusvB.tar.gz

> So it's kinda theoretical.

"We have it running parallel with a commercial product and it detects the following attacks
▪ SYN floods
▪ RST floods
▪ ICMP floods
▪ General UDP floods
▪ General TCP floods"

Best Regards,

Guillaume FORTAINE
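The contrast Deepak draws above, between per-IP rate alarms and a drone army that stays under every per-source threshold, as an added example that is not code from the thread or from OBESEUS. The access-log events are constructed, and the thresholds (per-source pps, origin capacity, minimum source count, request-diversity ratio) are assumed values for illustration.

```python
"""Per-source rate alarms versus an aggregate view of a low-and-slow flood.

Constructed data (not from the thread): 300 drone addresses each send two
well-formed requests for "/" inside a 10 s window, far below any per-IP
threshold, while three ordinary clients browse a few different pages.
"""
from collections import Counter

WINDOW_S = 10.0  # length of the observation window the events fall into


def drone_events():
    """Constructed drones: 0.2 requests/s each, all asking for "/"."""
    events = []  # (timestamp_seconds, src_ip, request_path)
    for i in range(300):  # documentation-range addresses, labelled constructed
        ip = f"198.51.100.{i}" if i < 250 else f"203.0.113.{i - 250}"
        events.append((i % 10 + 0.1, ip, "/"))
        events.append((i % 10 + 5.1, ip, "/"))
    return events


def legit_events():
    """Constructed ordinary browsing: few sources, varied paths."""
    return [(1.0, "192.0.2.10", "/index.html"), (2.0, "192.0.2.10", "/static/app.js"),
            (3.5, "192.0.2.11", "/about"), (7.0, "192.0.2.12", "/search?q=nanog")]


def per_source_alarms(events, window_s=WINDOW_S, max_pps=5.0):
    """Classic per-IP threshold: flag any source above max_pps in the window.
    Note the counter grows with the number of sources, the state problem
    Deepak mentions once the army is 100,000+ hosts."""
    per_ip = Counter(ip for _, ip, _ in events)
    return {ip for ip, n in per_ip.items() if n / window_s > max_pps}


def aggregate_alarm(events, window_s=WINDOW_S, capacity_rps=30.0,
                    min_sources=100, max_distinct_ratio=0.05):
    """Distributed low-rate flood: total rate beyond what the origin can
    serve, spread over many sources, with almost no request diversity."""
    total = len(events)
    if total == 0:
        return False
    rate = total / window_s
    sources = len({ip for _, ip, _ in events})
    distinct_ratio = len({path for _, _, path in events}) / total
    return rate > capacity_rps and sources >= min_sources and distinct_ratio <= max_distinct_ratio


def most_common_request(events):
    """The 'boring' identical request and its share of traffic: the portion
    a defender could punt to caches/proxies while prioritising the rest."""
    path, n = Counter(path for _, _, path in events).most_common(1)[0]
    return path, n / len(events)
```

With the constructed data, `per_source_alarms` returns an empty set for the mixed traffic while `aggregate_alarm` fires, and `most_common_request` shows that over 99% of requests are the identical "/" fetch.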