Re: Dealing With Spoofed Floods and DDoS's With OpenBSD
- To: misc_(_at_)_openbsd_(_dot_)_org
- Subject: Re: Dealing With Spoofed Floods and DDoS's With OpenBSD
- From: "Benjamin A. Collins" <bencollins_(_at_)_tamu_(_dot_)_edu>
- Date: Sun, 16 May 2004 21:19:23 -0500
- Cc: Mike Lewinski <mike_(_at_)_rockynet_(_dot_)_com>
- Mail-followup-to: misc_(_at_)_openbsd_(_dot_)_org, Mike Lewinski <mike_(_at_)_rockynet_(_dot_)_com>
On Thu, May 13, 2004 at 01:42:53PM -0600, Mike Lewinski wrote:
> Anthony de Almeida Lopes wrote:
> >Okay I've set up a little challenge for me. I'm trying to prevent
> >distributed denial of service attacks with OpenBSD's Packet Filter but
> >I'm not having very much luck.
> The only way to "prevent" DDoS is to unplug yourself from the 'net.
> A decent sized DDoS is going to run in the hundreds of thousands of
> packets per second and easily overwhelm your hardware. Your buffers
> will fill up, and most likely the WAN pipe will fill up also. You
> can drop packets as fast as you like, but if legit traffic can't get
> in or out, what difference does it make what pf is doing? 95% of
> DDoS attacks that I run into will easily fill up a T3, and many will
> take the better part of a GiG-E. This is with what are likely
> moderate sized botnets. The *only* solution to a pipe-filler is to
> call the upstream and ask them to filter on their side.
That's not necessarily true. While it is true that if the upstream
bandwidth is useless, legit traffic will still have a hard time, you
*can* do some things to protect your own hardware and still pass a
large portion of whatever legit traffic can get through, depending on
how the attack is implemented (i.e., SYN floods are pretty easy to
defend against in some cases).
> Unfortunately, most upstreams will do no more than null route the
> victim. In many cases, anything else is not practical. Spoofed
> attack sources that use packets to/from random ports with random
> flags is virtually impossible to filter on.
I'd say that's over-generalizing a bit. For example, if the attackers
were to go to the trouble to make source ports and spoofed IPs as
close to perfectly random (in a Shannon sense) as possible, it would
be pretty easy to distinguish that from valid request patterns, in
theory anyway. IMHO, there is a greater burden on the attackers to
make their attack undetectable than on the defenders to detect them.
> In the big picture, the solution to DDoS isn't better protection for
> the targets, but better security for the masses that prevent the
> large-scale formation of botnets.
True, but it's not going to happen anytime soon --- which is a whole
other debate. Coming up with techniques for defending targets is
still worth some effort.
| Benjamin A. Collins <bencollins_(_at_)_tamu_(_dot_)_edu> |
| http://people.cs.tamu.edu/bcollins/ |
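As an added illustration of the "random in a Shannon sense" argument in the reply above (example code, not from the thread or any poster): it computes normalized Shannon entropy of the source address and source port fields over a window of constructed packet records and flags windows where both fields are near-maximally random. The window size, the threshold and the sample records are assumptions for the demonstration.

```python
import math
from collections import Counter

# Constructed packet records (src_ip, src_port); not captured traffic.
# "Legit": a few clients, each cycling through a small ephemeral-port set.
LEGIT_SAMPLE = [("192.0.2.10", 50001 + i % 3) for i in range(60)] + \
               [("198.51.100.7", 40000 + i % 2) for i in range(40)]
# "Spoofed": every record carries a fresh address and port.
SPOOFED_SAMPLE = [("203.0.113.%d" % (i % 256), 1024 + (i * 7919) % 60000)
                  for i in range(100)]

def shannon_entropy(values):
    """H(X) in bits over the empirical distribution of `values`."""
    counts = Counter(values)
    n = sum(counts.values())
    return -sum((c / n) * math.log2(c / n) for c in counts.values())

def normalized_entropy(values):
    """H divided by log2(n), its maximum for n samples, so the result is 0..1.
    1.0 means every sample was distinct, i.e. the field looks uniformly random."""
    n = len(values)
    if n <= 1:
        return 0.0
    return shannon_entropy(values) / math.log2(n)

def classify_window(records, min_packets=50, threshold=0.9):
    """Score one window of (src_ip, src_port) records.
    `min_packets` and `threshold` are assumed tuning values, not from the thread;
    a window that is too small gives a meaningless entropy estimate."""
    if len(records) < min_packets:
        return {"verdict": "insufficient sample",
                "ip_entropy": None, "port_entropy": None}
    ip_h = normalized_entropy([ip for ip, _ in records])
    port_h = normalized_entropy([port for _, port in records])
    # Legit clients reuse addresses and ports heavily; a flood with random
    # spoofed sources pushes both fields toward maximal entropy.
    if ip_h > threshold and port_h > threshold:
        verdict = "likely spoofed flood"
    else:
        verdict = "normal"
    return {"verdict": verdict, "ip_entropy": ip_h, "port_entropy": port_h}

if __name__ == "__main__":
    for name, sample in (("legit", LEGIT_SAMPLE), ("spoofed", SPOOFED_SAMPLE)):
        print(name, classify_window(sample))
```

A real deployment would feed it per-destination windows from pflog or a flow exporter and treat a flagged window as a trigger for closer inspection rather than an automatic block.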