Why is preventing DDoS so hard?

I was thinking, a DDoS attack can come in two ways:

  1. Sending large packets.
  2. Sending many packets.

So why don't network administrators limit IP connections to, let's say, 3 users/IPs and set a limit on their bandwidth?

I don't see the problem. I know many software products, such as NetLimiter 3 Pro, that work fine to limit bandwidth, but they don't limit users/IPs.

Marcus N

Posted 2013-10-04T22:33:35.307

Reputation: 39

Question was closed 2013-10-07T19:51:05.157

How do you distinguish between legitimate traffic to a popular website, versus a DDoS? – None – 2013-10-04T22:35:17.607

If you see 100 IPs with the same download rate, maybe you see it. Or if you have 1 IP downloading all of your internet, ........... – Marcus N – 2013-10-04T22:36:16.550

So it depends, right? No algorithm is going to solve it without some form of intelligence. That's where people like CloudFlare come in. – None – 2013-10-04T22:37:04.020

Can you rewrite the question? Besides being hard to understand what you are really asking, this will get a lot of opinion-based answers. – Doktoro Reichard – 2013-10-04T22:38:22.873

No, I can't write a better question; I'm just wondering why DDoS can't be prevented. - edit - close it if you need to. – Marcus N – 2013-10-04T22:39:28.670

I then refer you to the about page and the help page. It seems to me like a lack of respect when you didn't even bother to read what is expected of the community. – Doktoro Reichard – 2013-10-04T22:46:13.343

Keep in mind, there are more than the two types. Pretty much any form of DoS attack can be made better by distribution, so application layer attacks (bad input to your app which crashes it), internetwork layer attacks (magic packets, ACK/RST/FIN floods), and physical layer attacks (frag buffer overflows, offset fragment attacks, RX buffer overflows) can all be distributed, in order to increase the impact of the attack. As such, you need well-coded apps and hardened network stacks in addition to packet analysis and firewalling. To sum up, DoS is a generic name for a large family of attacks. – Frank Thomas – 2013-10-05T05:03:33.253

Answers

Well, firstly, let's define the term "DDoS". That stands for Distributed Denial Of Service, the keyword being distributed. If you limit the number of connections per IP, it doesn't matter, because you have a hundred thousand different IP addresses hammering your system.

So you limit by request size. Great, how do you distinguish between some guy F5ing and a node in a botnet?

But whatever, let's say we have a magic behavioural analysing algorithm. DDoS attacks seek to exhaust server resources and ensure the machine is not reachable; throwing complex data analytics at a problem caused by resource starvation is going to exacerbate the issue, not solve it.

The unfortunate fact of the matter is, even ignoring a connection takes some resources. You could consider looking into a service like Cloudflare, which mixes caching for low resource usage per request with (I believe) human aided DDoS detection, but re-implementing this service yourself is likely out of scope for most projects and would massively increase complexity.

Phoshi

Posted 2013-10-04T22:33:35.307

Reputation: 22 001

Okay, I just don't know why nobody invented more security... it's been years since the internet and ports were invented. But I understand, you mean that computer virus that DDoSes without you knowing it, with thousands of computers. Thanks. – Marcus N – 2013-10-04T22:50:31.560

@MarcusN - The whole point is every single one of those connections could be a real connection. While you can put in some prevention like Cloudflare, which will serve cached content instead of live content, it still cannot tell the difference between a fake and a real connection. – Ramhound – 2013-10-04T22:52:30.753

Aha, I should tell the DDoSed MMORPG owners CIPSOFT that o_O, maybe they could make a solution. OK, interesting :P – Marcus N – 2013-10-04T22:54:43.630

@MarcusN: There is no solution in the general case. Even throwing up a black hole over entire IP ranges still requires your network hardware to identify and discard those connections, which still takes resources. You can make it harder, of course, but a DDoS attack relies on sheer scale, and in order to beat an attack which can scale up almost indefinitely you would need a machine capable of doing infinite work, which is impossible. – Phoshi – 2013-10-05T12:50:33.597
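The per-IP limit the question proposes, replayed against the two cases Phoshi's answer contrasts (one host hammering the server versus many hosts each staying under the limit), as an added example that is not part of the thread. Everything in it is constructed: the 10.x.x.x source addresses, the "3 per IP" limit, the 5,000 requests/s server capacity and the traffic rates are made-up numbers chosen to make the comparison visible.

```python
"""Added example: a per-source-IP token-bucket limiter run against a
single-source flood and a distributed flood of the same aggregate size.
Not code from the thread; all limits, capacities and addresses are assumed."""
import ipaddress


class TokenBucket:
    """Classic token bucket: `rate` tokens/s refill, at most `burst` stored."""

    def __init__(self, rate: float, burst: float, now: float) -> None:
        self.rate = rate
        self.burst = burst
        self.tokens = burst      # a newly seen source starts with a full bucket
        self.last = now

    def allow(self, now: float) -> bool:
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class PerSourceLimiter:
    """A per-IP limit of the kind the question asks about."""

    def __init__(self, rate: float, burst: float) -> None:
        self.rate = rate
        self.burst = burst
        self.buckets: dict[str, TokenBucket] = {}
        self.packets_inspected = 0   # every packet costs a lookup, dropped or not

    def allow(self, src: str, now: float) -> bool:
        self.packets_inspected += 1
        bucket = self.buckets.get(src)
        if bucket is None:
            bucket = self.buckets[src] = TokenBucket(self.rate, self.burst, now)
        return bucket.allow(now)


def simulate(num_sources: int, pps_per_source: int, seconds: int,
             limit_pps: float, burst: float, server_capacity_pps: int) -> dict:
    """Replay `seconds` of traffic from `num_sources` constructed 10.x.x.x
    addresses, each sending `pps_per_source` packets/s evenly spaced, through a
    per-source limiter, and compare the peak accepted rate with server capacity."""
    limiter = PerSourceLimiter(limit_pps, burst)
    sources = [str(ipaddress.IPv4Address(0x0A000000 + i)) for i in range(num_sources)]
    peak_accepted = 0
    for second in range(seconds):
        accepted = 0
        for src in sources:
            for i in range(pps_per_source):
                now = second + i / pps_per_source
                if limiter.allow(src, now):
                    accepted += 1
        peak_accepted = max(peak_accepted, accepted)
    return {
        "peak_accepted_pps": peak_accepted,
        "overloaded": peak_accepted > server_capacity_pps,
        "packets_inspected": limiter.packets_inspected,  # work done regardless of verdict
        "tracked_sources": len(limiter.buckets),         # state held per attacking host
    }


if __name__ == "__main__":
    CAPACITY = 5_000          # assumed: requests/s the origin can actually serve
    LIMIT, BURST = 3.0, 3.0   # the "3 per IP" style limit from the question

    # One host sending 20,000 packets/s: the per-IP limit does its job.
    single = simulate(1, 20_000, 2, LIMIT, BURST, CAPACITY)
    # 10,000 hosts sending 2 packets/s each: the same 20,000 packets/s, but every
    # source stays under the limit, so the limiter waves it all through.
    distributed = simulate(10_000, 2, 2, LIMIT, BURST, CAPACITY)
    for name, result in (("single-source", single), ("distributed", distributed)):
        print(name, result)
```

The two runs inspect the same number of packets, so the limiter does the same work either way; in the distributed run it also holds one bucket per attacking host, and what reaches the server is still four times its capacity. Tightening the limit does not rescue it: at 1 packet/s per source, 10,000 sources still deliver 10,000 accepted packets/s, and any per-source limit low enough to protect a 5,000/s server from 10,000 sources is below one request per second, which would also lock out every legitimate user.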

You can't limit them. If someone is shooting bullets at you, how do you impose a limit on how many bullets they can fire at you? By the time the bullet gets to you, the damage is already done.

David Schwartz

Posted 2013-10-04T22:33:35.307

Reputation: 58 310

Well, in this analogy you'd have to be god and able to heal yourself from a bullet wound as soon as the shooting stops. – Jon – 2013-10-05T01:11:36.543

The best analogy I have ever heard of a DDoS is a magnifying glass. If you take the light from the sun and let it fall on your hand it feels nice, but if you take a magnifying glass and focus that same amount of light on to a single point it causes damage. It's the same light; nothing changed, it is just focused. Like a DDoS, it's the same packets, in fact they could be legitimate requests, but a large mass botnet focused on a single server/website with many, many more requests than it was designed to handle causes the problem. – Scott Chamberlain – 2013-10-05T03:02:25.393

My metaphor for networking always focuses on water in a pipe. If your town is flooded, your storm sewer system is flooded as well, so because the pipes are full, water from the street can't move into and through the system at an optimal rate. – Frank Thomas – 2013-10-05T04:54:40.830