OBESEUS - A new type of DDOS protector

Guillaume FORTAINE gfortaine at live.com
Mon Mar 15 20:59:44 CDT 2010


Dear Mister Morrow,

Thank you for your reply.

To quote:

"The advantage/disadvantage of 100,000+ host drone armies is that they 
don't actually *have* to flood you, per se. 10 pps (or less) each and 
you are going to crush almost everything without raising any alarms 
based on statistically significant patterns especially based on IPs. 
Fully/properly formed HTTP port 80 requests to "/" won't set off any 
alarms since each host is opening 1 or 2 connections and sending 
keepalives after that. If you forcibly close the connection, it can wait 
5 seconds or 15 minutes before it reopens, it doesn't really care. 
Anything that hits you faster than that is certainly obnoxious, but MUCH 
easier to address simply because they are being boring. "



From my point of view, it seems similar to the EDoS concept:

http://www.rationalsurvivability.com/blog/?s=EDos

"EDoS attacks, however, are death by a thousand cuts. EDoS can also 
utilize distributed attack sources as well as single entities, but works 
by making legitimate web requests at volumes that may appear to be 
“normal” but are done so to drive compute, network, and storage utility 
billings in a cloud model abnormally high."


Best Regards,

Guillaume FORTAINE


On 03/16/2010 02:47 AM, Christopher Morrow wrote:
> On Mon, Mar 15, 2010 at 9:44 PM, Guillaume FORTAINE<gfortaine at live.com>  wrote:
>    
>> Dear Mister Jain,
>>
>> Thank you for your reply.
>>
>> You are speaking about EDoS (Economic Denial of Sustainability). Please see
>> the following article :
>>
>> http://www.rationalsurvivability.com/blog/?s=EDos
>>
>> Consider a new take on an old problem based on ecommerce: Click-fraud. I
>>      
> actually deepak was just saying that if you diffuse the botnet enough
> you don't have to send more traffic from individual nodes than would
> be normally expected. In total they swamp the end service
> (potentially). There wasn't any discussion of clickfraud in his note.
>
>    
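
The point quoted in this message, as an added example that is not code from the thread or its participants: a per-source rate threshold stays silent when many hosts each send only a little, while a check on aggregate request volume and distinct-source count does fire. The traffic, the thresholds and the median baseline are constructed assumptions.

```python
from collections import Counter, defaultdict
from statistics import median

WINDOW = 10        # seconds per counting window (assumed)
PER_IP_LIMIT = 50  # requests per source per window before a per-IP alarm (assumed)

def make_events():
    """Constructed sample of (timestamp, source) pairs; not real traffic."""
    events = []
    for w in range(7):
        # 200 regular clients, 3 requests each, in every window
        for c in range(200):
            events += [(w * WINDOW + k, f"10.1.{c // 250}.{c % 250}") for k in range(3)]
    # Window 6 only: 5,000 extra sources sending 2 requests each (0.2 req/s per host)
    for d in range(5000):
        events += [(6 * WINDOW + k, f"10.2.{d // 250}.{d % 250}") for k in (1, 6)]
    return events

def bucket(events):
    """Group events into windows: {window index: Counter(source -> requests)}."""
    buckets = defaultdict(Counter)
    for ts, src in events:
        buckets[ts // WINDOW][src] += 1
    return buckets

def per_ip_alerts(buckets):
    """Classic per-source threshold: (window, source) pairs over PER_IP_LIMIT."""
    return [(w, src) for w, counts in sorted(buckets.items())
            for src, n in counts.items() if n > PER_IP_LIMIT]

def aggregate_alerts(buckets, factor=3, warmup=3):
    """Windows whose total requests or distinct sources exceed factor x the
    median of earlier windows (a simple baseline chosen for this example)."""
    alerts, totals, sources = [], [], []
    for w, counts in sorted(buckets.items()):
        total, distinct = sum(counts.values()), len(counts)
        if len(totals) >= warmup and (total > factor * median(totals)
                                      or distinct > factor * median(sources)):
            alerts.append(w)
        else:
            # only non-alerting windows feed the baseline
            totals.append(total)
            sources.append(distinct)
    return alerts

if __name__ == "__main__":
    b = bucket(make_events())
    print("per-IP alerts:", per_ip_alerts(b))
    print("aggregate alerts:", aggregate_alerts(b))
```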