[Tfug] (D)DoS countermeasures

Bexley Hall bexley401 at yahoo.com
Wed May 15 12:51:34 MST 2013


Hi Yan,

On 5/15/2013 12:20 PM, Yan wrote:
> It depends on how much money you want to sink into it. For example, it
> would be quite hard to DDOS Google or Facebook, as they have global CDNs
> that will likely easily survive any such attack. If you're limited to one
> uplink to the net, then you're probably quite vulnerable to an attack by
> overwhelming traffic. My understanding is that in such an event, you'd have
> to work with upstream providers to get the flow of traffic cut off.

Yes.  That was my point that the outermost "smart" interface determines
your exposure to the threat.  E.g., if someone was physically connected
to your local subnet, you're screwed!  (i.e., you need a "smart
interface" between him and the portions of the network that you want
to protect from said attack)

> One CDN that specifically incorporates DDOS protection is Cloudflare. They
> basically set up as a proxy to your site (if the resource in question is a
> site) and do DDOS mitigation, caching, etc. They handle the identification
> and blocking of malicious traffic and so forth. My understanding is that
> the requests that actually make it to you from Cloudflare would not include
> these DDOS requests. The cost, of course, is the cost of the service and a
> break in the end-to-end nature of the connection (ie, it now goes through
> Cloudflare).

Ah, OK.  But, folks wouldn't want (necessarily) to have to pay
for that (any) "service" unless they were actually subjected to
such attacks.

And, those attacks would essentially bottleneck *legitimate*
traffic at that choke point.

E.g., if you have a smart I/F protecting some portion of your
infrastructure, then everything *inside* is safe from DoS
attacks (assuming intruders are all *outside* that I/F) but
any legitimate traffic (originating from or *replying* to)
outside that I/F is vulnerable.  (e.g., if you contact a
service outside your protection domain, its replies are
not guaranteed to reach you if that I/F is under attack...
"others" can consume all available bandwidth thereby blocking
the reply)

> A recent trend we've been seeing in the lab is smart DOS attacks, where an
> attacker will research your site to determine what actions will put the
> most strain on your infrastructure. For example, there might be a complex
> DB query that you can't cache or something.

Ah, makes sense.  E.g., requesting a large object via HTTP/FTP
is a bigger hit than GET-ing a tiny web page, etc.  Especially
as each such large object ties up resources for a lot longer
and allows the possibility of other such "loads" being placed
on your system.

> They'll then use that
> explicitly to cripple your site with a much smaller amount of requests than
> just fetching the index page, for example. Those are much trickier to
> protect against.

Understood.  In theory, there are no such "well known" services
exported.  OTOH, a DoS attack would still cripple the ability
to (e.g.) read your mail, access other web sites, etc.

[OTOOH, outbound traffic should be unaffected (except for protocol
overhead)]

I see no way around this since anyone can access your particular IP
at any time, etc. even if you have a proxy service set up as a gateway.
<frown>

Thanks!
--don
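The low-volume "smart" DoS Yan describes, where a handful of deliberately expensive requests does more damage than a flood of index-page fetches, is easier to spot if you account for the server-side cost of each request rather than only the request rate. The Python below is an added example, not code from this thread; it assumes a custom access-log format with a trailing service-time field in milliseconds, and the sample lines are constructed.

```python
import re
from collections import defaultdict

# Constructed sample lines (not from the thread): combined log format with a
# trailing service-time field in milliseconds, as a custom LogFormat could add.
SAMPLE_LOG = """\
10.0.0.5 - - [15/May/2013:12:20:01 -0700] "GET /index.html HTTP/1.1" 200 512 3
10.0.0.5 - - [15/May/2013:12:20:01 -0700] "GET /index.html HTTP/1.1" 200 512 2
10.0.0.5 - - [15/May/2013:12:20:02 -0700] "GET /about.html HTTP/1.1" 200 900 4
10.0.0.5 - - [15/May/2013:12:20:03 -0700] "GET /index.html HTTP/1.1" 200 512 2
10.0.0.9 - - [15/May/2013:12:20:01 -0700] "GET /report?year=all HTTP/1.1" 200 2048 4100
10.0.0.9 - - [15/May/2013:12:20:05 -0700] "GET /report?year=all HTTP/1.1" 200 2048 3950
10.0.0.9 - - [15/May/2013:12:20:09 -0700] "GET /report?year=all HTTP/1.1" 200 2048 4200
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<req>[^"]*)" (?P<status>\d{3}) '
    r'(?P<bytes>\d+|-) (?P<ms>\d+)$'
)

def parse_log(text):
    """Yield (client_ip, request_line, bytes_sent, service_ms) per parseable line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:  # lines not in the assumed format are skipped, not guessed at
            sent = 0 if m['bytes'] == '-' else int(m['bytes'])
            yield m['ip'], m['req'], sent, int(m['ms'])

def client_cost(text):
    """Per-client request count and summed cost (server ms + 1 per KiB sent),
    so a large download counts as expensive even when served quickly."""
    stats = defaultdict(lambda: {'requests': 0, 'cost': 0})
    for ip, _req, sent, ms in parse_log(text):
        stats[ip]['requests'] += 1
        stats[ip]['cost'] += ms + sent // 1024
    return dict(stats)

def flag_clients(text, max_requests=10, max_cost=5000):
    """Clients over the plain request budget OR the cost budget.  The cost
    check is what catches a low-volume 'smart' DoS: few requests, each one
    chosen because it is expensive for the server."""
    flagged = {}
    for ip, s in client_cost(text).items():
        reasons = [name for name, over in (
            ('request-rate', s['requests'] > max_requests),
            ('cost-budget', s['cost'] > max_cost)) if over]
        if reasons:
            flagged[ip] = reasons
    return flagged
```

With the sample above, 10.0.0.5 makes more requests but stays well under both budgets, while 10.0.0.9 is flagged on cost alone after only three requests.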
