How to game the system (was Re: What does 95th %tile mean?)

• Previous message (by thread): How to game the system (was Re: What does 95th %tile mean?)
• Next message (by thread): Government?s CERT plans to sell early warnings on Web threat s
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Fri, Apr 20, 2001 at 01:11:14PM -0400, Greg A. Woods wrote:
>
> The difference with most DDoS attacks is that they have one or a very
> few "targets" (i.e. one host, or one subnet which equals one port on a
> router, etc.).  Those types of DDoS attacks are damaging to everyone's
> perception of how a network is performing because they present a
> radically unbalanced flow, or small set of flows, against the normal
> traffic distribution.  The result is that lots of little connections get
> pushed aside, and too many packets over all get dropped.  Obviously the
> DDoS attacker doesn't really care if all his data gets through -- he's
> more than happy to have it mostly all end up in the bit bucket just so
> long as he's causing other flows to end up there too.  In the real world

Actually, making it to the target is precisely the point of a DDoS. If an
attacker fires off a single machine's 100Mbit worth of attack, it's more
likely to kill a single ds3 peer somewhere along the way then to make it
to the target (and in the process piss off all the people who were trying
to use that link, but not necessarily the people trying to use the target,
the exact opposite of their goals). If on the other hand, the attacker
fires off 100 1Mbit syn floods from diverse network locations, it's more
likely to a) go unnoticed by 99 of those source sites, b) reach the target
or as close to the target's last bottleneck as possible, and c) only
affect the victim and not the intermediate networks in between.

> a paying customer will be using TCP or some such protocol which will
> flow control itself if there's not enough available capacity to run at
> full speed (or heaven forbid if there's loss that can't be avoided by
> flow control).  So, no matter how big my pipe, and how many or few TCP
> connections I try to push/pull through it, I cannot create a burst that
> will affect other customers in any long-term significant fashion,
> especially if all the other customers also have the same size pipe.

That is absolutily not the case. You may have no problem self-regulating a
few TCP sessions ftp'ing some files while ssh'ing on a 10Mbit network, but
when you have many thousands or hundreds of thousands of TCP flows on an
internet backbone, the link will quickly suffer from the combined
window-probing and packet loss backoffs effects of all those flows. Don't
forget all that web traffic with all the flow start and stops, and the
humans clicking refresh which is not self regulating at all... The
internet does not behave like a linksys hub-based network...

Having more flows is sortof like having a TCP which doesn't back off quite
as easily (for those of you running an open source operating system, go
see what happens if you tune some of the retransmit settings so you aren't
quite as friendly as everyone else)... DDoS doesn't back off either... :P
The only way you can compete under these conditions is if you have a
transport protocol which doesn't take packet loss for an answer, and you
are willing to have a bandwidth free-for-all (obviously this is
completely self destructive when applied to the internet)...

> Who sets up what?!?!?!?  Show me a real-world example of how somone can
> cause distruptive peaks of normal traffic and not get billed for them,
> and also not end up paying more than they would have paid if they'd
> simply played fairly.  Alex Pilsov's example scenario is about the only

See my previous email regarding monthly backups... It's not that uncommon
among ecommerce people with multiple locations...

> Maybe the industry will eventually find that 95 is a bad number and it
> really has to be 96, or even 98.  All I know is that if you're selling
> ethernet, or even high-speed SDSL, you cannot fairly bill at the 100'th
> percentile of peak bandwidth usage.  Any user stupid enough to sign a
> deal based on 100'th percentile peak bandwidth usage (when buying a pipe
> much fatter than they require) is probably getting taken to the cleaners
> and obviously doesn't understand now data moves on the Internet.

This is really a backwards scheme. If you use 20Mbit for 90% of the time,
and then you use 80Mbit because you are slashdotted for 3 days or
something, your maximium rate is still 80Mbit... You've already paid for
27 days * 60Mbps = 17.5TB of unsent data outbound, and 30 days * 80Mbps =
26TB of unreceived data inbound.

It has an advantage for the provider of motivating the customer not to
burst their traffic (and thus making their network more predictable), but
if you are in the business to encourage your customers NOT to use the
internet then what is the point.

-- 
Richard A Steenbergen <ras at e-gerbil.net>       http://www.e-gerbil.net/ras
PGP Key ID: 0x138EA177  (67 29 D7 BC E8 18 3E DA  B2 46 B3 D8 14 36 FE B6)

• Previous message (by thread): How to game the system (was Re: What does 95th %tile mean?)
• Next message (by thread): Government?s CERT plans to sell early warnings on Web threat s
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]