|
Moderator note: The instructions in this thread will do nothing to protect you from a DDoS attack. The only way to prevent an attack is to avoid your IP address becoming public. |
On September 04 2012 06:25 LunaSea wrote:Show nested quote +On September 04 2012 06:17 trGKakarot wrote:On September 04 2012 06:15 LunaSea wrote:On September 04 2012 06:13 trGKakarot wrote: I will admit I only skimmed this thread (since it seems like if somebody solved DDoS attacks they would be getting a lot more traction than a random thread on TL), but from what I gather the OP is assuming that an ISP will send an infinite amount of data to your router and filtering out bad IP addresses at your router level will solve the problem since then you only accept "x" amount of data? Yes, except it's not your ISP sending the data originally, but a bunch of hacked computers rented by a random kid. Right, but you are only connected to the outside world through your ISP (unless they are somehow on your intranet, which means you have a bigger problem). Maybe I am missing something... Yes but what I meant is this : A --> sends a packet to B --> who forwards it to C Where : A is the attacker, B your ISP, and C is you. A is the one the packets originate from and B only forwards it to the destination indicated in the packet.
Why would that matter at all?
The thing is simply that some host in the internet bombs your IP with packets, and your ISP will forward all these packets until they reach your router. You are free to drop them at the router level, but the bottleneck is between you and your ISP. Filtering at the router has no effect whatsoever in the scenario of a (D)DoS as the bottleneck will also be choked no matter what you filter at the router.
|
On September 04 2012 05:13 Tao367 wrote:Show nested quote +On September 04 2012 05:07 Pumplekin wrote: I'm not meaning to be offensive here, but the vast majority of this advice is just straight up wrong to the point it isn't worth reading.
Blocking a denial of service attack on a home based router is going to do nothing, the problem is the buffer in whatever access device lives at your ISP. If you have 10mbit downstream at home and you want to use it all, and I'm throwing 1gbit of garbage at your IP address, only around 1 in 100 of your legitimate packets is going to make it, the rest are going to be discarded before they even get to your home router, so no matter what filtering you apply on it, it isn't going to help you.
The real solutions to DDoS for the home streamer are :-
1.) Don't leak your IP address (and stuff like IRC without host hiding, Skype and other IM programs and I'm sure many other things can make this hard to do). 2.) Don't anger the internet bad guys (yeah, sometimes that is just impossible). 3.) Be very friendly with your ISP support staff (as the standard ISP response to a major DDoS is going to be to null route at the ISP's borders to protect other customers). Pretty sure there is no way to discover ip's through skype/other IM services, if there was there would be huge news about it.
Skype etc. is actually THE way that people gather IP adresses, and it's not news, most people have known it for many years now, nothing new... if just all providers would provide static IP adresses there wouldn't be any issues )
Edit: dynamic, not static
|
On September 04 2012 06:25 LunaSea wrote:Show nested quote +On September 04 2012 06:17 trGKakarot wrote:On September 04 2012 06:15 LunaSea wrote:On September 04 2012 06:13 trGKakarot wrote: I will admit I only skimmed this thread (since it seems like if somebody solved DDoS attacks they would be getting a lot more traction than a random thread on TL), but from what I gather the OP is assuming that an ISP will send an infinite amount of data to your router and filtering out bad IP addresses at your router level will solve the problem since then you only accept "x" amount of data? Yes, except it's not your ISP sending the data originally, but a bunch of hacked computers rented by a random kid. Right, but you are only connected to the outside world through your ISP (unless they are somehow on your intranet, which means you have a bigger problem). Maybe I am missing something... Yes but what I meant is this : A --> sends a packet to B --> who forwards it to C Where : A is the attacker, B your ISP, and C is you. A is the one the packets originate from and B only forwards it to the destination indicated in the packet.
Right, but B cannot send an unlimited amount of data to C, so if A floods B with 1,000,000 packets to go to C then the other data which B was going send to C might not get sent.
So doing something at the C end doesn't seem like it would help ... right?
|
On September 04 2012 06:28 Cinim wrote:Show nested quote +On September 04 2012 05:13 Tao367 wrote:On September 04 2012 05:07 Pumplekin wrote: I'm not meaning to be offensive here, but the vast majority of this advice is just straight up wrong to the point it isn't worth reading.
Blocking a denial of service attack on a home based router is going to do nothing, the problem is the buffer in whatever access device lives at your ISP. If you have 10mbit downstream at home and you want to use it all, and I'm throwing 1gbit of garbage at your IP address, only around 1 in 100 of your legitimate packets is going to make it, the rest are going to be discarded before they even get to your home router, so no matter what filtering you apply on it, it isn't going to help you.
The real solutions to DDoS for the home streamer are :-
1.) Don't leak your IP address (and stuff like IRC without host hiding, Skype and other IM programs and I'm sure many other things can make this hard to do). 2.) Don't anger the internet bad guys (yeah, sometimes that is just impossible). 3.) Be very friendly with your ISP support staff (as the standard ISP response to a major DDoS is going to be to null route at the ISP's borders to protect other customers). Pretty sure there is no way to discover ip's through skype/other IM services, if there was there would be huge news about it. Skype etc. is actually THE way that people gather IP adresses, and it's not news, most people have known it for many years now, nothing new... if just all providers would provide static IP adresses there wouldn't be any issues )
You mean dynamic IP addresses? If all providers used static IPs then this would actually suck pretty hard in terms of DDoS, since if your IP only leaks one single time then you can theoretically be flooded forever.
|
On September 04 2012 06:28 pmp10 wrote:+ Show Spoiler +On September 04 2012 06:10 LunaSea wrote:Show nested quote +On September 04 2012 06:06 pmp10 wrote:+ Show Spoiler +On September 04 2012 05:51 LunaSea wrote:Show nested quote +On September 04 2012 05:47 pmp10 wrote:On September 04 2012 05:41 LunaSea wrote:On September 04 2012 05:38 pmp10 wrote: Wait - so all you did was make a switch to a white-list ACL to save CPU cycles of a router? That's essentially worthless - router CPUs are not overburdened during an DDoS attack. The network resources are. Yes that's why you have a white-list, so that your tcp window won't be full of corrupted packets. Your tcp connection (window?) will receive only what gets through the ISP/buffers ect. So essentially not much - certainly very little of what you are hoping for. The TCP window is a buffer. Nice try mister professional. Pretty sure it isn't. Last I recall buffer was a kind of a memory while a window a part of TCP packet but maybe things have changed. Show nested quote +The simplest way of considering the window size is that it indicates the size of the device's receive buffer for the particular connection. -- http://www.tcpipguide.com/free/t_TCPWindowSizeAdjustmentandFlowControl.htmplz ... Please look up those terms somewhere more reputable, Gross oversimplification and completely mismatched definitions won't help your education. Buffer is about as much a TCP window as operating system is a RAM. TCP window can set buffer size but they are completely different things.
I did projects around sequence number guessing exploits using window size and OS window scaling. I think I know more on that subject that what you can grasp.
|
Okay, almost sick of this now, but let us just imagine this situation.
A is me, I'm the attacker. Lets imagine I run, from a host with a 1gbit/s internet connection a udp flood attack, which just generates a bunch of random UDP packets (all from the same, non-spoofed) address, and sends them to your public IPv4 address.
B is your ISP, and you have a 10mbit/s connection to your ISP. Lets assume otherwise your ISP is amazing and has multiple 10gbit/s links everywhere, and can easily carry the 1gbit/s all the way down to your DSLAM or BRAS or whatever it is that your access circuit is connected to. Lets further define B as this BRAS or DSLAM. Lets also just assume you are using DSL and a DSLAM to make this easy to talk about.
C is your router.
I start the attack, and the first UDP packet arrives B. It delivers it down your DSL line. Because my 1gbit/s is 100 times faster than your 10mbit/s connection, while that packet was being delivered down the DSL line, 99 more packets arrived at B, which put them into a buffer.
Then the 2nd of my attack packets is played out the DSL line, and while that is going, 99 more packets arrive. You now have 198 packets in B's buffer. We repeat for the 3rd packet, and you now have 297 packets in B's buffer. This continues until B's buffer is full or filling. What happens then depends on the buffer management strategy in B, which may be tail-drop, it may be RED or WRED or some other congestion control mechanism, but at the end of the day, all these different strategies are is different ways to decide what to throw away when your buffers are full.
Now with this attack going, something legit tries to send you a packet (say it is the SYN+ACK to the web request you just made to teamliquid.net). Unless that packet arrives at JUST the right time at B, it is going to be discarded. Even if it DOES arrive at just the right time, the odds of the NEXT packet (the first of the HTTP payload) also arriving at JUST the right time is super slim. Effectively you are trying to use an internet connection with 99% packet loss, and that just is never going to work well at all.
|
|
On September 04 2012 06:34 .syd. wrote:Show nested quote +On September 04 2012 06:28 Cinim wrote:On September 04 2012 05:13 Tao367 wrote:On September 04 2012 05:07 Pumplekin wrote: I'm not meaning to be offensive here, but the vast majority of this advice is just straight up wrong to the point it isn't worth reading.
Blocking a denial of service attack on a home based router is going to do nothing, the problem is the buffer in whatever access device lives at your ISP. If you have 10mbit downstream at home and you want to use it all, and I'm throwing 1gbit of garbage at your IP address, only around 1 in 100 of your legitimate packets is going to make it, the rest are going to be discarded before they even get to your home router, so no matter what filtering you apply on it, it isn't going to help you.
The real solutions to DDoS for the home streamer are :-
1.) Don't leak your IP address (and stuff like IRC without host hiding, Skype and other IM programs and I'm sure many other things can make this hard to do). 2.) Don't anger the internet bad guys (yeah, sometimes that is just impossible). 3.) Be very friendly with your ISP support staff (as the standard ISP response to a major DDoS is going to be to null route at the ISP's borders to protect other customers). Pretty sure there is no way to discover ip's through skype/other IM services, if there was there would be huge news about it. Skype etc. is actually THE way that people gather IP adresses, and it's not news, most people have known it for many years now, nothing new... if just all providers would provide static IP adresses there wouldn't be any issues ) You mean dynamic IP addresses? If all providers used static IPs then this would actually suck pretty hard in terms of DDoS, since if your IP only leaks one single time then you can theoretically be flooded forever. Yes, I meant dynamic xD static is ofc the opposite of what you would want
|
On September 04 2012 06:29 trGKakarot wrote:+ Show Spoiler +On September 04 2012 06:25 LunaSea wrote:Show nested quote +On September 04 2012 06:17 trGKakarot wrote:On September 04 2012 06:15 LunaSea wrote:On September 04 2012 06:13 trGKakarot wrote: I will admit I only skimmed this thread (since it seems like if somebody solved DDoS attacks they would be getting a lot more traction than a random thread on TL), but from what I gather the OP is assuming that an ISP will send an infinite amount of data to your router and filtering out bad IP addresses at your router level will solve the problem since then you only accept "x" amount of data? Yes, except it's not your ISP sending the data originally, but a bunch of hacked computers rented by a random kid. Right, but you are only connected to the outside world through your ISP (unless they are somehow on your intranet, which means you have a bigger problem). Maybe I am missing something... Yes but what I meant is this : A --> sends a packet to B --> who forwards it to C Where : A is the attacker, B your ISP, and C is you. A is the one the packets originate from and B only forwards it to the destination indicated in the packet. Right, but B cannot send an unlimited amount of data to C [...]
Yes, they can actually. B is an ISP and has bandwidth that is magnitude higher than what a personal connection can handle.
|
On September 04 2012 06:37 LunaSea wrote:Show nested quote +On September 04 2012 06:29 trGKakarot wrote:+ Show Spoiler +On September 04 2012 06:25 LunaSea wrote:Show nested quote +On September 04 2012 06:17 trGKakarot wrote:On September 04 2012 06:15 LunaSea wrote:On September 04 2012 06:13 trGKakarot wrote: I will admit I only skimmed this thread (since it seems like if somebody solved DDoS attacks they would be getting a lot more traction than a random thread on TL), but from what I gather the OP is assuming that an ISP will send an infinite amount of data to your router and filtering out bad IP addresses at your router level will solve the problem since then you only accept "x" amount of data? Yes, except it's not your ISP sending the data originally, but a bunch of hacked computers rented by a random kid. Right, but you are only connected to the outside world through your ISP (unless they are somehow on your intranet, which means you have a bigger problem). Maybe I am missing something... Yes but what I meant is this : A --> sends a packet to B --> who forwards it to C Where : A is the attacker, B your ISP, and C is you. A is the one the packets originate from and B only forwards it to the destination indicated in the packet. Right, but B cannot send an unlimited amount of data to C [...] Yes, they can actually. B is an ISP and has bandwidth that is magnitude higher than what a personal connection can handle.
You don't pay for that much bandwidth, therefore you will not be sent that much data.
You seem to be mixing what is theoretically possible, and what is actually implemented.
|
On September 04 2012 06:40 trGKakarot wrote:+ Show Spoiler +On September 04 2012 06:37 LunaSea wrote:Show nested quote +On September 04 2012 06:29 trGKakarot wrote:+ Show Spoiler +On September 04 2012 06:25 LunaSea wrote:Show nested quote +On September 04 2012 06:17 trGKakarot wrote:On September 04 2012 06:15 LunaSea wrote:On September 04 2012 06:13 trGKakarot wrote: I will admit I only skimmed this thread (since it seems like if somebody solved DDoS attacks they would be getting a lot more traction than a random thread on TL), but from what I gather the OP is assuming that an ISP will send an infinite amount of data to your router and filtering out bad IP addresses at your router level will solve the problem since then you only accept "x" amount of data? Yes, except it's not your ISP sending the data originally, but a bunch of hacked computers rented by a random kid. Right, but you are only connected to the outside world through your ISP (unless they are somehow on your intranet, which means you have a bigger problem). Maybe I am missing something... Yes but what I meant is this : A --> sends a packet to B --> who forwards it to C Where : A is the attacker, B your ISP, and C is you. A is the one the packets originate from and B only forwards it to the destination indicated in the packet. Right, but B cannot send an unlimited amount of data to C [...] Yes, they can actually. B is an ISP and has bandwidth that is magnitude higher than what a personal connection can handle. You don't pay for that much bandwidth, therefore you will not be sent that much data. You seem to be mixing what is theoretically possible, and what is actually implemented.
There is no theory. If someone send you 1Gbit of data on your 10Mbit connection you will receive them is will just create a huge congestion and packets will be dropped by the ISP.
|
I had no idea we had so many network engineers on this website. Jesus christ so many convincing arguments from so many people..
|
On September 04 2012 06:42 LunaSea wrote:Show nested quote +On September 04 2012 06:40 trGKakarot wrote:+ Show Spoiler +On September 04 2012 06:37 LunaSea wrote:Show nested quote +On September 04 2012 06:29 trGKakarot wrote:+ Show Spoiler +On September 04 2012 06:25 LunaSea wrote:Show nested quote +On September 04 2012 06:17 trGKakarot wrote:On September 04 2012 06:15 LunaSea wrote:On September 04 2012 06:13 trGKakarot wrote: I will admit I only skimmed this thread (since it seems like if somebody solved DDoS attacks they would be getting a lot more traction than a random thread on TL), but from what I gather the OP is assuming that an ISP will send an infinite amount of data to your router and filtering out bad IP addresses at your router level will solve the problem since then you only accept "x" amount of data? Yes, except it's not your ISP sending the data originally, but a bunch of hacked computers rented by a random kid. Right, but you are only connected to the outside world through your ISP (unless they are somehow on your intranet, which means you have a bigger problem). Maybe I am missing something... Yes but what I meant is this : A --> sends a packet to B --> who forwards it to C Where : A is the attacker, B your ISP, and C is you. A is the one the packets originate from and B only forwards it to the destination indicated in the packet. Right, but B cannot send an unlimited amount of data to C [...] Yes, they can actually. B is an ISP and has bandwidth that is magnitude higher than what a personal connection can handle. You don't pay for that much bandwidth, therefore you will not be sent that much data. You seem to be mixing what is theoretically possible, and what is actually implemented. There is no theory. If someone send you 1Gbit of data on your 10Mbit connection you will receive them is will just create a huge congestion.
... which is the purpose of a DDoS attack
|
@Luna: Your clarification on page 2 yourself should have made what Pimp, trG etc are trying to say clear. They're pretty much saying the path to your router gets shited up by a DDoS and nothing you do on your side will increase the ize of your allocated bandwidth path so thus blocking on your final end is indeed quite useless.
And No ISPS will not simply increase your bandwidth so they can suddenly account for your burst of incomming data. Itll get clogged and wait till you yourself deny it on your end.
|
On September 04 2012 06:42 LunaSea wrote:Show nested quote +On September 04 2012 06:40 trGKakarot wrote:+ Show Spoiler +On September 04 2012 06:37 LunaSea wrote:Show nested quote +On September 04 2012 06:29 trGKakarot wrote:+ Show Spoiler +On September 04 2012 06:25 LunaSea wrote:Show nested quote +On September 04 2012 06:17 trGKakarot wrote:On September 04 2012 06:15 LunaSea wrote:On September 04 2012 06:13 trGKakarot wrote: I will admit I only skimmed this thread (since it seems like if somebody solved DDoS attacks they would be getting a lot more traction than a random thread on TL), but from what I gather the OP is assuming that an ISP will send an infinite amount of data to your router and filtering out bad IP addresses at your router level will solve the problem since then you only accept "x" amount of data? Yes, except it's not your ISP sending the data originally, but a bunch of hacked computers rented by a random kid. Right, but you are only connected to the outside world through your ISP (unless they are somehow on your intranet, which means you have a bigger problem). Maybe I am missing something... Yes but what I meant is this : A --> sends a packet to B --> who forwards it to C Where : A is the attacker, B your ISP, and C is you. A is the one the packets originate from and B only forwards it to the destination indicated in the packet. Right, but B cannot send an unlimited amount of data to C [...] Yes, they can actually. B is an ISP and has bandwidth that is magnitude higher than what a personal connection can handle. You don't pay for that much bandwidth, therefore you will not be sent that much data. You seem to be mixing what is theoretically possible, and what is actually implemented. There is no theory. If someone send you 1Gbit of data on your 10Mbit connection you will receive them is will just create a huge congestion.
This will make you receive packets with significant delay, which at a certain point makes you're service ... denied.
|
On September 04 2012 06:37 LunaSea wrote:Show nested quote +On September 04 2012 06:29 trGKakarot wrote:+ Show Spoiler +On September 04 2012 06:25 LunaSea wrote:Show nested quote +On September 04 2012 06:17 trGKakarot wrote:On September 04 2012 06:15 LunaSea wrote:On September 04 2012 06:13 trGKakarot wrote: I will admit I only skimmed this thread (since it seems like if somebody solved DDoS attacks they would be getting a lot more traction than a random thread on TL), but from what I gather the OP is assuming that an ISP will send an infinite amount of data to your router and filtering out bad IP addresses at your router level will solve the problem since then you only accept "x" amount of data? Yes, except it's not your ISP sending the data originally, but a bunch of hacked computers rented by a random kid. Right, but you are only connected to the outside world through your ISP (unless they are somehow on your intranet, which means you have a bigger problem). Maybe I am missing something... Yes but what I meant is this : A --> sends a packet to B --> who forwards it to C Where : A is the attacker, B your ISP, and C is you. A is the one the packets originate from and B only forwards it to the destination indicated in the packet. Right, but B cannot send an unlimited amount of data to C [...] Yes, they can actually. B is an ISP and has bandwidth that is magnitude higher than what a personal connection can handle.
I want that kind of connection. A gigabit+ download bandwidth all to myself?
You do realize that the ISP has to police your bandwidth somehow, else they would have to supply a fiber connection to every customer.
|
Please everyone, no one here seems to know at all what they are talking about, especially this Pumplekin guy, no offense but you're not really anything close to and expert. He never said this was a perfect solution, especially because you have to block off connection to mostly every server out there, so this is a solution that only works in very very rare occasions. You guys are going on about how big this would be IF it worked, but if it does work, the fact that it's a whitelist as he say and not a blacklist, is exactly why this isn't a great solution, unless you are in the unique situation that it is neccesary.
I suggest that people do 1 simple thing: actually test it out, someone stream, someone intentionally try and DDoS him, and see if it works, rather than argueing constantly for no reason. Everyone who worked with tech will know that nothing is ever certain when it's just theory.
|
On September 04 2012 06:45 Cinim wrote: Please everyone, no one here seems to know at all what they are talking about, especially this Pumplekin guy, no offense but you're not really anything close to and expert. He never said this was a perfect solution, especially because you have to block off connection to mostly every server out there, so this is a solution that only works in very very rare occasions. You guys are going on about how big this would be IF it worked, but if it does work, the fact that it's a whitelist as he say and not a blacklist, is exactly why this isn't a great solution, unless you are in the unique situation that it is neccesary.
I suggest that people do 1 simple thing: actually test it out, someone stream, someone intentionally try and DDoS him, and see if it works, rather than argueing constantly for no reason. Everyone who worked with tech will know that nothing is ever certain when it's just theory.
The "Pumplekin guy" does know what he's saying. And i know a fair bit about it too as i have a degree in network engineering.
|
On September 04 2012 06:44 trGKakarot wrote:+ Show Spoiler +On September 04 2012 06:42 LunaSea wrote:Show nested quote +On September 04 2012 06:40 trGKakarot wrote:+ Show Spoiler +On September 04 2012 06:37 LunaSea wrote:Show nested quote +On September 04 2012 06:29 trGKakarot wrote:+ Show Spoiler +On September 04 2012 06:25 LunaSea wrote:Show nested quote +On September 04 2012 06:17 trGKakarot wrote:On September 04 2012 06:15 LunaSea wrote:On September 04 2012 06:13 trGKakarot wrote: I will admit I only skimmed this thread (since it seems like if somebody solved DDoS attacks they would be getting a lot more traction than a random thread on TL), but from what I gather the OP is assuming that an ISP will send an infinite amount of data to your router and filtering out bad IP addresses at your router level will solve the problem since then you only accept "x" amount of data? Yes, except it's not your ISP sending the data originally, but a bunch of hacked computers rented by a random kid. Right, but you are only connected to the outside world through your ISP (unless they are somehow on your intranet, which means you have a bigger problem). Maybe I am missing something... Yes but what I meant is this : A --> sends a packet to B --> who forwards it to C Where : A is the attacker, B your ISP, and C is you. A is the one the packets originate from and B only forwards it to the destination indicated in the packet. Right, but B cannot send an unlimited amount of data to C [...] Yes, they can actually. B is an ISP and has bandwidth that is magnitude higher than what a personal connection can handle. You don't pay for that much bandwidth, therefore you will not be sent that much data. You seem to be mixing what is theoretically possible, and what is actually implemented. There is no theory. If someone send you 1Gbit of data on your 10Mbit connection you will receive them is will just create a huge congestion. This will make you receive packets with significant delay, which at a certain point makes you're service ... denied.
Which is the definition of a DDoS. Thank you but I wrote the definition in the OP. Next time read the thread before plz.
|
On September 04 2012 06:44 karpo wrote:Show nested quote +On September 04 2012 06:37 LunaSea wrote:On September 04 2012 06:29 trGKakarot wrote:+ Show Spoiler +On September 04 2012 06:25 LunaSea wrote:Show nested quote +On September 04 2012 06:17 trGKakarot wrote:On September 04 2012 06:15 LunaSea wrote:On September 04 2012 06:13 trGKakarot wrote: I will admit I only skimmed this thread (since it seems like if somebody solved DDoS attacks they would be getting a lot more traction than a random thread on TL), but from what I gather the OP is assuming that an ISP will send an infinite amount of data to your router and filtering out bad IP addresses at your router level will solve the problem since then you only accept "x" amount of data? Yes, except it's not your ISP sending the data originally, but a bunch of hacked computers rented by a random kid. Right, but you are only connected to the outside world through your ISP (unless they are somehow on your intranet, which means you have a bigger problem). Maybe I am missing something... Yes but what I meant is this : A --> sends a packet to B --> who forwards it to C Where : A is the attacker, B your ISP, and C is you. A is the one the packets originate from and B only forwards it to the destination indicated in the packet. Right, but B cannot send an unlimited amount of data to C [...] Yes, they can actually. B is an ISP and has bandwidth that is magnitude higher than what a personal connection can handle. I want that kind of connection. A gigabit+ download bandwidth all to myself? You do realize that the ISP has to police your bandwidth somehow, else they would have to supply a fiber connection to every customer.
Move to Lund ^^
http://labs2.com/brikks/kundreferenser/gigabit-i-lund
|
|
|
|