interesting-people message



Subject: [IP] DDOS attacks




Begin forwarded message:

From: Christian Huitema <huitema@microsoft.com>
Date: August 10, 2009 12:26:40 PM EDT
To: "dave@farber.net" <dave@farber.net>, ip <ip@v2.listbox.com>
Subject: RE: [IP] DDOS attacks

From: "Michael O'Dell" <mo@ccr.org>
Date: August 9, 2009 2:54:16 PM EDT
To: dave@farber.net
Subject: DDOS attacks

a fundamental problem with Denial of Service Attacks,
and most other Internet "security" problems in general,
is that they are "attacks" only in retrospect.
In fact, a DDOS attack is indistinguishable from
a success disaster (flash crowd, "slashdotted", etc)
only after observing the event for a while and
then imputing nefarious intent.

Mike is correct, but only partially. The "perfect" DDOS attack would be indistinguishable from a sudden rise in a site's popularity, but actual attacks only approximate normal traffic. The old attacks were gross estimates, e.g. a SYN attack that would only attempt partial connections, or programmed loops in which the same attacker would repeat the same request at short intervals. The defense strategy then is to understand the patterns of traffic, distinguish abnormal traffic, and slow it down. For example, an IP address that sources too many repeated requests might be temporarily blacklisted, and connection requests might be processed in a separate queue. Major web sites have learned to use this kind of defense, and are able to "repel" most attacks. The fact that Twitter did not is either a statement about the cunningness of that particular attack, or a statement about the engineering quality of the Twitter server farm.

-- Christian Huitema
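
The defense described in the message above (spot an address that repeats the same request at short intervals, slow it down, then blacklist it temporarily) can be sketched as follows. This is an added example, not part of the original message; the class name, thresholds and sample traffic are assumptions constructed for illustration.

```python
from collections import defaultdict, deque

class RepeatRequestFilter:
    """Classify each request as 'fast', 'slow' (separate queue) or 'drop' (temporary blacklist)."""

    def __init__(self, window=10.0, slow_after=5, block_after=10, block_secs=60.0):
        self.window = window              # seconds of history kept per (ip, request)
        self.slow_after = slow_after      # repeats in window before the slow queue
        self.block_after = block_after    # repeats in window before blacklisting
        self.block_secs = block_secs      # how long a blacklist entry lasts
        self.seen = defaultdict(deque)    # (ip, request) -> recent timestamps
        self.blocked_until = {}           # ip -> time the blacklist entry expires

    def classify(self, ts, ip, request):
        if self.blocked_until.get(ip, 0.0) > ts:
            return "drop"
        self.blocked_until.pop(ip, None)          # entry expired: temporary, not permanent
        q = self.seen[(ip, request)]
        q.append(ts)
        while q and q[0] <= ts - self.window:     # forget repeats outside the window
            q.popleft()
        if len(q) > self.block_after:
            self.blocked_until[ip] = ts + self.block_secs
            q.clear()
            return "drop"
        return "slow" if len(q) > self.slow_after else "fast"


def run(events, **settings):
    """Feed (timestamp, ip, request) tuples through a filter; return per-IP decision counts."""
    flt = RepeatRequestFilter(**settings)
    counts = defaultdict(lambda: defaultdict(int))
    for ts, ip, request in events:
        counts[ip][flt.classify(ts, ip, request)] += 1
    return {ip: dict(c) for ip, c in counts.items()}


# Constructed sample traffic (documentation address ranges, not real logs).
# Flash crowd: 200 distinct clients each fetch the page once within 10 seconds.
FLASH_CROWD = [(i * 0.05, f"203.0.113.{i}", "GET /") for i in range(200)]
# Programmed loop: one client repeats the same request every 0.2 seconds.
LOOP = [(i * 0.2, "192.0.2.7", "GET /search?q=a") for i in range(30)]

if __name__ == "__main__":
    result = run(sorted(FLASH_CROWD + LOOP))
    print("looping client:", result["192.0.2.7"])
    print("flash-crowd clients all fast:",
          all(result[ip] == {"fast": 1} for _, ip, _ in FLASH_CROWD))
```

Run against the merged traffic, every flash-crowd client stays in the fast path while the looping client is first moved to the slow queue and then dropped until its blacklist entry expires.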





