Distributed Denial of Service attacks work by having lots of Web clients access a particular Web site or service at the same time. Since each access looks like a genuine request for information, the server cannot differentiate between the traffic which it was designed to serve and that which is intended to distract it. It gets swamped.
It wouldn't be so bad if networking systems worked well at high capacity but, in general, they don't. The high level of traffic results in everything slowing down to a crawl and the server spending all of its time spitting out the same information to people who aren't even listening. They may have even spoofed their return address so that they don't get the traffic.
Distributed DDOS Prevention would involve using the infrastructure to handle such attacks. The system would work as a co-operation between servers and routers:
- Each server would communicate its maximum traffic level to its local router and would never get swamped.
- The router would analyse traffic patterns and would set limits to all its nearest neighbours.
- They, in turn, could do the same until the problem is spread out enough that none of the infrastructure is unduly taxed.
So, what happens to the extra traffic? Well, the simple solution would be to just drop it. This would still make the DDOS attack have some success since the dropped traffic would be a mix of genuine and malicious packets.
The more complex solution would be for the router itself to issue a challenge and response to determine that there is someone at the other end. It could supply the user with a web page containing one of those images that contain a word obscured in an image so that a human can read it but it foxes a machine. When the person enters the word their IP address is remembered and the traffic passed with a higher priority.
Packets with faked source addresses wouldn't receive the challenge and packets auto-generated by some trojan on a vulnerable machine wouldn't be capable of proving the response. At enough hops away from the server to make the traffic manageable, genuine attempts to access the server would be passed and malicious attempts to disrupt the server dropped.
It's not a complete solution, but might be another step in the arms race.-- st3f,
Apr 05 2004
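As an added illustration (constructed here, not part of the original post or of any of the linked papers), a toy Python model of the router-side admission scheme the post sketches: the server advertises its capacity, unverified sources are challenged, verified sources get priority, and traffic over capacity is dropped. All class and function names are invented, and the traffic mix is constructed so that attack packets arrive ahead of the genuine ones.

```python
import secrets

# Toy model of the post's router-side admission (constructed example, not a real
# router): advertised capacity, challenges to unverified sources, priority for verified.
class ChallengeRouter:
    def __init__(self, server_capacity, max_pending=1000):
        self.capacity = server_capacity      # packets/tick the server said it can absorb
        self.max_pending = max_pending       # bound the challenge table: spoofed sources never answer
        self.verified, self.pending = set(), {}

    def respond(self, src, token):
        """Client echoes the challenge token back; only a host that really owns `src` can."""
        if self.pending.get(src) == token:
            self.verified.add(src)
            del self.pending[src]
            return True
        return False

    def forward(self, packets):
        """Admit up to `capacity` packets: verified sources first, then unverified in
        arrival order. Returns (admitted packets, {src: challenge token} sent out)."""
        verified = [p for p in packets if p[0] in self.verified]
        unverified = [p for p in packets if p[0] not in self.verified]
        admitted = verified[:self.capacity]
        admitted += unverified[:max(0, self.capacity - len(admitted))]
        challenges = {}
        for src, _ in unverified:
            if src not in self.pending and len(self.pending) >= self.max_pending:
                continue                     # table full: forged addresses would exhaust it
            challenges[src] = self.pending.setdefault(src, secrets.token_hex(4))
        return admitted, challenges

def simulate(ticks=5, capacity=10, legit=4, bots=20, spoof=20):
    """Constructed traffic mix: bots and spoofed packets arrive first, so without
    verification the genuine clients would be the ones dropped."""
    router = ChallengeRouter(capacity)
    legit_admitted = attack_admitted = 0
    for t in range(ticks):
        packets = [(f"bot-{i}", "GET /") for i in range(bots)]
        packets += [(f"spoof-{t}-{i}", "GET /") for i in range(spoof)]  # forged source each tick
        packets += [(f"legit-{i}", "GET /") for i in range(legit)]
        admitted, challenges = router.forward(packets)
        legit_admitted += sum(1 for src, _ in admitted if src.startswith("legit-"))
        attack_admitted += sum(1 for src, _ in admitted if not src.startswith("legit-"))
        for src, token in challenges.items():
            # Only a human at a real address solves it: bots can't, spoofed hosts never see it.
            if src.startswith("legit-"):
                router.respond(src, token)
    return {"legit_total": ticks * legit, "legit_admitted": legit_admitted,
            "attack_total": ticks * (bots + spoof), "attack_admitted": attack_admitted}
```

With the defaults, genuine clients lose only the first tick (before they have answered the challenge) and then take priority, while the bots only get whatever capacity is left over and the spoofed sources pile up in the challenge table, which is why that table has to be bounded.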
DDOS information (general page o' links)
http://staff.washin...dittrich/misc/ddos/ [jutta, Oct 04 2004, last modified Oct 05 2004]
A Taxonomy of DDoS Attacks and DDoS Defense Mechanisms
http://lasr.cs.ucla...h_report_020018.pdf by Jelena Mirkovic, Janice Martin and Peter Reiher, UCLA Technical report #020018. A good place to start. [jutta, Oct 04 2004, last modified Oct 05 2004]
Using Graphic Turing Tests To Counter Automated DDoS Attacks Against Web Servers
http://www1.cs.colu...s/Papers/websos.pdf U Columbia Paper, CCS '03. [jutta, Oct 04 2004, last modified Oct 05 2004]
SOS - Secure Overlay Services
http://nsl.cs.columbia.edu/projects/sos/ The general architecture that underlies their "WebSOS" is applicable to much more than just the web. [jutta, Oct 04 2004, last modified Oct 05 2004]
What you describe in your third paragraph is a topic of much work right now, commonly referred to as "Quality of Service" or QoS. Top of the line network switches and routers can enforce various QoS rules on packets to implement pretty much what you describe.-- krelnik,
Apr 05 2004
True, but I'm still holding out for someone to link to a white paper written in 199x telling me that this is all old hat.-- st3f,
Apr 05 2004
Pretty much. It's not like this isn't an active research topic, market, and subject of conferences, and you're sounding a little like someone who finally sits down to solve that transportation problem he's heard of once and for all. Hm. If we put something flat and round at the end of a stick, and then rotate it...
Mixing DDoS and CAPTCHAs is a bit too outlandish to have been proposed in earnest (let alone to be an "old hat"), but who knows. (Oh look, here's a paper from Angelos's group at U Columbia about that, albeit in the context of Web DDoS, not IP-level.)
Personally, I agree that DOS should have never been distributed in the first place.-- jutta,
Apr 05 2004
Jutta, you're a star. That third link is pretty much an exact fit to the idea. My only relief is that it was written this century.
Now, about that round thing on the end of a stick... I'm sure I can do something with that.-- st3f,
Apr 06 2004