8

I've read about DDoS attacks and especially the amplification techniques. For example, the DNS amplification technique where you can send queries to open resolvers pretending to be the victim, then [if nobody is filtering packets] the victim will get all the responses and if the traffic is high enough, get overwhelmed and stop functioning the way it is supposed to.

If I understand that correctly, the DNS response will be sent from the open resolver with an arbitrary destination port that the victim is not listening to (because it didn't make the request, thus it is not waiting for a response on that port!). How does that affect the victim? Can you get overwhelmed by receiving too many packets wrongly addressed to a port where you are not listening? Is it an expensive operation to ignore packets? Or am I getting it wrong somehow?

Polynomial
  • 132,208
  • 43
  • 298
  • 379
amyassin
  • 475
  • 2
  • 10
  • @amyassin In order to deny traffic, you have to read some of the data. That's because your computer needs to know what the port number or IP address's are. – Kayla Mar 07 '15 at 00:32
  • 3
    How come the air is filled with excess sound waves if I'm not listening to the music from that loud speaker? – Lie Ryan Mar 07 '15 at 01:14
  • 1
    We expect you to do a significant amount of research before asking. [The Wikipedia page on DDoS](https://en.wikipedia.org/wiki/Denial-of-service_attack) already explains how this works. So what specifically is your confusion? If you haven't read the Wikipedia article (or that level of explanation of DDoS), you certainly haven't done enough research on your own before asking. This site [is for IT Security professionals](http://security.stackexchange.com/help/on-topic); professionals do their research. – D.W. Mar 07 '15 at 01:27
  • Possible duplicate of http://security.stackexchange.com/q/4667/971 (which was the first question that the site automatically picked under the Related column). See also http://security.stackexchange.com/q/22809/971 (also auto-suggested as Related). – D.W. Mar 07 '15 at 01:30
  • Like always, the "professional" that pops to RTFM people is the least understanding person of what the question is about... – amyassin Mar 07 '15 at 07:18

1 Answer

11

Ignoring packets is cheap, but if your connection is unable to handle the sheer volume of traffic per second then you're going to fall down hard. The only answer at that point is to filter traffic upstream of you. Because things are distributed and high performance routers really don't like consulting a large routing table just to play whack-a-mole on which hosts to drop, that can get unwieldy.

That last part is what makes a DDoS so effective: that it's hard to reroute traffic upstream. CloudFlare makes a business out of having enough bandwidth to absorb all the traffic and deal with it without having to filter upstream at providers.

Schism
  • 107
  • 4
Jeff Ferland
  • 38,090
  • 9
  • 93
  • 171
  • 2
    Oh so the trick is to saturate the link with garbage, not overwhelm the server processing powers?? – amyassin Mar 06 '15 at 21:45
  • I understand that Cloudflare can have enough bandwidth to absorb all the traffic, filter it and only send the real client to you. But, if the attacker finds your real IP (not your fake Cloudflare IP), you will still be vulnerable to DDoS, right? – Gudradain Mar 06 '15 at 22:00
  • To overwhelming your link? I guess so. But not to other types if you are filtering your traffic to only accept traffic from Cloudflare IP addresses. – amyassin Mar 06 '15 at 22:30
  • 1
    @Gudradain Yes, you are supposed to do your best to hide your real IP. CloudFlare has a blog post on this subject: https://blog.cloudflare.com/ddos-prevention-protecting-the-origin/ – tlng05 Mar 06 '15 at 22:44
  • CloudFlare also has the benefit of being able to use anycast routing to distribute the load of the attack away from the target - a luxury you don't have at the ISP level, let alone at your router. – Polynomial Mar 06 '15 at 23:29
  • @amyassin in this case, yes. Not every attack depends on sheer bandwidth exhaustion (you can exhaust other resources in server software, OS kernels, or routing hardware), but a distributed attack with amplification makes it possible to overwhelm even a fat pipe to the point that legitimate traffic gets dropped. – hobbs Mar 07 '15 at 03:54
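The question and the answer both turn on the same observation: from the victim's side, every reflected DNS response arrives with no matching outbound query, and dropping those packets costs the host almost nothing, yet the bytes have already crossed the link. The script below is an added example, not code from the question, the answer or any of the commenters. It runs over constructed flow records shaped like NetFlow/IPFIX summaries (time, source address/port, destination address/port, byte count), flags DNS responses that no earlier query explains, counts distinct reflectors per victim, and compares the busiest second against an assumed link speed of 1 Mbit/s. Addresses are from the RFC 5737 documentation ranges; the 50-reflector, 3000-byte-per-response flood is invented to make the arithmetic visible.

```python
"""Spot a reflected DNS flood from the victim's own vantage point and compare
it with the link's capacity.

Added example, not code from the original question or answers. It works on
constructed flow records shaped like NetFlow/IPFIX summaries:
(time_s, src_ip, src_port, dst_ip, dst_port, bytes). Addresses come from the
RFC 5737 documentation ranges; the 1 Mbit/s link speed is an assumption.
"""
from collections import defaultdict

DNS_PORT = 53


def _flood_flows():
    """Constructed flood: 50 distinct 'open resolvers' each deliver one
    3000-byte response to the victim on a high port it never opened."""
    return [(1.0 + i * 0.01, f"198.51.100.{i}", DNS_PORT,
             "203.0.113.10", 30000 + i, 3000)
            for i in range(1, 51)]


SAMPLE_FLOWS = [
    # A legitimate client: query out from port 40000, reply comes back to it.
    (0.0, "203.0.113.20", 40000, "198.51.100.1", DNS_PORT, 64),
    (0.1, "198.51.100.1", DNS_PORT, "203.0.113.20", 40000, 120),
] + _flood_flows()


def find_unsolicited_dns_responses(flows):
    """Return DNS responses (source port 53) for which no matching query
    (same client address/port, same resolver) was seen earlier.

    The victim never sees the spoofed query, because the attacker sent it to
    the resolver with the victim's address as source, so from the victim's
    side every reflected response is unsolicited."""
    outstanding = set()
    unsolicited = []
    for flow in sorted(flows, key=lambda f: f[0]):
        _t, src_ip, sport, dst_ip, dport, _nbytes = flow
        if dport == DNS_PORT:
            outstanding.add((src_ip, sport, dst_ip))
        elif sport == DNS_PORT:
            key = (dst_ip, dport, src_ip)
            if key in outstanding:
                outstanding.discard(key)  # one answer per query
            else:
                unsolicited.append(flow)
    return unsolicited


def summarize_by_victim(unsolicited):
    """Per destination: how many distinct reflectors hit it and how many bytes."""
    out = defaultdict(lambda: {"reflectors": set(), "bytes": 0})
    for _t, src_ip, _sport, dst_ip, _dport, nbytes in unsolicited:
        out[dst_ip]["reflectors"].add(src_ip)
        out[dst_ip]["bytes"] += nbytes
    return {v: {"reflectors": len(d["reflectors"]), "bytes": d["bytes"]}
            for v, d in out.items()}


def peak_bits_per_second(flows):
    """Busiest one-second bucket, in bits per second, regardless of port."""
    buckets = defaultdict(int)
    for t, *_rest, nbytes in flows:
        buckets[int(t)] += nbytes * 8
    return max(buckets.values(), default=0)


def link_saturated(flows, link_bps):
    """True when the busiest second alone exceeds the link's capacity; at that
    point dropping packets at the host no longer helps, the queueing and loss
    happen upstream of it."""
    return peak_bits_per_second(flows) > link_bps


if __name__ == "__main__":
    bad = find_unsolicited_dns_responses(SAMPLE_FLOWS)
    print(summarize_by_victim(bad))
    print("peak bps:", peak_bits_per_second(SAMPLE_FLOWS),
          "saturated at 1 Mbit/s:", link_saturated(SAMPLE_FLOWS, 1_000_000))
```

On the sample data the legitimate reply is matched to its query and left alone, all 50 reflected responses are flagged, and the 150,000 bytes they carry in one second amount to 1.2 Mbit/s, above the assumed 1 Mbit/s link but comfortably under a 10 Mbit/s one. That is the point of the answer in numbers: the host-side drop is free, but the decision about whether the link survives was made by the volume, which is why the mitigation has to happen upstream or at a provider with more capacity.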