[Tfug] (D)DoS countermeasures

Yan zardus at gmail.com
Wed May 15 12:20:51 MST 2013


It depends on how much money you want to sink into it. For example, it
would be quite hard to DDOS Google or Facebook, as they have global CDNs
that will likely easily survive any such attack. If you're limited to one
uplink to the net, then you're probably quite vulnerable to an attack by
overwhelming traffic. My understanding is that in such an event, you'd have
to work with upstream providers to get the flow of traffic cut off.

One CDN that specifically incorporates DDOS protection is Cloudflare. They
basically set up as a proxy to your site (if the resource in question is a
site) and do DDOS mitigation, caching, etc. They handle the identification
and blocking of malicious traffic and so forth. My understanding is that
the requests that actually make it to you from Cloudflare would not include
these DDOS requests. The cost, of course, is the cost of the service and a
break in the end-to-end nature of the connection (i.e., it now goes through
Cloudflare).

A recent trend we've been seeing in the lab is smart DOS attacks, where an
attacker will research your site to determine what actions will put the
most strain on your infrastructure. For example, there might be a complex
DB query that you can't cache or something. They'll then use that
explicitly to cripple your site with a much smaller amount of requests than
just fetching the index page, for example. Those are much trickier to
protect against.

- Yan
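The "smart DOS" case above, where a handful of requests to an expensive, uncacheable endpoint put more strain on the backend than hundreds of fetches of the index page, is exactly what a plain per-client request counter misses. The following is an added example, not code from this list thread or from Cloudflare: a token bucket that charges each request its estimated backend cost instead of counting it as one, so that the client generating the most load is the one that gets throttled. The endpoint cost table, the bucket parameters (300 units capacity, 30 units/s refill) and the access-log entries are all constructed for the example.

```python
"""Cost-weighted rate limiting against application-layer (smart) DoS.

Each request is charged its estimated backend cost (a constructed figure,
think milliseconds of DB time) rather than counting as one request.  A
client issuing 20 expensive queries then exhausts its budget long before
a client issuing 100 cheap static fetches does.
"""
from collections import defaultdict

# Hypothetical per-endpoint cost table in "cost units"; values are constructed.
ENDPOINT_COST = {
    "/index.html": 1,
    "/static/logo.png": 1,
    "/search?q=": 50,        # complex, uncacheable DB query
    "/report/export": 200,   # heavy aggregation
}
DEFAULT_COST = 5             # anything not in the table


def endpoint_cost(path):
    """Longest-prefix match of the request path against the cost table."""
    best, best_len = DEFAULT_COST, -1
    for prefix, cost in ENDPOINT_COST.items():
        if path.startswith(prefix) and len(prefix) > best_len:
            best, best_len = cost, len(prefix)
    return best


class CostBucket:
    """Token bucket measured in cost units rather than request count."""

    def __init__(self, capacity, refill_per_sec):
        self.capacity = float(capacity)
        self.refill_per_sec = float(refill_per_sec)
        self.tokens = self.capacity
        self.last_ts = 0.0

    def allow(self, cost, now):
        # Refill proportionally to elapsed time, never beyond capacity.
        elapsed = max(0.0, now - self.last_ts)
        self.tokens = min(self.capacity, self.tokens + elapsed * self.refill_per_sec)
        self.last_ts = now
        if self.tokens >= cost:
            self.tokens -= cost
            return True
        return False


class Limiter:
    """One cost bucket per client address."""

    def __init__(self, capacity=300, refill_per_sec=30):
        self.buckets = defaultdict(lambda: CostBucket(capacity, refill_per_sec))

    def check(self, ts, client, path):
        return self.buckets[client].allow(endpoint_cost(path), ts)


def replay(log, capacity=300, refill_per_sec=30):
    """Replay (timestamp, client, path) entries; return per-client stats."""
    lim = Limiter(capacity, refill_per_sec)
    stats = defaultdict(lambda: {"requests": 0, "rejected": 0, "cost": 0})
    for ts, client, path in sorted(log, key=lambda e: e[0]):
        s = stats[client]
        s["requests"] += 1
        s["cost"] += endpoint_cost(path)
        if not lim.check(ts, client, path):
            s["rejected"] += 1
    return dict(stats)


def sample_log():
    """Constructed traffic: a busy but cheap client and a low-volume expensive one."""
    log = []
    # 10.0.0.5: 100 index fetches over 10 s (cost 1 each).
    for i in range(100):
        log.append((i * 0.1, "10.0.0.5", "/index.html"))
    # 198.51.100.7: 20 uncacheable searches over 10 s (cost 50 each).
    for i in range(20):
        log.append((i * 0.5, "198.51.100.7", "/search?q=dragnet"))
    return log


if __name__ == "__main__":
    for client, s in replay(sample_log()).items():
        print(client, s)
```

With these parameters the cheap client never loses a request, while the expensive client is throttled after its eighth query even though it sent a fifth as many requests. The cost table is the part that needs real data in practice: derive it from measured backend time per route, and keep it on the edge component that can drop traffic before it reaches the database.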


On Sun, May 12, 2013 at 7:54 PM, Bexley Hall <bexley401 at yahoo.com> wrote:

> On 5/12/2013 6:33 PM, Bexley Hall wrote:
>
>> Hi,
>>
>> To be clear, I can't protect against (D)DoS attacks anywhere
>> "upstream" of the first "smart" exposed interface. I.e.,
>> a router, bastion host, etc. -- something that can filter and
>> discard the offending traffic.
>>
>> And, regardless, I can do nothing to impact *incoming* bandwidth
>> upstream of that point. (I.e., if the link is saturated with
>> adversarial traffic, nothing *I* might want can get through...
>> including replies to outbound service requests!).
>>
>> Bottom line, all I can do is protect *within* this secured
>> portion of the network (?). And, push smarts out to the fringe
>> to keep the cruft from having *any* impact on internal operations.
>>
>
> <Grrrrr>
>
> Sorry, this was meant to be a QUESTION posed as a set of
> *assumptions*. I.e., to be *confirmed* or *refuted* (as
> well as opening the door for other ideas that I may not
> be seeing).
>
>
> _______________________________________________
> Tucson Free Unix Group - tfug at tfug.org
> Subscription Options:
> http://www.tfug.org/mailman/listinfo/tfug_tfug.org
>