1

I have been thinking about a way to hinder DDoS (Distributed Denial of Service) attacks (which seems to be a hot topic at the moment) by placing a signed Java Applet on the web site. This Java Applet should function as a web server so people viewing a web site could utilize their bandwidth to help others access the same web site. The Java Applet should not be included on the front page, but only if you clicked on a link like: "Help us against DDoS attacks". Of course the first web page to get distributed to the web server would be the front page, and just doing this should alleviate a lot. There are a lot of issues with this, which I simply lack the knowledge to solve.

  1. Could this be utilized to help against DDoS attacks?
  2. Would it be possible to do this in such a way that one can guarantee that the content that the distributed web servers send out is the actual content of the page?

The distributed web servers could communicate with each other, so they could organize themselves in hierarchies according to bandwidth etc.

There would need to be a central server to decide what content to present and which servers to utilize, but maybe it could be configured to only communicate with the Java applets so it would only accept incoming connections from certain IP addresses or something like that?

I believe that lots of people would keep this page running in the background to help out vulnerable web sites.

Please help me think outside the box on this issue, because there is a web site I would really like to help out.

David

4 Answers

3

This is highly unlikely to succeed. Here is why:

  • Despite your claim otherwise, you will not be able to distribute the applet once you are a victim of DDoS, because few or no legitimate users will be able to reach your site and download the applet. Remember, a browser applet is lost once you leave the page.
  • Even if you could convince people to download a standalone applet as a kind of p2p client (which then could be written in any language), an attacker can plan for this and also attack your p2p infrastructure, thus DDoSing all your users as well.
  • I can't see how you will inform regular user browsers to use your p2p applets when your network is down because it is under attack.

In short: Although your idea sounds nice, it won't help you against DDoS attacks.

Sven
  • I consider this similar to BitTorrent. Why haven't the content providers been able to stop the spreading of new films by utilizing DDoS attacks against those that share the files? – David Dec 05 '10 at 12:54
  • Because it would be illegal, and the collateral damage would be huge. – Sven Dec 05 '10 at 12:59
  • Could it be possible to inform the DNS to redirect the requests to the peer with available bandwidth right now, or is there too much latency on updating such things? – David Dec 05 '10 at 12:59
  • No, it wouldn't be possible. The latency can be up to a day, and once you update the DNS, the attacker knows its next target. Frankly, it appears that you don't know anything about how networks, browsers, Java applets or DNS work, so maybe you should learn about that first before trying to solve problems unsolved for decades. – Sven Dec 05 '10 at 13:16
  • ;) I think you are right SvenW. I mostly get into a field after believing that I have a new idea in that field. And now I have gained some knowledge. Thanks! – David Dec 05 '10 at 17:26
2

DDoS is a hot topic whenever some big guy decides it's time for some viral marketing so they can sell their awesome black-box product. What you are talking about is peer-to-peer web hosting, something Freenet does. P2P web hosting doesn't solve DDoS problems; the master nodes and other related services (DNS?) are still vulnerable. DDoS doesn't mean just hitting a web page or sending SYN-only traffic from multiple zombie machines. Things get much smarter depending on what money is in the game. DDoS means you will probably not even be able to distribute your applet to some initial number of visitors (supposing you will ever design a good algorithm for this). You will always have some failure points in your solution, distributed or not.

user237419
  • You will be able to distribute the applet in the first place one way or another. I see the problem with DNS is a good point, but you are not thinking outside the box in terms of the master node. You are very unspecific when you refer to "other services" and "things get much smarter". I have nothing to work with here, and I do not like unspecific negative feedback. – David Dec 05 '10 at 11:26
  • I gave you an upvote, nevertheless. – David Dec 05 '10 at 11:36
  • Freenet is interesting but it is a serious limitation that one has to install software to utilize it. Java Applets are so much better because there is no installation process apart from accepting the signed applet. – David Dec 05 '10 at 11:48
  • @David: unspecific on "other services": of course I am; enumerating "other services" is case-specific; think "services bound to the running platform". I mentioned DNS because it's surely used everywhere. DDoS is a big subject: how "specific" can you be without writing a book already old when finished? I mentioned Freenode as a p2p net example, not to be used as an anti-DDoS solution. Ever. – user237419 Dec 05 '10 at 15:54
  • "things get much smarter": attacks not following (or being developed based on) well known attack patterns. – user237419 Dec 05 '10 at 15:57
0

Yes, load balancing can be a solution to fight DDoS attacks.

Jeff
0

http://cipherdyne.org/psad/download/ You can read this tutorial.

A DDoS attack is SYN, ACK and other bad packets.

This is a simple rule to stop SYN/ACK floods in sysctl:

# Enable IP spoofing protection, turn on Source Address Verification
net.ipv4.conf.all.rp_filter = 1

# Enable TCP SYN Cookie Protection
net.ipv4.tcp_syncookies = 1

ntrance