|
Moderator note: The instructions in this thread will do nothing to protect you from a DDoS attack. The only way to prevent an attack is to avoid your IP address becoming public. |
On September 04 2012 06:47 LunaSea wrote (the nested quotes, oldest first):
On September 04 2012 06:13 trGKakarot wrote: I will admit I only skimmed this thread (since it seems like if somebody solved DDoS attacks they would be getting a lot more traction than a random thread on TL), but from what I gather the OP is assuming that an ISP will send an infinite amount of data to your router and filtering out bad IP addresses at your router level will solve the problem, since then you only accept "x" amount of data?
On September 04 2012 06:15 LunaSea wrote: Yes, except it's not your ISP sending the data originally, but a bunch of hacked computers rented by a random kid.
On September 04 2012 06:17 trGKakarot wrote: Right, but you are only connected to the outside world through your ISP (unless they are somehow on your intranet, which means you have a bigger problem). Maybe I am missing something...
On September 04 2012 06:25 LunaSea wrote: Yes, but what I meant is this: A --> sends a packet to B --> who forwards it to C, where A is the attacker, B your ISP, and C is you. A is the one the packets originate from and B only forwards it to the destination indicated in the packet.
On September 04 2012 06:29 trGKakarot wrote: Right, but B cannot send an unlimited amount of data to C [...]
On September 04 2012 06:37 LunaSea wrote: Yes, they can actually. B is an ISP and has bandwidth that is magnitudes higher than what a personal connection can handle.
On September 04 2012 06:40 trGKakarot wrote: You don't pay for that much bandwidth, therefore you will not be sent that much data. You seem to be mixing what is theoretically possible and what is actually implemented.
On September 04 2012 06:42 LunaSea wrote: There is no theory. If someone sends you 1 Gbit of data on your 10 Mbit connection you will receive it; it will just create a huge congestion. This will make you receive packets with significant delay, which at a certain point makes your service ... denied.
On September 04 2012 06:44 trGKakarot wrote: Which is the definition of a DDoS.
On September 04 2012 06:47 LunaSea wrote: Thank you, but I wrote the definition in the OP. Next time read the thread first, please.
I feel like I just walked you through to understand how your system still doesn't work, and then you ignore that fact and tell me how it is the definition of a DDoS.
For the record, I have an MS in Computer Science (granted my graduate research wasn't focused on network systems, but I feel like I have a reasonable grasp on this topic).
|
If a typical home user at an ISP gets DDoS'd, this is what is likely to happen (it will vary a little with different ISPs).
1.) The ISP will push a /32 route to blackhole the traffic into the ISP's IGP, which will cause any of the ISP's routers that get traffic destined for your address to throw it away straight away. This means the peering/transit routers at the ISP will discard it as soon as possible. It is possible, if the attack is large and the ISP is small, that even this won't be enough and the entire ISP's service will be degraded.
2.) They will arrange with upstream ISPs (certainly transit providers, and possibly some peers, if they see lots of attack traffic from that peer) for them to blackhole this traffic at source. Sometimes this is an ISP's NOC calling another ISP's NOC, and sometimes this is done with automated methods like announcing a /32 to them over BGP tagged with a special "discard" extended community.
Whatever happens, unless your ISP loves you, or you pay them a lot more than a typical home user, they are going to disconnect you until the attack stops.
|
On September 04 2012 06:11 Hryul wrote: I think the arguments may be easily settled if somebody would run a test.
Yup, what he said. I have absolutely no idea which side is correct, but the simplest way to resolve this is to test whether it can block a simple DDoS attack. It doesn't have to be a huge, elaborate setup to block an attack by dedicated hackers (from thousands of IP addresses), just sufficient to stop angry little kids with a bit of cash.
I dunno if this is feasible, but if you can trace which IP addresses are bombarding you, you can try to send that to the ISPs/police. If that fails, go to 4chan.
|
On September 04 2012 06:50 trGKakarot wrote: I feel like I just walked you through to understand how your system still doesn't work, and then you ignore that fact and tell me how it is the definition of a DDoS. For the record, I have an MS in Computer Science (granted my graduate research wasn't focused on network systems, but I feel like I have a reasonable grasp on this topic).
It's funny that you say that; I was under the impression that I was explaining DDoS to someone who was oblivious to networking.
|
On September 04 2012 06:52 LunaSea wrote: It's funny that you say that; I was under the impression that I was explaining DDoS to someone who was oblivious to networking.
He wasn't asking for an explanation. He was questioning your reasoning. It seems quite clear to me and several others in this thread.
|
If anyone is going to test this in practice:
1.) Make sure you have a sufficiently large source of DoS traffic to actually make a difference.
2.) Get permission from the ISP you are DoS'ing before you do it.
I can go throw a few tens of gigabits around, but, you know, I'm responsible and stuff.
|
On September 04 2012 06:45 Cinim wrote: Please, everyone, no one here seems to know at all what they are talking about, especially this Pumplekin guy; no offense, but you're not really anything close to an expert. He never said this was a perfect solution, especially because you have to block off connections to almost every server out there, so this is a solution that only works in very, very rare occasions. You guys are going on about how big this would be IF it worked, but if it does work, the fact that it's a whitelist, as he says, and not a blacklist is exactly why this isn't a great solution, unless you are in the unique situation where it is necessary. I suggest that people do one simple thing: actually test it out. Someone stream, someone intentionally try to DDoS him, and see if it works, rather than arguing constantly for no reason. Everyone who has worked with tech will know that nothing is ever certain when it's just theory.
What they are saying is that when what is supposedly choked is not your home router to begin with, home router settings don't matter.
I'm not a network guy, so I don't quite understand how, for example, 10 megabits per second of random data would choke a 100+ Mbps router; perhaps the OP can explain?
edit: Another question for the OP from a non-network guy like me:
Maximum incoming data bandwidth from my ISP to my home router is just a bit over 200 Mbps. If my IP is being sent, say, 5 Gbps of random data from a DDoS attacker, how will your home router filtering fix make it so that incoming data that is not from the DDoS attacker reaches my router?
|
Actually, if you own a website you can protect it from DDoS attacks, but you have to get web hosting from a specific hosting company that specializes in protecting data and hack prevention, such as DDoS-protected servers and/or web hosting. Pricing often depends on the bandwidth that you intend on using. Some plans that I have seen easily tack on $150-$350 per year just for the DDoS protection side of the service.
But just search "DDoS protected server hosting" on Google.com and you will find lots of companies.
Some of the companies have impressive measures for dealing with this issue. However, protecting your own IP from DDoS requires changes that the OP has recommended.
|
On September 04 2012 06:54 Akta wrote: What they are saying is that when what is supposedly choked is not your home router to begin with, home router settings don't matter. I'm not a network guy, so I don't quite understand how, for example, 10 megabits per second of random data would choke a 100+ Mbps router; perhaps the OP can explain? edit: Another question for the OP from a non-network guy like me: Maximum incoming data bandwidth from my ISP to my home router is just a bit over 200 Mbps. If my IP is being sent, say, 5 Gbps of random data from a DDoS attacker, how will your home router filtering fix make it so that incoming data that is not from the DDoS attacker reaches my router?
Router filtering won't fix anything. This is what we've been trying to explain to the OP for 4 pages now...
|
Yeah, DDoS protection is a specialist service, and it certainly isn't something you are going to get on a typical home user internet connection. It is part science and part art, and at the end of the day, if the attacker has a big enough botnet, it may well not be enough.
You can also outsource DDoS mitigation to someone like Prolexic, who have a bunch of options for DDoS mitigation, none of which are likely to be useful to a typical home streamer (but WILL be useful to someone with a real internet connection and some money, and a real loss to be measured if they are being DDoS'd).
If someone sold a DDoS-protected VPN service (that wasn't a joke), and you were happy to always use the VPN, this might be a useful product. Remember, though, you get what you pay for, and someone that's going to do a good job against a real attack isn't likely to be cheap (I've no idea what size attacks are hitting streamers).
|
On September 04 2012 06:43 Senx wrote: I had no idea we had so many network engineers on this website. Jesus Christ, so many convincing arguments from so many people..
To be fair, within the confines of the thread the OP has made an example situation, posters like pimple kin have replied with what would happen, and then he affirmed that would happen but still doesn't agree. Perhaps it's the bad English, but this seems pretty black and white.
The DDoS doesn't work on your router, it works on your ISP feeding to your router. So if the DDoS is 1 Gb, and you have less than that received from your ISP, the data will be discarded and you will only receive whatever your ISP is paid to give you. So, none of this can be solved by whitelisting, because the problem isn't at the router.
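|
The following is an added example, not code posted by anyone in this thread. It is a fluid-flow model of the point made just above and of the two-step ISP response described earlier (a /32 blackhole for the victim at the ISP edge, then source-side filtering by transit/peers). The numbers are constructed: 100 bots at 10 Mbit/s each (the 1 Gbit/s vs. 10 Mbit/s case from the argument), 1.5 Mbit/s of legitimate traffic from two made-up sources, and an assumed 10 Gbit/s ISP uplink. The mitigation names ("none", "whitelist", "rtbh", "upstream") are labels chosen for this example.

```python
"""Fluid-flow model of a volumetric DDoS against a home connection.

Constructed example: 100 bots at 10 Mbit/s each (1 Gbit/s total) aimed at a
victim on a 10 Mbit/s access link, plus 1.5 Mbit/s of legitimate traffic.
The ISP's internal capacity (10 Gbit/s) is an assumption for the example."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str      # sender label (constructed)
    mbps: float   # offered rate in Mbit/s
    legit: bool   # True for traffic the victim actually wants


def forward(flows, capacity_mbps):
    """Carry flows across a link of fixed capacity.

    A congested FIFO link drops excess traffic without regard to who sent it,
    so every sender keeps the same fraction capacity/offered of its rate."""
    offered = sum(f.mbps for f in flows)
    if offered <= capacity_mbps:
        return list(flows)
    share = capacity_mbps / offered
    return [Flow(f.src, f.mbps * share, f.legit) for f in flows]


def home_router_whitelist(flows, allowed):
    """The OP's proposal: accept only known-good sources at the home router."""
    return [f for f in flows if f.src in allowed]


def isp_blackhole_victim(flows):
    """Step 1 of the ISP response: a /32 discard route for the victim.
    Every packet for that address, good or bad, is dropped at the ISP edge."""
    return []


def upstream_source_filter(flows, bad_sources):
    """Step 2: transit/peers discard attack traffic before it reaches the ISP."""
    return [f for f in flows if f.src not in bad_sources]


def legit_mbps(flows):
    return sum(f.mbps for f in flows if f.legit)


def simulate(mitigation, access_mbps=10.0, attack_mbps=1000.0, bots=100,
             isp_uplink_mbps=10_000.0):
    """Return delivered legitimate and total Mbit/s on the victim's LAN side.

    mitigation is one of "none", "whitelist", "rtbh", "upstream"
    (labels chosen for this example)."""
    attack = [Flow(f"bot{i}", attack_mbps / bots, False) for i in range(bots)]
    legit = [Flow("twitch", 1.0, True), Flow("friend", 0.5, True)]
    flows = attack + legit

    # Hop 1: transit/peer -> ISP. Upstream filtering happens before this hop.
    if mitigation == "upstream":
        flows = upstream_source_filter(flows, {f.src for f in attack})
    flows = forward(flows, isp_uplink_mbps)

    # Hop 2: ISP edge router. RTBH discards everything destined to the victim.
    if mitigation == "rtbh":
        flows = isp_blackhole_victim(flows)

    # Hop 3: ISP -> home access link. This is where the congestion happens.
    flows = forward(flows, access_mbps)

    # Hop 4: home router. Whatever it drops has already used up the access link.
    if mitigation == "whitelist":
        flows = home_router_whitelist(flows, {"twitch", "friend"})

    return {"legit_mbps": legit_mbps(flows),
            "total_mbps": sum(f.mbps for f in flows)}


if __name__ == "__main__":
    for m in ("none", "whitelist", "rtbh", "upstream"):
        r = simulate(m)
        print(f"{m:10s} legit={r['legit_mbps']:.3f} Mbit/s  "
              f"total={r['total_mbps']:.3f} Mbit/s")
```

With no mitigation the victim's 10 Mbit/s link carries about 0.015 Mbit/s of wanted traffic; the home-router whitelist leaves that figure unchanged, because the drop already happened on the access link one hop upstream. The ISP's /32 blackhole delivers nothing at all (the victim is offline, but the rest of the ISP is protected), and only filtering at the attack sources restores the full 1.5 Mbit/s. Passing `access_mbps=200.0, attack_mbps=5000.0` reproduces the 200 Mbps / 5 Gbps question asked earlier in the thread with the same outcome.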
|
If somebody DDoSes my DSL connection, changing my home router settings would not magically turn my phone wires into fiber.
|
Maybe someone should draw a picture. I find pictures often do help when words seem to fail to reach their target. Maybe something nice with cars and a road maybe, just something that connects on a more basic understanding.
|
This is no solution, and it does not need to be tested because the concept itself is fundamentally flawed.
edit: came off a bit dickier than I intended.
|
On September 04 2012 07:46 maoiste wrote: Maybe someone should draw a picture. I find pictures often do help when words seem to fail to reach their target. Maybe something nice with cars and a road, maybe, just something that connects on a more basic understanding.
If I got some technical detail wrong someone will hopefully correct me.
edit: couple of clarifications
|
On September 04 2012 08:26 Akta wrote: If I got some technical detail wrong someone will hopefully correct me. ![[image loading]](http://i.imgur.com/wop6L.png)
All wrong.
The internet is NOT a big truck; it's a series of tubes.
|
Is there any reason (legal?) Twitch doesn't offer VPN accounts for their Premium Streamers? They already have the bandwidth to dwarf most attacks. And people might be less inclined to fuck with a company.
|
On September 04 2012 08:26 Akta wrote: If I got some technical detail wrong someone will hopefully correct me. ![[image loading]](http://i.imgur.com/Joy2t.png)
There should not be a car accident blocking the road.
|
I know nothing about DDoS, but Pumplekin's posts have the best grammar, so I guess he's right. -_-
|