Linux Today: Linux News On Internet Time.
RootPrompt.org: Distributed Denial Of Service attacks. A proposal based on routing.

Apr 03, 2000, 13:52 (1 Talkback[s])
(Other stories by Fernando Schapachnik)

[ Thanks to Noel for this link. ]

"This paper describes a technique that -hopefully- can be used to defeat the recent DDOS attacks _in_real_time_. The solution presented here is based on routing. It requires a certain amount of extra network infrastructure."

"In order to be ready for a massive DDOS attack, example.com should change its network structure to something like:


                                 +--------------+
                      +----e-----+ stub network |
                      |          +--------------+
           +--------+ |
       -a--|        +-+          +---------------+
           |        |            |               |     +-----------------+
       -b--|  ISP   +-----d------+ example.com's +-----+ www.example.com |
           |        |            | border router |     +-----------------+
       -c--|        |            +---------------+     
           +--------+                                  10.0.0.2 and 10.0.1.2
                                                   10.0.0.1 and 10.0.1.1

        +---------------+
        | example.com's |
        | DNS server    |
        | where         |
        | www=10.0.0.2  |
        | and TTL=0     |
        +---------------+
"

"In case a DDOS attack against example.com is detected, the following actions should be carried out:
1- dial-up connection to example.com's externally located DNS server (possibly many of them, in order to complicate DDOSing both www and DNS servers) to make www.example.com point to 10.0.1.2.
2- phone call to the ISP to route traffic for 10.0.0.x to the stub network and start routing the 10.0.1 network. The ISP may also stop publishing the route to 10.0.0. This probably has a cost in BGP disaggregation and routing updates, but it may be worth it, because as the routing updates propagate the attack stops nearer its source."
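The two steps above are easy to get wrong in the details, so here is a small Python model of them. It is an added illustration, not code from the paper or from RootPrompt.org: it models example.com's zone (www with TTL=0), a client-side caching resolver, and the ISP router's forwarding table, then counts where the ISP sends packets from a legitimate client (which re-resolves the name on every request) and from attack bots (which keep flooding the address they learned before the switch). The next-hop labels "border-router" and "stub-network", the `min_ttl` resolver knob, and all traffic are assumptions constructed for the example; the addresses and names are the ones in the diagram.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass
class Record:
    ip: str
    ttl: int


class Zone:
    """example.com's authoritative zone: www carries TTL=0 as in the diagram."""

    def __init__(self):
        self.records = {"www.example.com": Record("10.0.0.2", 0)}

    def lookup(self, name):
        return self.records[name]

    def repoint(self, name, new_ip):
        # Step 1 of the response: make www point at the spare address.
        self.records[name] = Record(new_ip, 0)


class CachingResolver:
    """A client's resolver. min_ttl is a hypothetical knob modelling resolvers
    that refuse to honour very low TTLs and cache for at least that long."""

    def __init__(self, zone, min_ttl=0):
        self.zone = zone
        self.min_ttl = min_ttl
        self.cache = {}  # name -> (ip, expiry on a logical clock)

    def resolve(self, name, now):
        hit = self.cache.get(name)
        if hit is not None and now < hit[1]:
            return hit[0]
        rec = self.zone.lookup(name)
        ttl = max(rec.ttl, self.min_ttl)
        if ttl > 0:
            self.cache[name] = (rec.ip, now + ttl)
        return rec.ip


class ISPRouter:
    """The ISP box of the diagram: longest-prefix match over (prefix, next hop).
    Hop labels 'border-router' (link d) and 'stub-network' (link e) are ours."""

    def __init__(self):
        self.routes = [(ip_network("10.0.0.0/24"), "border-router")]

    def forward(self, dst):
        addr = ip_address(dst)
        candidates = [r for r in self.routes if addr in r[0]]
        if not candidates:
            return "no-route"
        return max(candidates, key=lambda r: r[0].prefixlen)[1]

    def respond_to_attack(self):
        # Step 2 of the response: 10.0.0.0/24 now dead-ends in the stub network,
        # and 10.0.1.0/24 is routed to example.com's border router instead.
        self.routes = [
            (ip_network("10.0.0.0/24"), "stub-network"),
            (ip_network("10.0.1.0/24"), "border-router"),
        ]


def run_scenario(attack_detected, resolver_min_ttl=0, rounds=10):
    """Count where the ISP forwards each party's packets.

    Bots learn www's address once, before the switch, and keep flooding it;
    a legitimate client re-resolves before every request. The traffic is
    constructed for this example, not captured."""
    zone = Zone()
    isp = ISPRouter()
    client = CachingResolver(zone, min_ttl=resolver_min_ttl)
    client.resolve("www.example.com", now=0)        # client has seen the old A record
    bot_target = zone.lookup("www.example.com").ip  # bots hard-code 10.0.0.2
    if attack_detected:
        zone.repoint("www.example.com", "10.0.1.2")
        isp.respond_to_attack()
    tally = {}
    for now in range(1, rounds + 1):
        for party, dst in (("client", client.resolve("www.example.com", now)),
                           ("bot", bot_target)):
            key = (party, isp.forward(dst))
            tally[key] = tally.get(key, 0) + 1
    return tally


if __name__ == "__main__":
    print("normal operation:", run_scenario(False))
    print("attack response, TTL honoured:", run_scenario(True))
    print("attack response, resolver clamps TTL to 300:",
          run_scenario(True, resolver_min_ttl=300))
```

The first two runs show the intended effect: once the ISP has re-routed, bot traffic aimed at 10.0.0.2 ends in the stub network while clients that re-resolve land on 10.0.1.2 at the border router. The third run is the caveat a practitioner should check before relying on the scheme: it only works if every resolver between the users and example.com honours the TTL of 0. A resolver that enforces a minimum cache lifetime keeps answering 10.0.0.2 and sends its users into the stub network alongside the attackers, and any attacker who re-resolves the name rather than hard-coding the address simply follows the move to 10.0.1.2.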
