Over a decade of DDOS--any progress yet?

James Hess mysidia at gmail.com
Wed Dec 8 06:21:11 UTC 2010


On Mon, Dec 6, 2010 at 1:50 AM, Sean Donelan <sean at donelan.com> wrote:

> February 2000 weren't the first DDOS attacks, but the attacks on multiple
> Other than buying lots of bandwidth and scrubber boxes, have any other DDOS
> attack vectors been stopped or rendered useless during the last decade?

Very little, no, and no.
Not counting occasional application bugs that are quickly fixed.
Even TCP weaknesses that can facilitate attack are still present in the protocol.

New vectors and variations of those old vectors emerged since the 1990s.
So there is an increase in the number of attack vectors to be
concerned about, not a reduction.

SYN and Smurf are swords and spears after someone came up with atomic weaponry.
The atomic weaponry is named "botnet", which is why there is less concern about
the former types of single-real-origin, spoofed-source attacks.


Botnet-based DDoS is just "Smurf" where amplification nodes are obtained by
system compromise instead of router misconfiguration, and a minor variation on
the theme where the chain reaction is not started by sending spoofed ICMP ECHOs.

Since 2005 there are new beasts such as "Slowloris" and "DNS Reflection".
DNS Reflection attacks are a more direct successor to smurf; true smurf
broadcast amplification points are rare today (diminishing returns for the
attacker trying to find the 5 or 6 misconfigured gateways out there), but that
doesn't diminish the vector of spoofed small-request, large-response attacks.

Open DNS servers are everywhere.

SYN attacks traditionally come from a small number of sources and rely on
spoofing to attack limitations on the available number of connection slots for
success.

New vectors that became most well known in the late 90s utilize botnets, and
an attacker can make full connections, therefore requiring zero spoofing and
negating the benefit of SYN cookies.

In other words, SYN floods got supplanted by TCP_Connect floods.



-- 
-JH
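The SYN-flood versus full-connect-flood distinction in the post above, worked through as an added example (constructed for this page, not code from the poster or from any real TCP stack): a toy listener with a bounded half-open backlog and a bounded number of established slots is hit first by a spoofed SYN flood and then by a botnet that completes every handshake, each time with SYN cookies off and on. The cookie scheme (an HMAC over the 4-tuple and a coarse counter, truncated into the ISN, with the previous counter period still accepted) is a simplification of what real kernels do; the `Listener` class, the backlog and slot sizes, the secret key and all addresses are hypothetical.

```python
"""Toy model of a TCP listener under a spoofed SYN flood and under a
botnet full-connect flood, with and without SYN cookies.

Constructed example; not code from the original post. The cookie scheme
(HMAC over the 4-tuple and a coarse counter, truncated into the ISN) is a
simplification of real SYN-cookie implementations, and the backlog and
slot sizes are made up. The server state, attack loops and addresses are
all hypothetical.
"""
import hashlib
import hmac
import random
import struct

SECRET = b"constructed-secret-for-this-example"  # hypothetical key
DST = ("192.0.2.1", 80)                           # hypothetical listener


def syn_cookie(src, dst, counter):
    """Stateless ISN: 32 bits of an HMAC over the 4-tuple and a counter.

    Because the value can be recomputed when the ACK arrives, the server
    keeps no per-SYN state between SYN and ACK.
    """
    msg = f"{src[0]}:{src[1]}>{dst[0]}:{dst[1]}|{counter}".encode()
    mac = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return struct.unpack(">I", mac[:4])[0]


def verify_cookie(src, dst, counter, ack):
    """Accept an ACK that acknowledges a cookie from the current or the
    previous counter period (ACK = ISN + 1, mod 2**32)."""
    for c in (counter, counter - 1):
        if (syn_cookie(src, dst, c) + 1) & 0xFFFFFFFF == ack:
            return True
    return False


class Listener:
    """Minimal model of half-open (SYN backlog) and established state."""

    def __init__(self, backlog, slots, syn_cookies):
        self.backlog = backlog          # half-open entries we can hold
        self.slots = slots              # established connections we can hold
        self.syn_cookies = syn_cookies
        self.counter = 0                # coarse time counter for cookies
        self.half_open = {}             # src -> ISN (unused when cookies on)
        self.established = set()
        self.dropped_syns = 0

    def on_syn(self, src):
        """Return the ISN in our SYN-ACK, or None if the SYN was dropped."""
        if self.syn_cookies:
            return syn_cookie(src, DST, self.counter)   # no state kept
        if len(self.half_open) >= self.backlog:
            self.dropped_syns += 1                       # backlog exhausted
            return None
        isn = random.getrandbits(32)
        self.half_open[src] = isn
        return isn

    def on_ack(self, src, ack):
        """Complete the handshake; return True if a slot was granted."""
        if self.syn_cookies:
            valid = verify_cookie(src, DST, self.counter, ack)
        else:
            isn = self.half_open.pop(src, None)
            valid = isn is not None and (isn + 1) & 0xFFFFFFFF == ack
        if not valid or len(self.established) >= self.slots:
            return False
        self.established.add(src)
        return True


def spoofed_syn_flood(srv, count):
    """Single real origin, forged sources: SYNs that are never ACKed."""
    for i in range(count):
        srv.on_syn((f"198.51.100.{i % 256}", 1024 + i))


def connect_flood(srv, bots):
    """Botnet: every bot owns its address, so it completes the handshake."""
    for i in range(bots):
        src = (f"203.0.113.{i % 256}", 40000 + i)
        isn = srv.on_syn(src)
        if isn is not None:
            srv.on_ack(src, (isn + 1) & 0xFFFFFFFF)


def legit_client_connects(srv, src=("192.0.2.200", 55555)):
    """Can a well-behaved client still get a connection after the attack?"""
    isn = srv.on_syn(src)
    return isn is not None and srv.on_ack(src, (isn + 1) & 0xFFFFFFFF)


def run_scenarios(backlog=128, slots=256, volume=10_000):
    """Return {(attack, syn_cookies_on): legit_client_got_through}."""
    results = {}
    for cookies in (False, True):
        srv = Listener(backlog, slots, cookies)
        spoofed_syn_flood(srv, volume)
        results[("syn_flood", cookies)] = legit_client_connects(srv)

        srv = Listener(backlog, slots, cookies)
        connect_flood(srv, volume)
        results[("connect_flood", cookies)] = legit_client_connects(srv)
    return results


if __name__ == "__main__":
    for (attack, cookies), ok in sorted(run_scenarios().items()):
        print(f"{attack:14s} syn_cookies={cookies!s:5s} legit client connects: {ok}")
```

Running it shows the point of the post in four lines: with cookies off, the spoofed flood fills the 128-entry backlog and the legitimate SYN is dropped; with cookies on, the same flood costs the listener nothing and the client gets through. The full-connect flood fills all 256 established slots regardless of the cookie setting, because every bot's ACK is genuine; only a limit on connections (per source, per rate, or by application-level admission) touches that case, which SYN cookies were never designed for.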




More information about the NANOG mailing list