
Is it possible - in theory - to stop[1] a DDoS attack of any size? Many people claim it's impossible to stop DDoS attacks and tell me I just shouldn't mess with the wrong people on the internet.

But what if, in like 5 years, everyone is able to rent a botnet? Shouldn't we just re-think the whole internet architecture then?

[1]: By "stop" I also accept removing the negative effects, i.e. keeping the service running.

user2173629
    Yeah, we should _just_ re-think the whole internet architecture. While we're at it, I have some feature requests for the universe... –  Apr 05 '13 at 18:45
  • Currently everyone IS able to rent a botnet at low cost. It takes a few seconds on Google to see advertised services free for all. This guy (gwapo) has people doing YouTube ads for him... http://www.youtube.com/watch?v=c9MuuW0HfSA&noredirect=1 – NULLZ Apr 06 '13 at 02:18
    Yeah, I want a global fabric of point-to-point virtual circuits with guaranteed bandwidth, whose establishment is cryptographically authenticated. But at the same time, I want to keep my anonymity, god damn it, as well as unlimited usage plans for everyone. – Kaz Apr 06 '13 at 06:04
  • Don't tier 1 peering agreements give incentives to peered groups to not allow this to happen? –  Jan 07 '15 at 23:55
  • What's the point of building security controls to prevent DDoS at your edge service provider while your bandwidth has already been maxed out at the ISP level? –  Aug 04 '15 at 18:34
  • It all depends on the type of DDoS (i.e. TCP, HTTP, DNS, etc). – user2320464 Jan 22 '16 at 17:17
  • If anybody can rent a botnet, couldn't you just rent a botnet to host your content bigger than the attacker? – sunny-lan Aug 29 '16 at 02:59

13 Answers


Imagine a shopping mall. By definition, anybody can enter the mall and then browse the shops. It is public. The shops are expecting people to come by, look at the displays, maybe enter and then buy things.

In the mall, there is a shopkeeper, who sells, say, computers. Let's call him Jim. He wants people to come by and see the computers and be enticed into buying them. Jim is the nice guy in our story.

Let there be Bob. Bob is a disgruntled nihilist who hates Jim. Bob would go to great lengths to make Jim unhappy, e.g. disrupting Jim's business. Bob does not have many friends, but he is smart, in his own twisted way. One day, Bob spends some money to make the local newspaper publish an ad; the ad states, in big fonts and vivid colours, that Jim runs a great promotion on the occasion of his shop's tenth birthday: the first one hundred customers who enter the shop will receive a free iPad. In order to cover his tracks, Bob performs his dealings with the newspaper under the pseudonym of "bob" (which is his name, but spelled backwards).

The next day, of course, the poor Jim is submerged by people who want a free iPad. The crowd clogs Jim's shop but also a substantial part of the mall, which becomes full of disappointed persons who begin to understand that there is no such thing as a free iPad. Their negativeness makes them unlikely to buy anything else, and in any case they cannot move because of the press of the crowd, so business in the mall stops altogether. Jim becomes highly unpopular, with the ex-iPad-cravers, but also with his shopkeeper colleagues. Bob sniggers.

At this point, Jim contacts the mall manager Sarah. Sarah decides to handle the emergency by calling the firemen. The firemen come with their shining helmets, flashing trucks, screaming sirens and sharp axes, and soon convince the crowd to disperse. Then, Sarah calls her friend Gunther. Gunther is a son of German immigrants, a pure product of the US Melting Pot, but more importantly he is an FBI agent, in charge of the issue. Gunther is smart, in his own twisted way. He contacts the newspaper, and is first puzzled, but then has an intuitive revelation: ah-HA! "bob" is just "Bob" spelled backwards! Gunther promptly proceeds to arrest Bob and send him to meet his grim but legal fate before the county Judge.

Finally, in order to avoid further issues with other nihilists who would not be sufficiently deterred by the vision of Bob's dismembered corpse put on display in front of the mall, Sarah devises a mitigation measure: she hires Henry and Herbert, two mean-looking muscular young men, and posts them at the mall entries. Henry and Herbert are responsible for blocking access should a large number of people try to come in, beyond a given threshold. If a proto-Bob strikes again, this will allow the management of the problem on the outside, in the parking lot, where space is not lacking and crowd control much easier.


Moral: a DDoS cannot be prevented, but its consequences can be mitigated by putting proactive measures in place, and perpetrators might be deterred through the usual, historically-approved display of muscle from law enforcement agencies. If botnets become too easy to rent, predictable consequences include increased police involvement, proactive authentication of users at infrastructure level, shutting off of the most disreputable parts of the network (in particular Internet access for the less cooperative countries), and a heavy dose of disgruntlement and sadness at the loss of a past, more civilized age.

Tom Leek
  • That was an amazingly nice read, however a server is not a mall and having people do something isn't as expensive as machines doing it in cyberspace. Wouldn't it be possible for ISPs to block attacks on their end? Similar to putting a police agent in front of everyone's home and asking where he's going? – user2173629 Apr 05 '13 at 18:04
    That's the analogy. A DDoS attack is not _qualitatively_ distinguishable from a normal user; the difference is just that the DDoS-ing requests are sent by someone who has no intention whatsoever of using the service in the "normal way" -- but intentions cannot be detected remotely, in particular by computers. – Tom Leek Apr 05 '13 at 18:15
  • Suppose I only allow TCP traffic to my server, and reject the packet immediately as the session starts (I dislike the source IP), will that prevent a DDOS? (I'm thinking the bandwidth won't be consumed, and I won't affect other sessions) – makerofthings7 Apr 05 '13 at 18:35
    @makerofthings - Your ISP is still trying to send all other traffic to you, and you still have to perform some cursory inspection of the packet to determine it's a rotten egg. It's a losing game; a coordinated DDoS attacker can add zombies more easily than you can reduce the time/effort needed to reject their packets. – KeithS Apr 05 '13 at 19:10
    ""bob" (which is his name, but spelled backwards)" <-- Nice. – root Apr 05 '13 at 20:07
  • @user2173629 ISPs do block addresses, or even, which is worse, can blackhole the customer. (Going at this from a datacenter/client POV) We've had issues in the past where another client in our DC is getting DDoS'd and kills the circuit at the DC until the DC company blackholes the client. ISPs can operate in the same fashion as well, block the customer upstream or block the IPs. If you choose to block the IPs, then you run into another potential DoS condition where the resources on the security device can't keep up with all the IPs coming in. There are services that help (Prolexic, Cloudflare) – g3k Sep 03 '13 at 16:55
    Wait, but what happened to Jim? Did he live happily ever after? Don't leave us hanging! – Eddie Feb 26 '15 at 23:49
  • Well regarding botnets becoming easy to rent, we're living in the golden age of IoT, where people write things like Mirai and generously allow every skid on the internet to have a turn. – Awn Oct 27 '16 at 05:51
  • Jim should be George (Good Guy) or Nick (Nice Guy) or Victor (Victim) to keep with established naming conventions ;-) Likewise for the others. – Jürgen A. Erhard Nov 01 '17 at 11:32
  • need more answers like these on stackoverflow, stackexchange and every damn stack site – PirateApp Nov 05 '18 at 06:24

Despite what others are saying, yes you can.

Many major corporates have very effective solutions, and even the recent Spamhaus battle, which used DNS DDoS at a scale that hasn't been seen previously was covered rapidly once CloudFlare were brought on board.

The solutions I have tested are very effective at transferring DDoS traffic, even when it is a mirror of real, valid traffic. For some of these tests, cutover was sub-millisecond and had almost no measurable effect on legitimate traffic.

These work by dynamic rerouting protocols, and in principle could work anywhere. The reason they are only used by large corporates is they cost a lot.

A sensible fix is for all ISPs to filter outbound traffic and share filter lists; this could prevent DDoS attacks entirely. It would just require users and companies to demand it from their ISPs and move from any who didn't provide this service. Eventually any ISP that didn't provide it would just be blacklisted.

Rory Alsop

No, it is not possible, in theory or practice. A well enough distributed DDoS attack is indistinguishable from legitimate traffic.

Consider the "slashdot" or "reddit" or "digg" effects, where actual legitimate traffic takes down network services on the target website. Simply posting a link to the target website on slashdot is an effective DDoS in many cases.

Sparr
    Short and sweet, but somewhat incorrect. Most DDoSs are the result of a botnet. Botnets, however massive, are a subset of the Internet, that attack by making sustained, rapid requests, often in a manner differing significantly from legitimate traffic (no legitimate user sends SYN after SYN without completing the handshake). More sophisticated attacks that turn legitimate users against a site (DNS hacking, malicious Slashdot-style linking) are harder to defend against, but also harder to pull off and control (as in Tom Leek's analogy; you set it up and hope for the worst). – KeithS Apr 05 '13 at 19:22
  • Are not DDOS attacks simply the result of a barrage of requests from the same computers (be it thousands or hundreds of thousands)? Sure you can't stop the initial onslaught, but if you can identify and block the IPs that are making repeated, bot-like requests, couldn't you stop a simple attack (where IPs are not changing every request)? – n00b Apr 05 '13 at 20:52
    @KeithS a syn flood is one specific kind of DDoS attack. Simply making HTTP requests or SMTP connections or other well-formed TCP or UDP traffic is also a successful form of DDoS attack. – Sparr Apr 05 '13 at 21:25
  • DDoS just reminds me of the Spamhaus attack using open DNS resolvers :D – Novice User Apr 12 '13 at 18:49
    @n00b if you can identify the IPs then the attack isn't very thoroughly distributed. The significant difference in a DOS and a DDOS is the distribution of the source of traffic. – Sparr Apr 12 '13 at 18:53
  • Just as spammers have become more sophisticated over time, so do and have botnets (or rather, their devs). As Sparr said. – Jürgen A. Erhard Nov 01 '17 at 11:36
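The exchange between KeithS and Sparr above is the crux of the "distinguishable or not" question, so here is an added example (the editor's, not code from the thread) that makes it concrete. It scores each source address by how many of its SYNs ever completed the handshake, which catches KeithS's case of a bot that sends SYN after SYN, and it also computes the aggregate half-open ratio, which is the only number left when the flood spoofs a fresh source address per packet, as Sparr's reply implies. The packet records are constructed inline (source address plus TCP flags as a short string); the thresholds `min_syns` and `max_completion` are assumptions that would be tuned per site.

```python
from collections import defaultdict

# Constructed sample of TCP packets as seen inbound at the server's edge:
# (source address, TCP flags). "S" = SYN, "A" = the client's ACK completing the
# handshake, "PA" = data. A normal client sends S then A; a flooder sends S only.
SAMPLE_PACKETS = (
    # two ordinary visitors
    [("203.0.113.10", "S"), ("203.0.113.10", "A"), ("203.0.113.10", "PA"),
     ("203.0.113.11", "S"), ("203.0.113.11", "A")]
    # fifty real bots, eight SYNs each, never completing (KeithS's case)
    + [("198.51.100.%d" % (i % 50), "S") for i in range(400)]
    # a spoofed-source flood, one SYN from each of 199 fake addresses (Sparr's case)
    + [("192.0.2.%d" % i, "S") for i in range(1, 200)]
)


def handshake_stats(packets):
    """Count SYNs and completed handshakes per source address."""
    stats = defaultdict(lambda: {"syn": 0, "completed": 0})
    for src, flags in packets:
        if flags == "S":
            stats[src]["syn"] += 1
        elif flags == "A" and stats[src]["completed"] < stats[src]["syn"]:
            # an ACK only counts as a completion if this source has an open SYN
            stats[src]["completed"] += 1
    return dict(stats)


def flag_half_open_sources(stats, min_syns=5, max_completion=0.2):
    """Sources with many SYNs and few completions: candidates for a per-IP block.
    min_syns and max_completion are assumed thresholds; tune them per site."""
    return sorted(
        src for src, s in stats.items()
        if s["syn"] >= min_syns and s["completed"] / s["syn"] <= max_completion
    )


def global_half_open_ratio(stats):
    """Share of all SYNs that never completed. Per-source scoring is blind to a
    spoofed flood (one SYN per fake address), but this aggregate still shows it."""
    syns = sum(s["syn"] for s in stats.values())
    completed = sum(s["completed"] for s in stats.values())
    return (syns - completed) / syns if syns else 0.0


if __name__ == "__main__":
    stats = handshake_stats(SAMPLE_PACKETS)
    print("per-source offenders:", flag_half_open_sources(stats))
    print("aggregate half-open ratio: %.3f" % global_half_open_ratio(stats))
```

The per-source list is what you could hand to a firewall; the aggregate ratio is what tells you that a flood is happening even when no single address stands out, and in that case the only per-packet defence left is something like SYN cookies, since there is nothing to block by address.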

Well, you can scale infrastructure to make it more difficult for a botnet to keep up enough traffic to disable the service, but ultimately, if a DDoS is using otherwise legit traffic to cause issues, the only counter is to increase your bandwidth to be higher than theirs. If you can identify a source as rogue, then you can try to block the traffic from being processed by your server (which will reduce CPU and memory load) but you still have to deal with the traffic being flung, which the Internet is going to deliver.

AJ Henderson

There are in principle ways to stop a DDOS:

  • The simplest way is to just throw more resources at it. Good luck trying to take down amazon.com or google.com. Combine a round-robin DNS entry with tons of cloud servers and it gets really hard to DDOS you.

  • Not everyone can afford such immense resources, but that's what services like CloudFlare are for. If you become their customer, they provide the resources (proxies, bandwidth), and as soon as you need it, allocate it to you. It's like an insurance, a lot of people share the investment, and you benefit from it when needed.

  • DDOS traffic often is distinguishable from legitimate traffic:

    • For example, if it comes in as HTTP requests, you could temporarily block port 80, but your HTTPS and email servers would still be reachable. Of course this means a partial shutdown, but better than a complete loss of services.
    • This is just hearsay, but I've been told that there are specialized switches that can do deep packet inspection with incredible bandwidth, by using FPGAs. They can be used to filter HTTP requests that don't have a proper User-Agent, or TCP packets that look suspicious.
  • Last but not least, a lot more could be done with cooperation from your ISP, or the backbone providers. If the attack is geographically concentrated, temporarily stop routing data from that region to your servers. I assume these kinds of strategies will have to be used more widely in future.

    (In Tom Leek's analogy: Imagine Bob made his free iPad offer only to black / Chinese / caucasian / ... people. Now hire a racist security guard. You'll stop the onstorm of fake customers, but at a price, namely that you'll anger some legitimate customers. (Needless to say, please don't do that in reality.))

  • Just for completeness, if you know who is attacking you, you can retaliate. Either legally by calling the authorities, or by paying them back in their own coin and attacking their servers (but please don't!).

jdm
  • A more suited adaptation would be that «a free iPad is provided to anyone who calls our shop». Given that 99% of phone calls to Bob's shop come from his town, Sarah can ignore (block) calls from other countries quite confident it is affecting few (none?) real customers. – Ángel Jan 07 '15 at 20:15

There are things you can do but you will never be 100% protected.

I was recommended the Fail2Ban firewall for my site on this forum before and that helped. Basically, once fail2ban detects similar activity x amount of times in its log files it bans that IP.

Blocking all non-used ports also helps.

Jeff
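What fail2ban does in Jeff's answer is a log-driven ban with three knobs (fail2ban calls them `maxretry`, `findtime` and `bantime`). The following is an added illustration of that logic written by the editor; it is neither fail2ban's code nor Jeff's. The log lines are constructed to resemble OpenSSH's "Failed password" messages, and the timestamp layout, the regex and the `Jail` class are assumptions of this example rather than anything fail2ban ships.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed log format: ISO timestamp, then an OpenSSH-style failure message.
FAIL_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) sshd\[\d+\]: "
    r"Failed password for .+ from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)

# Constructed log excerpt: one host hammers root, one user fumbles slowly, one succeeds.
SAMPLE_LOG = [
    "2013-04-05T18:00:01 sshd[1234]: Failed password for root from 198.51.100.7 port 51022 ssh2",
    "2013-04-05T18:00:05 sshd[1240]: Failed password for alice from 203.0.113.20 port 40001 ssh2",
    "2013-04-05T18:00:12 sshd[1241]: Failed password for root from 198.51.100.7 port 51023 ssh2",
    "2013-04-05T18:00:30 sshd[1242]: Failed password for admin from 198.51.100.7 port 51024 ssh2",
    "2013-04-05T18:01:00 sshd[1243]: Failed password for root from 198.51.100.7 port 51025 ssh2",
    "2013-04-05T18:01:40 sshd[1244]: Failed password for root from 198.51.100.7 port 51026 ssh2",
    "2013-04-05T18:02:00 sshd[1250]: Accepted publickey for bob from 203.0.113.21 port 40002 ssh2",
    "2013-04-05T18:09:00 sshd[1260]: Failed password for alice from 203.0.113.20 port 40003 ssh2",
    "2013-04-05T18:21:00 sshd[1270]: Failed password for alice from 203.0.113.20 port 40004 ssh2",
    "2013-04-05T18:30:00 sshd[1280]: Failed password for root from 198.51.100.7 port 51030 ssh2",
]


class Jail:
    """maxretry failures within findtime seconds => ban the address for bantime seconds."""

    def __init__(self, maxretry=5, findtime=600, bantime=3600):
        self.maxretry = maxretry
        self.findtime = timedelta(seconds=findtime)
        self.bantime = timedelta(seconds=bantime)
        self.hits = defaultdict(deque)  # ip -> failure timestamps still inside findtime
        self.bans = {}                  # ip -> datetime the ban expires

    def observe(self, line):
        """Feed one log line; return the address if this line triggers a new ban."""
        m = FAIL_RE.match(line)
        if not m:
            return None
        ts = datetime.fromisoformat(m.group("ts"))
        ip = m.group("ip")
        if ip in self.bans and self.bans[ip] > ts:
            return None  # already banned; a real firewall rule would have dropped this
        window = self.hits[ip]
        window.append(ts)
        while window and ts - window[0] > self.findtime:
            window.popleft()  # forget failures older than findtime
        if len(window) >= self.maxretry:
            self.bans[ip] = ts + self.bantime
            window.clear()
            return ip
        return None

    def banned(self, now):
        """Addresses whose ban is still active at `now` (a datetime or an ISO string)."""
        if isinstance(now, str):
            now = datetime.fromisoformat(now)
        return sorted(ip for ip, until in self.bans.items() if until > now)


def run_jail(lines, **kwargs):
    """Replay log lines through a Jail; return it plus the addresses banned, in order."""
    jail = Jail(**kwargs)
    newly_banned = [ip for ip in (jail.observe(line) for line in lines) if ip]
    return jail, newly_banned


if __name__ == "__main__":
    jail, banned = run_jail(SAMPLE_LOG)
    print("banned while replaying:", banned)
    print("still banned at 18:30:", jail.banned("2013-04-05T18:30:00"))
```

Two caveats a practitioner should keep in mind. Banning by address only helps against a handful of noisy hosts; a flood spread over hundreds of thousands of addresses never trips `maxretry`, which is Sparr's point above, and the ban table itself must stay bounded or, as g3k's comment under the accepted answer notes, the device holding it becomes the next thing to exhaust. Also, any rule that bans on addresses taken from unauthenticated traffic can be turned against you: a request with a spoofed or shared source can get an innocent user's address banned.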

I guess with a p2p-only architecture it might be possible... But it would require many changes in how computers behave, and it would involve sluggishness for many small websites. It's a good question.

When you have a network architecture that allows centralization, it will always allow DDOS. To be able to prevent those, you would need the whole internet infrastructure to become DDOS aware, meaning all requests to a certain IP would be filtered out when a bottleneck is detected. It would be really expensive to implement such a feature because routers are designed to be fast, and it would require a "DDOS containment mode" that would check packet target addresses, which would be slow. The website would still end up unresponsive or unreachable, but not crashing.

Another way would be to enable websites to have some sort of mirror/broadcast system to repeat content. Broadcast means the content is automatically repeated by routers. But it would require the content not to change often, which would be a severe requirement, and not many websites could afford it since it's expensive.

Honestly I don't really consider DDOS like an attack or a security problem. Botnets are.

jokoon

The cheapest, most effective and easiest way to block a DDoS-Attack:

As soon as the server receives more requests than it can handle, a "Secure-Mode" switches on. In this mode, every requesting IP address gets a minimal HTML page, the smaller the better, consisting of a warning of a live DDoS attack and a captcha prompt:

(image: Google captcha example)

The IP addresses which enter the correct captcha go onto a whitelist allowing them to browse the site as usual. After the requests get lower again, the "Secure-Mode" turns off.

vyrovcz
  • This doesn't block a distributed attack as it only blocks requests coming from a single IP. Thing is though that no distributed attack can take down Google, Amazon etc. because there is not a big enough botnet that can do that without individual bots being identified as spamming and getting this message. So, yes, DDoS can be prevented by blocking individual attackers and being able to deal with millions of requests per second. – alanh Jan 07 '15 at 21:10
  • "not a big enough botnet". Yet. Yes, still true in 2017. But IoT (Internet of Trash) is working on it… – Jürgen A. Erhard Nov 01 '17 at 11:40
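To make vyrovcz's "Secure-Mode" proposal concrete, here is an added example (the editor's, not code from the answer) of the state machine it describes: measure the request rate, flip into secure mode above capacity, answer unknown addresses with a minimal challenge, allowlist the addresses that solve it, and flip back once the rate falls. The captcha itself is stubbed: `verify` is a pluggable callable, and the constructed scenario treats the answer "7" as correct, standing in for a real captcha provider's verification. The capacity figure, the hysteresis factor and the allowlist TTL are assumptions.

```python
from collections import deque


class SecureModeGate:
    """Rate-triggered challenge gate sitting in front of an application."""

    def __init__(self, capacity_rps, verify, window=1.0, allow_ttl=600.0):
        self.capacity = capacity_rps   # assumed: requests/s the backend can sustain
        self.verify = verify           # callable(ip, answer) -> bool, the captcha check
        self.window = window           # seconds over which the rate is measured
        self.allow_ttl = allow_ttl     # seconds a solved address stays on the allowlist
        self.recent = deque()          # timestamps of requests inside the window
        self.allowlist = {}            # ip -> expiry time
        self.secure_mode = False

    def _rate(self, now):
        self.recent.append(now)
        while self.recent and now - self.recent[0] > self.window:
            self.recent.popleft()
        return len(self.recent) / self.window

    def handle(self, now, ip, captcha_answer=None):
        """Return the response class for one request arriving at time `now` (seconds)."""
        rate = self._rate(now)
        if rate > self.capacity:
            self.secure_mode = True
        elif rate < self.capacity * 0.5:   # hysteresis so the mode does not flap
            self.secure_mode = False
        if not self.secure_mode:
            return "200 normal"
        if self.allowlist.get(ip, 0.0) > now:
            return "200 normal"
        if captcha_answer is not None and self.verify(ip, captcha_answer):
            self.allowlist[ip] = now + self.allow_ttl
            return "200 normal"
        # the minimal page: a warning plus the captcha, nothing the backend must compute
        return "503 challenge"


def simulate(capacity_rps=50):
    """Constructed scenario: quiet start, a flood, a human caught in it, then calm."""
    # stand-in for a captcha provider: the constructed correct answer is "7"
    gate = SecureModeGate(capacity_rps, verify=lambda ip, answer: answer == "7")
    out = {"bot_served": 0, "bot_challenged": 0}
    out["before"] = [gate.handle(0.1 * i, "203.0.113.%d" % (10 + i)) for i in range(3)]
    for i in range(300):               # 30 bots, 300 requests in 0.3 s
        r = gate.handle(1.0 + i * 0.001, "198.51.100.%d" % (i % 30))
        out["bot_challenged" if r.startswith("503") else "bot_served"] += 1
    out["mode_during_flood"] = gate.secure_mode
    out["human_first"] = gate.handle(1.31, "203.0.113.10")                 # sees the page
    out["human_solved"] = gate.handle(1.40, "203.0.113.10", captcha_answer="7")
    out["human_after"] = gate.handle(1.50, "203.0.113.10")                 # allowlisted
    out["bot_after"] = gate.handle(1.51, "198.51.100.1")                   # still challenged
    out["after_quiet"] = gate.handle(60.0, "203.0.113.99")                 # flood is over
    out["mode_after"] = gate.secure_mode
    return out


if __name__ == "__main__":
    for key, value in simulate().items():
        print(key, value)
```

Note what this does and does not buy. The challenge page still costs a round trip and some bandwidth per bot request, so the gate protects application capacity (CPU, database, sessions), not the link, which is KeithS's objection under the accepted answer. And because the allowlist is keyed by address, everything behind a solved address's NAT, bots included, gets through for the TTL, which is the limitation alanh's comment is pointing at; the allowlist also needs a size cap for the same reason a ban table does.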

I'm loving the shopping mall answer. So here's some more detail. What happens when the mall is protected but the car park starts to fill up?

Firstly, no, it's not possible to stop an attack of any size with the current internet architecture. With a well-funded large ISP you can stop pretty big ones though.

But (roughly) as long as the attack is smaller than the size of your ISPs inbound connections they can have a good go at keeping things running. But they need some fancy technology.

The best stuff I ever had much to do with has two stages.

The first stage identifies possible peaks in traffic caused by DDoS activity. A company called Arbor Networks specialises in this (http://www.arbornetworks.com/).

Then the network is commanded to take all the traffic for the destination and re-route it to DDoS scrubbers. Each scrubber can handle a certain amount of traffic and they do a good job of picking the valid traffic out of the noise.

The scrubber then forwards the valid traffic on to the original site.

JCx

It depends. If a DDoS of the size of just 1 byte over half of the internet is launched on the rest, the entire Internet will be down. But that is almost impossible. A normal DDoS attack can be absorbed but not stopped. In the example above by Tom Leek, the security guys can handle only so many people; if the entire world comes flooding in, they can do nothing. Same with DDoS. You can pay CloudFlare, Incapsula, ... to be the guard, but with enough power a DDoS will take them down.

    One byte from every device connected to the internet (~10 billion devices?) would only be about 80 gigabits, which is a trivial amount of traffic. – Brendan Long Sep 30 '16 at 16:36
    @BrendanLong: to be pedantic, the smallest Ethernet frame is 64 bytes, so the total traffic is actually 640 GB. – Lie Ryan Oct 25 '16 at 12:24

A common solution at the megacorporation level: Buy enough bandwidth/servers to accommodate both legitimate users and DDoS at the same time.

Outside of throwing equipment at the problem, the only other solution is constant widespread public vigilance. Too many people are sloppy with their computers and allow them to get backdoored or maliciously remote controlled. Some device manufacturers are also sloppy with Internet-enabled home electronics, configuring them poorly and leaving them vulnerable to hacks.

General rule of thumb: ban incoming connections when you aren't using them. If you set your computer up to block all incoming connections, no one can remote control it (except for extremely degenerate instances of backdoors/"zombieware" that actively establish connections with servers to read commands from).

Most of the time, the average computer user shouldn't need to allow incoming connections. If you must, only unblock the specific ports/programs that need incoming connections, and then block the incoming connections again once you're finished with those ports/programs.

IoT devices are somewhat more difficult. You can't just have them block all incoming connections because they're designed to be remote controlled.

user1258361

There is research on the topic and in theory there seem to be ways to stop DDOS attacks.

Here is a talk from Adrian Perrig about SCION, a working prototype for a new network architecture. This should be the article about the part of the system that does DDOS mitigation. Of course they make assumptions about attacking botnets and such.

As others have noted, if your attacker is powerful enough to make the DDOS attack look like legitimate traffic you are essentially in the same situation as if you did not have enough resources for all your users. Therefore this case cannot be prevented.

Elias

The main thing that DDoS attackers are taking advantage of is a centralized resource that they can overwhelm with traffic. If you make the application so that it is highly distributed DDoS attacks are not effective.

Exactly this has been done with DNS infrastructure and anycast. Google DNS, for example, is at 8.8.8.8. But they use anycast, so the actual machines handling requests to 8.8.8.8 are scattered in data centers all over the world. So DDoS attacks directed at 8.8.8.8 will also be split up and distributed, which is not the goal of a DDoS attack. Not to say that this makes it impossible, but far, far less effective.

Unfortunately all applications aren't designed to run behind an anycast ip. But the overall approach is the best defense. Make the app highly distributed and DDoS effectiveness decreases.