"Paul D. Robertson" wrote:
> On Thu, 24 Feb 2000, Crispin Cowan wrote:
> > > Long-term there are plenty of ways to protect from DDoS attacks, and some
> > > of them will even work. It's the short- to mid-term that's the problem.
> > > However, I still think that trying to call network scanners akin
> > > to munitions when VCL isn't is lopsided. Then again, I think the idiot
> > > who put a programming language into a word processor should be shot.
> >
> > What long term methods would those be? I have yet to hear a convincing proposal.

I'll pick on these piece-wise, to see if we can reduce to a convincing solution.

> Out-of-band control channels,

This doesn't defend against DDoS attacks that are data requests instead of control packets.

> end-to-end QoS,

Also won't stop attackers from flooding your pipe with requests. In fact, it may make it worse, as the attackers could spoof data requests that result in QoS bandwidth allocations to spoofed clients, further choking the server's bandwidth. QoS will have to be carefully tied to authentication, or else it just makes DDoS much worse.

> traffic flow-based routing/flood control protocols,

I don't think I understand this proposal.

> authenticated gatewaying and/or redirection, authenticated routing,

All the authentication schemes have two problems:

* you need a global PKI that works for everyone, which is, er, problematic :-)
* it does not stop an attacker from flooding a machine with packets that fail authentication. Authenticated routing moves the problem up-stream, which only helps somewhat.

> slow-start egress routing,

This needs to be globally deployed to be effective. It is more or less equivalent to saying "secure all Internet nodes", because the attacker could compromise an inside node, and use it to change the egress filtering policy.

> upstream artificial clocking,

I don't understand this proposal.

So of the proposed solutions, I see some that won't work, some that will mitigate the solution but not solve it, and some that I don't understand (my bad). I have not yet seen a complete solution that I understand. The "I don't understand" ones are largely lack of familiarity; I haven't read the proposals that Paul is referring to.

Crispin
-----
Crispin Cowan, CTO, WireX Communications, Inc. http://wirex.com
Free Hardened Linux Distribution: http://immunix.org
JOBS! http://immunix.org/jobs.html
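The two points made above about QoS (spoofed requests can grab bandwidth reservations, and tying reservations to authentication stops the grab but not the flood itself) can be seen in a toy model. This is an added illustration, not code from the thread; the capacities, reservation sizes and request stream are constructed for the example.

```python
# Toy model of the argument above: a QoS scheme that reserves bandwidth per
# request, with and without the reservation being tied to authentication.
# Sizes and names are constructed for illustration, not measured data.

def free_capacity(capacity, reservations):
    """Bandwidth units left on the pipe after all granted reservations."""
    return capacity - sum(reservations.values())


def run_qos(requests, capacity=200, per_reservation=10, tie_to_auth=False):
    """Walk a request stream of (source, authenticated) pairs.

    Returns (legit_served, units_held_by_spoofed_sources, auth_failures).
    auth_failures still arrive on the pipe: tying QoS to authentication stops
    the spoofed *reservations*, not the flood itself.
    """
    reservations = {}
    legit_served = auth_failures = 0
    for source, authenticated in requests:
        if tie_to_auth and not authenticated:
            auth_failures += 1          # packet consumed the pipe, got nothing
            continue
        if free_capacity(capacity, reservations) < per_reservation:
            continue                    # no bandwidth left to allocate
        reservations[source] = reservations.get(source, 0) + per_reservation
        if authenticated:
            legit_served += 1
    spoofed_units = sum(units for src, units in reservations.items()
                        if src.startswith("spoof"))
    return legit_served, spoofed_units, auth_failures


def compare():
    """Constructed stream: a burst of 50 spoofed, unauthenticated requests,
    each from a different forged address, followed by 10 real clients."""
    spoofed = [(f"spoof-{i}", False) for i in range(50)]
    legit = [(f"client-{i}", True) for i in range(10)]
    stream = spoofed + legit
    return {
        "naive_qos": run_qos(stream, tie_to_auth=False),
        "auth_tied_qos": run_qos(stream, tie_to_auth=True),
    }


if __name__ == "__main__":
    for policy, (served, held, failed) in compare().items():
        print(f"{policy}: legit served={served}, "
              f"units held by spoofed sources={held}, auth failures={failed}")
```

With naive reservations the 20 slots on the 200-unit pipe all go to forged sources and no real client is served; with authentication-tied reservations all 10 real clients are served, but the 50 failed packets still had to be received and rejected.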
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:08:04 PDT