[Tfug] (D)DoS countermeasures

Yan zardus at gmail.com
Wed May 15 20:42:00 MST 2013


> Ah, makes sense.  E.g., requesting a large object via HTTP/FTP
> is a bigger hit than GET-ing a tiny web page, etc.  Especially
> as each such large object ties up resources for a lot longer
> and allows the possibility of other such "loads" being placed
> on your system.
>

It goes a bit deeper than that, even. With a modern web app architecture, a
big static file would likely be cached, and the server used for that could
probably withstand a decent amount of abuse. It's not really doing anything
to send you that big file other than disk IO, and if it's got an SSD
(gasp!) or enough RAM to cache the whole file and an HTTP daemon tailored
for static content, I'd imagine it could serve a lot of clients before
buckling.

You could still bring it down with enough load, but that's kind of a
lamer's game: the attacker exerts as many resources as the defender does.
That's ok if you have a big network of bots (like the Spamhaus attack), but
such attacks are very high profile and risky.

On the other hand, if you want to take down (for example) a forum and know
(maybe from timing analysis) that their subforum search is not cached or
not indexed or something, you'd have a much smaller number of bots do
subforum searches over and over. Each hit takes a small GET request ("GET
/search?subforum=blah&query=foo", just a few dozen bytes plus TCP overhead)
but might cause the DB server to do a table scan and the app server to keep
the connection open and waiting. You could take down the site with a much
smaller army of bots (and MUCH less bandwidth) than what'd be required if
you were just pulling files.

> Understood.  In theory, there are no such "well known" services
> exported.  OTOH, a DoS attack would still cripple the ability
> to (e.g.) read your mail, access other web sites, etc.
>

I think we're talking about two different scenarios. I mostly see DDOSes in
the context of web site operators and such, where the employees reading
their mail would probably not be a concern (and where it might not be
feasible to saturate the network link). I've heard of DDOSes to residential
connections, but not often. There was some (possibly theoretical?) mention
of cybercrime gangs DDOSing people (both with a network DDOS and by
flooding their phones with phone calls, the latter of which can be easily
done by puppeteering a bunch of Skype accounts) after stealing their
banking credentials so that the victims couldn't call their bank to lock
things down. I'm not sure how frequently such individual-level DDOSes
happen, though.

- Yan
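The asymmetry Yan describes (a GET of a few dozen bytes that forces a full table scan) can be made concrete with a small script. This is an added example, not code from the thread or from any forum software; it builds a constructed in-memory SQLite table of hypothetical posts, shows via EXPLAIN QUERY PLAN that the unindexed subforum search is a full scan, compares the attacker's request size with the per-query server cost, and then applies two of the countermeasures implied in the message: an index on the filtered column and a result cache so repeated identical searches stop hitting the database. The table name, column names, sizes and the `forum.example` host are all assumptions made for the example.

```python
"""Cheap request, expensive query: why an uncached, unindexed search is a
better DoS target than a static file, and two server-side countermeasures.
All data is constructed in memory for this example (assumed schema)."""
import sqlite3
import time

N_POSTS = 20000      # assumed forum size
N_SUBFORUMS = 50

def build_db(n_posts=N_POSTS):
    """Hypothetical forum table: no index on subforum, so a subforum filter must scan."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE posts (id INTEGER PRIMARY KEY, subforum INTEGER, body TEXT)")
    conn.executemany(
        "INSERT INTO posts VALUES (?, ?, ?)",
        ((i, i % N_SUBFORUMS, f"post {i} about topic{i % 997}") for i in range(n_posts)),
    )
    conn.commit()
    return conn

# The query behind "GET /search?subforum=blah&query=foo" in the message.
SEARCH_SQL = "SELECT id FROM posts WHERE subforum = ? AND body LIKE ?"

def plan(conn, subforum, query):
    """First step of SQLite's EXPLAIN QUERY PLAN: a detail starting with 'SCAN' is a
    full table scan; 'SEARCH ... USING INDEX ...' is an index lookup."""
    rows = conn.execute("EXPLAIN QUERY PLAN " + SEARCH_SQL, (subforum, f"%{query}%")).fetchall()
    return rows[0][3]

def search(conn, subforum, query):
    """The uncached search endpoint: every call goes to the database."""
    return [r[0] for r in conn.execute(SEARCH_SQL, (subforum, f"%{query}%"))]

def request_bytes(subforum, query):
    """Bytes the attacker must send for one search (minimal HTTP/1.1 GET)."""
    req = f"GET /search?subforum={subforum}&query={query} HTTP/1.1\r\nHost: forum.example\r\n\r\n"
    return len(req.encode())

def time_requests(conn, n, subforum, query):
    """Average server-side seconds per search, i.e. what the attacker makes us spend."""
    t0 = time.perf_counter()
    for _ in range(n):
        search(conn, subforum, query)
    return (time.perf_counter() - t0) / n

def add_index(conn):
    """Countermeasure 1: index the filtered column so only one subforum is touched."""
    conn.execute("CREATE INDEX IF NOT EXISTS posts_subforum ON posts(subforum)")

class SearchCache:
    """Countermeasure 2: memoise results, so a bot repeating one query hits a dict."""
    def __init__(self, conn, ttl=30.0, clock=time.monotonic):
        self.conn, self.ttl, self.clock = conn, ttl, clock
        self.store = {}
        self.hits = self.misses = 0

    def search(self, subforum, query):
        key = (subforum, query)
        now = self.clock()
        entry = self.store.get(key)
        if entry is not None and now - entry[0] < self.ttl:
            self.hits += 1
            return entry[1]
        self.misses += 1
        result = search(self.conn, subforum, query)
        self.store[key] = (now, result)
        return result

if __name__ == "__main__":
    conn = build_db()
    print("attacker request size :", request_bytes(3, "topic42"), "bytes")
    print("plan without index    :", plan(conn, 3, "topic42"))
    slow = time_requests(conn, 50, 3, "topic42")
    add_index(conn)
    print("plan with index       :", plan(conn, 3, "topic42"))
    fast = time_requests(conn, 50, 3, "topic42")
    print(f"server cost per query : {slow * 1e6:.0f} us unindexed vs {fast * 1e6:.0f} us indexed")
    cache = SearchCache(conn)
    for _ in range(1000):
        cache.search(3, "topic42")
    print("cache hits/misses for 1000 identical queries:", cache.hits, cache.misses)
```

Run it once to see the plan flip from a full scan to an index search and the per-query time drop accordingly; the cache counters show that after the first miss, a bot hammering the same search no longer reaches the database at all. Neither measure stops an attacker from varying the query string, so in practice they are combined with per-client rate limiting on the expensive endpoints.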

