/g/ - Technology

DDoS attacks and DDoS mitigation Nanonymous No.7254 >>7286 >>7367
Hi everyone.

Let's talk about DDoS attacks and mitigation, primarily for Web sites.

Say, my knowledge about those mostly stops with the SYN flood attack. The attacker, most probably through a botnet, creates a gazillion half-open TCP connections to a webserver (HTTP uses TCP, DUH), probably spoofs IP (I dunno about that actually), whatever.
I feel like at some point, regardless of the server configuration, it's going to stop serving if not for OS TCP structure place being filled up, then because of bandwidth being used up for DDoS. So, it is a nasty attack overall.

So, the question is basically what can the owner do at all? I heard people even do redirects of DDoS, basically hiding the server behind proxies, is this the best option? Keep in mind the worst case scenario of maybe several gigabits coming our way.

Thanks for your interest.
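An added example (not from this thread) of the half-open backlog exhaustion the OP describes, next to SYN cookies, the stateless host-side answer to it: the cookie listener is a simplified model of the idea, not a real TCP stack, and all addresses and the secret are constructed. It only addresses state exhaustion; it does nothing for the bandwidth exhaustion the OP also mentions.

```python
import hmac
import hashlib
SECRET = b"constructed-per-host-secret"   # constructed; a real host would randomise this

class StatefulListener:
    """Classic handshake: every half-open connection holds a backlog slot."""
    def __init__(self, backlog=4):
        self.backlog = backlog
        self.half_open = {}                # (src_ip, src_port) -> our ISN
    def on_syn(self, src, now):
        if len(self.half_open) >= self.backlog:
            return None                    # backlog full: this SYN is dropped
        isn = 1000 + len(self.half_open)   # any ISN will do for the simulation
        self.half_open[src] = isn
        return isn
    def on_ack(self, src, ack, now):
        isn = self.half_open.pop(src, None)
        return isn is not None and ack == isn + 1

class SynCookieListener:
    """Stateless variant: the ISN is a MAC over the peer and a coarse time slot,
    so nothing is stored until the final ACK proves the peer really received it."""
    def __init__(self, secret=SECRET, max_age=1):
        self.secret, self.max_age = secret, max_age
    def _cookie(self, src, slot):
        mac = hmac.new(self.secret, f"{src[0]}:{src[1]}:{slot}".encode(), hashlib.sha256).digest()
        # high 8 bits carry the time slot, low 24 bits a truncated MAC
        return ((slot & 0xFF) << 24) | int.from_bytes(mac[:3], "big")

    def on_syn(self, src, now):
        return self._cookie(src, now)      # no per-connection state allocated
    def on_ack(self, src, ack, now):
        isn = (ack - 1) & 0xFFFFFFFF
        slot = isn >> 24
        if not (0 <= now - slot <= self.max_age):
            return False                   # stale or bogus time slot
        return hmac.compare_digest(isn.to_bytes(4, "big"),
                                   self._cookie(src, slot).to_bytes(4, "big"))

def flood_then_connect(listener, n_spoofed=8, now=10):
    """Spoofed SYNs that never complete, then one real client: does it connect?"""
    for i in range(n_spoofed):
        listener.on_syn((f"10.0.0.{i}", 40000 + i), now)   # constructed spoofed sources
    legit = ("192.0.2.7", 51234)
    isn = listener.on_syn(legit, now)
    if isn is None:
        return False                       # starved out by the half-open flood
    return listener.on_ack(legit, (isn + 1) & 0xFFFFFFFF, now)
```

With the default backlog of 4, eight spoofed SYNs lock the stateful listener out for the real client, while the cookie listener still completes the handshake because it stored nothing for the spoofed ones.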

Nanonymous No.7255 >>7257 >>7367
It's the internet relay's responsibility not to mindlessly allow IP spoofing and sending of SYN commands without receiving SYN-ACK. You could set up a hidden site where most of the initiation is done with other servers before connecting to the server.

Nanonymous No.7257 >>7283
>>7255
>You could set up a hidden site where most of the initiation is done with other servers before connecting to the server.
Exactly.
Now, I'm curious if this is the strongest and the most reliable counter. Also this brings another question: what if those proxies get DDoSed themselves? I mean, it's less likely if there's many of them and we can balance the load, but is it possible? What the fuck? Why is the Internet so spooky?

Nanonymous No.7282 >>7367
>So, the question is basically what can the owner do at all?
Use a firewall to block syn flooding.
The best type of DDoS is a layer 7 DDoS because you can possibly crash the server with a single packet. Else you can spam an endpoint that requires a lot of processing power to waste.

Nanonymous No.7283
>>7257
Tor hidden sites have their own problems with DDoS. Supposed to be fixed at some point, and they are part way there.
I think there are two problems that permit normieweb DDoS. One is ISPs allowing their clients to dump packets with forged source addresses on the internet. The other is ICMP Source Quench got deprecated. It should be brought back in v2.0 form so the next upstream device with a state table that sees it on the way back starts dropping 50% of packets from src to dst IP. Those devices could also generate source quenches for the next upstream hop with a state table if they are getting overloaded. Repeated ICMP packets would increase 50% each time, with some timeout.

Nanonymous No.7286 >>7287 >>7384
>>7254
A DoS attack refers to any trick that allows you to bring down a server. A DDoS is a particular method of executing a DoS, involving sending more requests than the server is capable of serving. There exist a number of amplification attacks, which are in between plain DoS and DDoS, where each request causes the server to do lots of work, and in aggregate they bring down the server. This is why sakamoto hides certain pages behind captchas.

But there still exists the wholly general DDoS. An example of this is that one of the Chinese social media websites (Weibo or something) had a <script> tag on their page that linked to a particular GitHub repo. The mass of Chinese people loading the relevant page amounted to a DDoS against GitHub. This required no special request forging by the chinks, just a simple embed led to a DDoS. Therefore, the only complete solution to a DDoS attack is to have massive amounts of bandwidth, and servers that can handle the load, so that you can serve all the illegitimate requests.

For every website to have lying around spare bandwidth that they will seldom use, except when they are being attacked, is a great waste. So here's where Cloudflare comes in. They provide this bandwidth for a number of sites. When any one of them is attacked, Cloudflare provides spare bandwidth to protect it. Similarly, these networks for distributed file sharing - IPFS, ZeroNet, etc - in principle perform the same task as Cloudflare here. In practice this relies on enough people, with enough spare bandwidth, pinning a given file to actually work, which I doubt ever happens. You would also need a way to place captchas around actual server access, which I doubt they provide. But this provides a model for how you might go about providing distributed DDoS protection.

hentai@home is probably a better model, in that they have a proper R-W HTTP server, with the major read portion distributed. The biggest issue with them is that a person has to explicitly opt in to being a hentai@home node, whereas we're interested in protecting a bunch of sites simultaneously.

I think what you would do is this: you would have a bunch of friendly sites, like different imageboards and wikis and so on. Each of these sites would get together and agree to host a copy of the other sites. Then you'd automatically redistribute requests from one site to the others when it gets DDoSed. We might call this a "friend network". The more friends you have in your network, the more protection you have against DDoSes. Your friends would probably not need to be all that trusted either: all downloads would be signed with your site's private key, so they couldn't forge requests. And clients would keep retrying on different servers until they found one that worked, so a small number of fake friends couldn't block your site.

Nanonymous No.7287
>>7286
>There exists a number of amplification attacks, which are in between plain DoS and DDoS, where each request causes the server to do lots of work, and in aggregate they bring down the server.
No, a DDoS amplification attack is when you DDoS a bunch of different sites and those sites end up causing DDoS for the target site. In this type of attack the size of your requests to the different sites needs to be smaller than the size of their responses. It's called an amplification attack because you are spending a smaller amount of bandwidth than the target is receiving.

Nanonymous No.7367 >>7384
>>7254
>half open connections
it doesn't fucking matter. fuck your techno mumbo jumbo. there are 10 million different ways to do a DoS attack. as long as the server isn't completely retarded (e.g. doing a quadratic amount of the work the client does), then DDoS is needed.
DDoS is trivially solved by content-addressable networks. Such as Freenet. But if you want to use your """""""""""""""comfy""""""""""""""" web browser, the way to solve DDoS is for the hoster to invest more money into hosting his own shit. BTW this is why the web does not work.
>>7255
doesn't matter. they can simply make only compliant requests from their 1 million botnet hosts
>>7282
>Use a firewall to block syn flooding.
no that's not a thing. just fucking stop. you can't "shut off" DDoS.
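An added example (not from this thread) of the "friend network" client sketched in >>7286 and of the content-addressed retrieval >>7367 prefers: the client walks a list of friend mirrors, skips the ones that are down, rejects forged copies, and accepts only a copy that matches the digest the origin published. A sha256 digest stands in here for the signature check >>7286 describes (a real deployment would verify a signature under the site's public key instead), and all mirror names and page content are constructed.

```python
import hashlib

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Constructed sample: the origin's page and the digest it publishes out-of-band.
ORIGIN_DATA = b"<html>thread 7254: DDoS attacks and mitigation</html>"
PUBLISHED_DIGEST = sha256_hex(ORIGIN_DATA)

class Mirror:
    """A friend site holding a copy. `behaviour` models what a fetch does:
    'ok' serves the copy, 'down' fails (the friend is being flooded too),
    'tampered' serves a forged copy (a fake friend)."""
    def __init__(self, name, behaviour="ok"):
        self.name, self.behaviour = name, behaviour

    def fetch(self, path):
        if self.behaviour == "down":
            raise ConnectionError(f"{self.name}: unreachable")
        if self.behaviour == "tampered":
            return ORIGIN_DATA + b"<script>/*injected*/</script>"
        return ORIGIN_DATA

def fetch_verified(path, expected_digest, mirrors):
    """Walk the friend list; return (data, mirror_name, attempts) for the first
    copy whose digest matches, or (None, None, attempts) if none does."""
    attempts = 0
    for m in mirrors:
        attempts += 1
        try:
            data = m.fetch(path)
        except ConnectionError:
            continue                      # flooded friend: move on to the next
        if sha256_hex(data) != expected_digest:
            continue                      # forged copy: reject it, keep going
        return data, m.name, attempts
    return None, None, attempts

# A flooded origin points clients at its friends; two of the three are useless.
FRIENDS = [Mirror("wiki.example", "down"),
           Mirror("fake.example", "tampered"),
           Mirror("board.example")]
```

Because the check is against the origin's digest rather than trust in the mirror, a small number of fake or flooded friends only costs the client extra attempts, which is the property >>7286 wants.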

Nanonymous No.7384 >>7391
>>7286
>For every website to have lying around spare bandwidth that they will seldom use, except when they are being attacked, is a great waste. So here's where Cloudflare comes in. They provide this bandwidth for a number of sites. When any one of them is attacked, Cloudflare provides spare bandwidth to protect it.
I don't understand why jewish CIA cloudflare man-in-the-middle is necessary for this
Websites are hosted by hosting companies. Hosting companies don't have a single client; they have hundreds or thousands of clients and their websites. The hosting company can host all those websites on its infrastructure, and if one website is DDoSed, the entire infrastructure could handle it.

>>7367
>BTW this is why the web does not work.
it does work, for the jews. they have unlimited money because they print it, so they can buy unlimited DDoS protection, while also buying DDoS attacks against non-jews
jews aren't interested in fixing DDoS by design. a solution have to be the final solution, elimination of all jews and elites, then we won't have obstacle in fixing web

Nanonymous No.7391
>>7384
A DoS attack that works through flooding will flood the whole uplink that the server is on, taking down every other site on that uplink. What you are describing is how it is already done, and flooding DoS attacks still successfully happen. The thing that MITMFlare-like companies offer you is the ability to use any uplink that they control instead of just the one you get from your website host.