|
Moderator note: The instructions in this thread will do nothing to protect you from a DDoS attack. The only way to prevent an attack is to avoid your IP address becoming public. |
Hello everyone,
Introduction :
For people who don't know what a DDoS is, you might want to read the Wikipedia article first: Wikipedia - Denial of service attack. tl;dr: a cyber attack that consists of spamming the target with generally chunked or invalid messages. After a while the target's router can't handle the traffic, generating a lot of lag and sometimes overheating the router.
Two days ago I read that JP "itmejp" McDaniel got DDoS'ed while streaming his show "Real Talk" with Dan "Artosis" Stemkoski. This is not the first time that a stream or a tournament gets interrupted by this type of attack. Some of the best-known victims include team Evil Geniuses (EG), the "Real Talk" show, Destiny and countless tournaments like the "Gigabyte eSports LAN Invitational". I think that in the future they will only get more frequent, thus threatening eSports' stability.
This post is mainly addressed to streamers, players and tournaments who rely on a stable Internet connection. It will try to explain one way of protecting yourself from DDoS.
Dilemma :
When you talk about a DDoS attack where your website is the victim, you can't do much about it. There is no tool or technique that will protect you from being DDoS'ed again. The best the market has to offer at the moment is tools that mitigate the attacks, plus buying more bandwidth to withstand the attack. Blocking IP addresses isn't a solution either, because every IP address connecting to your site could be a legitimate visitor or customer. So yeah, pretty grim situation ...
BUT you (streamer / player / tournament) are not a website, which means that not every IP address has to be able to connect to your router. The only IP addresses you really need to allow are those of Twitch.tv or Owned3D.tv (streams) and Starcraft II (or whatever other game you play).
How it works :
The solution is based on two "configuration modes" your router will run on.
- The "default mode": these are the default settings of your router. It's what you are using now.
- The "restricted mode": which will block every IP address that is not a "vital" service. This mode will only be activated when you are streaming or playing.
The way you should use it is like this :
1) I'm browsing the Internet -> "default mode"
2) I'm going to stream -> "restricted mode"
3) I stopped streaming -> back to "default mode"
By "vital service", I mean software that is in these categories :
- streaming: Twitch.tv, Owned3D.tv, etc.
- communication: Skype, Raid Call, TeamSpeak, Ventrilo, Mumble, etc.
- gaming: Starcraft (battle.net 2.0 in general), DotA, LoL, etc.
- top sites: Google, Team Liquid, Reddit, Twitter, Facebook, etc.
If a website is not in the white-list and you are in "restricted mode", you simply won't be able to reach it!
Using a program I wrote, you can generate the IP address ranges that you then simply copy & paste into your router.
tl;dr: So basically it's an IP address filter that uses a white-list system rather than a black-list system.
Installation :
1) Download Node.js from nodejs.org (choose the version for your operating system).
2) Once you have downloaded the program, install it.
3) Now download server.js from mediafire and copy the file to your desktop.
4) For Windows: click on "Start", type "cmd" and press ENTER. For Ubuntu: click on "Dash Home" and search for "terminal".
5) Then, in the command prompt, type: "cd c:\documents and settings\<your user name here>\desktop"
6) Now type: "node server.js"
7) In a new browser tab navigate to: http://127.0.0.1:8080
8) Follow the instructions on the page, submit and wait for 1 - 3 minutes.
9) Once you get redirected to the page with the white-list IP ranges, browse to http://192.168.1.1 (which is usually the address of your router).
10) Log in using your router's username & password. If you don't know it, try a blank username & password. Otherwise you can probably find it in the manual you got when buying the router, or you can google the default username & password for your router brand / model.
11) When you're logged in, find the menu which gives you the possibility to block a certain range of IP addresses and enter all the ranges returned by the website.
12) Congrats! You are now in "restricted mode".
To go back to "default mode", just remove all the IP ranges you added in step 11.
Technical details :
Since your router still has to block packets (messages) coming from banned IPs, it will still use some resources, but this is nothing compared to a real DDoS, where your router has to inspect each packet to verify its validity (valid IP packet? valid TCP packet? valid HTTP/S packet? etc.).
In addition to that, the white-list system prevents your router's packet caching window from being polluted with DDoS packets.
The program is written in Node.js (server-side JavaScript). It's asynchronous and uses non-blocking I/O.
The program is a combination of a small http server, a parser and a DNS resolver.
The program is functional but lacks options; one of the objectives is to add them in future "releases". More changes have to be made to speed up the program and make it more convenient / easy to use.
In particular, one issue I have is with the "add web site" feature (the second textarea in the html page) that lets people white-list some of the key websites they often use. The way this works is that the user input gets parsed, then, for each domain, it sends a DNS resolution request and waits for the answer containing the IP addresses of all the servers the site is using. For example:
- If you have 100 websites you want to white-list, the program, since it's async, will instantly send 100 DNS requests without waiting for the answer to the previous one.
What happens is that after +/- 20 concurrent requests (on my Linux box) the next DNS requests will fail, probably because the network card / DNS server is overloaded.
In the end, the best way would be to have a file (like a DNS table) that feeds the program all the IP ranges the websites operate on. If you want to know more about this read the "Contribution" section.
If you are using an external DNS server (like Google DNS or OpenDNS), you might want to add these IP addresses too. It might not be necessary, since the program already does the DNS requests once and the next time they should be cached, but you never know.
One feature I wanted to add is an auto-configuration of the router, like this:
- the user inputs his router's username & password
- the program ssh's into the router
- and changes the config files
Sadly almost every router is different, making it impossible to code.
I didn't test cross OS compatibility yet.
On the to-do list there is:
- Skype support. I'm not really sure what the best way is to achieve this. I'm probably going to write a function that will parse netstat results. If you have a better idea, don't hesitate to PM me !
- WinRAR the Node.js executable, the scripts and a batch file as a launcher that will run from the temp folder, so that people don't have to install Node.js.
Contribution :
If you want to contribute to the project, you could help me get this information so that I can add support for as many programs and websites as possible. I made a quick list of information that could help me add more options.
A list of all the domain names or server IP addresses of:
- Owned3D.tv
- Raid Call
- Battle.net 2.0
- DotA
- LoL
To make the DNS requests I'm using a CSV file (Comma Separated Values) of the top 500 domains that gets parsed by a Node.js script. I haven't yet been able to generate a table with all the IP addresses due to the restriction on the number of requests the program can make. (For more information read the "Technical details" part).
Here is the CSV and the script in question :
- Parser & DNS resolver : click here to download
- CSV data used : click here to download
Ideally, the goal would be to have a file containing the IP addresses of the top 1000 Alexa websites to make the white-list more practical.
Conclusion :
This is far from being a miracle solution to DDoS! You have to take into account that you only have to use the program in "emergency" cases. Especially for tournaments that have large networks they have to rely on and where: "no lag in game / on the stream" >>> "being able to browse every website there is on the Internet". And as data gets added, more websites will be supported, making the program a lot more convenient to use!
I hope that this program will be helpful to as many people as possible! If you have questions or need more details, PM me or simply post in this thread! ^^
EDIT : Here is a link with more advice to mitigate DDoS effects : http://www.leaguepedia.com
-- LunaSea
PS : Sorry for the wall of text and the lack of English vocabulary ! :D
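The range arithmetic the post describes (white-list entries in, ranges for the router's block list out), as an added example that is not the OP's server.js and is not code from anyone in this thread. It assumes white-list entries arrive as single addresses, CIDR blocks or "from-to" pairs (domains already resolved to addresses, e.g. from the DNS-table file mentioned under "Technical details"); every function name is mine, and the sample white-list uses the reserved documentation ranges 192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24, not the servers of any real service.

```javascript
// Added example (not the OP's server.js): whitelist in, ranges-to-block out.
// Plain Node.js, no dependencies. Arithmetic uses Numbers (exact below 2^53)
// rather than 32-bit bitwise operators so 2^32-sized values never go negative.

const MAX_IP = 2 ** 32 - 1; // 255.255.255.255

function ipToInt(ip) {
  const parts = String(ip).trim().split('.');
  if (parts.length !== 4) throw new Error(`bad IPv4 address: ${ip}`);
  return parts.reduce((acc, p) => {
    if (!/^\d{1,3}$/.test(p) || Number(p) > 255) throw new Error(`bad IPv4 address: ${ip}`);
    return acc * 256 + Number(p);
  }, 0);
}

function intToIp(n) {
  return [24, 16, 8, 0].map((shift) => Math.floor(n / 2 ** shift) % 256).join('.');
}

// One whitelist entry ("a.b.c.d", "a.b.c.d/n" or "a.b.c.d-e.f.g.h") -> inclusive [start, end].
function parseEntry(entry) {
  const s = String(entry).trim();
  if (s.includes('/')) {
    const [base, bitsStr] = s.split('/');
    const bits = Number(bitsStr);
    if (!Number.isInteger(bits) || bits < 0 || bits > 32) throw new Error(`bad prefix length: ${s}`);
    const size = 2 ** (32 - bits);
    const start = Math.floor(ipToInt(base) / size) * size; // snap to the network boundary
    return [start, start + size - 1];
  }
  if (s.includes('-')) {
    const [a, b] = s.split('-');
    const start = ipToInt(a);
    const end = ipToInt(b);
    if (start > end) throw new Error(`reversed range: ${s}`);
    return [start, end];
  }
  const v = ipToInt(s);
  return [v, v];
}

// Sort and coalesce overlapping or adjacent ranges so the complement comes out clean.
function mergeRanges(ranges) {
  const sorted = ranges.map((r) => [r[0], r[1]]).sort((x, y) => x[0] - y[0]);
  const out = [];
  for (const [start, end] of sorted) {
    const last = out[out.length - 1];
    if (last && start <= last[1] + 1) last[1] = Math.max(last[1], end);
    else out.push([start, end]);
  }
  return out;
}

// Everything in 0.0.0.0-255.255.255.255 NOT covered by `allowed`: the block list.
function complementRanges(allowed) {
  const gaps = [];
  let cursor = 0;
  for (const [start, end] of mergeRanges(allowed)) {
    if (start > cursor) gaps.push([cursor, start - 1]);
    cursor = end + 1;
  }
  if (cursor <= MAX_IP) gaps.push([cursor, MAX_IP]);
  return gaps;
}

// Split an inclusive range into the minimal list of CIDR prefixes, for routers
// whose block list only accepts prefixes rather than from-to pairs.
function rangeToCidrs(start, end) {
  const out = [];
  while (start <= end) {
    let bits = 32;
    // Widen the prefix while the block stays aligned at `start` and inside `end`.
    while (bits > 0) {
      const size = 2 ** (32 - (bits - 1));
      if (start % size !== 0 || start + size - 1 > end) break;
      bits -= 1;
    }
    out.push(`${intToIp(start)}/${bits}`);
    start += 2 ** (32 - bits);
  }
  return out;
}

// Whitelist entries in -> block list out, as from-to pairs plus the CIDR equivalent.
function blockListFor(whitelist) {
  return complementRanges(whitelist.map(parseEntry)).map(([start, end]) => ({
    from: intToIp(start),
    to: intToIp(end),
    cidr: rangeToCidrs(start, end),
  }));
}

// Constructed sample whitelist using reserved documentation ranges, not any real service.
const sampleWhitelist = ['203.0.113.0/24', '198.51.100.10-198.51.100.20', '192.0.2.7'];
for (const r of blockListFor(sampleWhitelist)) {
  console.log(`block ${r.from} - ${r.to}  (${r.cidr.length} CIDR prefixes)`);
}
```

The complement of a short white-list is a long block list: the sample above yields four from-to ranges but many more CIDR prefixes, so check which form the router's "block IP range" page accepts before pasting, and remember that a router with a per-rule limit may not take the whole list.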
|
wow, nice work. Seems like this could help a lot of people out.
|
I'm not meaning to be offensive here, but the vast majority of this advice is just straight up wrong to the point it isn't worth reading.
Blocking a denial of service attack on a home based router is going to do nothing, the problem is the buffer in whatever access device lives at your ISP. If you have 10mbit downstream at home and you want to use it all, and I'm throwing 1gbit of garbage at your IP address, only around 1 in 100 of your legitimate packets is going to make it, the rest are going to be discarded before they even get to your home router, so no matter what filtering you apply on it, it isn't going to help you.
The real solutions to DDoS for the home streamer are :-
1.) Don't leak your IP address (and stuff like IRC without host hiding, Skype and other IM programs and I'm sure many other things can make this hard to do).
2.) Don't anger the internet bad guys (yeah, sometimes that is just impossible).
3.) Be very friendly with your ISP support staff (as the standard ISP response to a major DDoS is going to be to null route at the ISP's borders to protect other customers).
|
this is a great post, keep it bumped
|
On September 04 2012 05:07 Pumplekin wrote: I'm not meaning to be offensive here, but the vast majority of this advice is just straight up wrong to the point it isn't worth reading.
Blocking a denial of service attack on a home based router is going to do nothing, the problem is the buffer in whatever access device lives at your ISP. If you have 10mbit downstream at home and you want to use it all, and I'm throwing 1gbit of garbage at your IP address, only around 1 in 100 of your legitimate packets is going to make it, the rest are going to be discarded before they even get to your home router, so no matter what filtering you apply on it, it isn't going to help you.
The real solutions to DDoS for the home streamer are :-
1.) Don't leak your IP address.
2.) Don't anger the internet bad guys (yeah, sometimes that is just impossible).
3.) Be very friendly with your ISP support staff.
I'm sorry but you are plainly wrong. Two points I want to make :
1) When we talk about "Denial of Service" attacks in eSports, it's generally kids paying to rent a few computers on the Internet.
2) You can send 1Gbit of garbage packets if you want, but if my router blocks your IP address I will easily survive the attack even with a home router.
3) The bottleneck is your router not what's before (your ISP's wires).
|
On September 04 2012 05:07 Pumplekin wrote: I'm not meaning to be offensive here, but the vast majority of this advice is just straight up wrong to the point it isn't worth reading.
Blocking a denial of service attack on a home based router is going to do nothing, the problem is the buffer in whatever access device lives at your ISP. If you have 10mbit downstream at home and you want to use it all, and I'm throwing 1gbit of garbage at your IP address, only around 1 in 100 of your legitimate packets is going to make it, the rest are going to be discarded before they even get to your home router, so no matter what filtering you apply on it, it isn't going to help you.
The real solutions to DDoS for the home streamer are :-
1.) Don't leak your IP address (and stuff like IRC without host hiding, Skype and other IM programs and I'm sure many other things can make this hard to do).
2.) Don't anger the internet bad guys (yeah, sometimes that is just impossible).
3.) Be very friendly with your ISP support staff (as the standard ISP response to a major DDoS is going to be to null route at the ISP's borders to protect other customers).
Pretty sure there is no way to discover IPs through Skype/other IM services; if there were, there would be huge news about it.
|
On September 04 2012 05:13 Tao367 wrote:
On September 04 2012 05:07 Pumplekin wrote: I'm not meaning to be offensive here, but the vast majority of this advice is just straight up wrong to the point it isn't worth reading.
Blocking a denial of service attack on a home based router is going to do nothing, the problem is the buffer in whatever access device lives at your ISP. If you have 10mbit downstream at home and you want to use it all, and I'm throwing 1gbit of garbage at your IP address, only around 1 in 100 of your legitimate packets is going to make it, the rest are going to be discarded before they even get to your home router, so no matter what filtering you apply on it, it isn't going to help you.
The real solutions to DDoS for the home streamer are :-
1.) Don't leak your IP address (and stuff like IRC without host hiding, Skype and other IM programs and I'm sure many other things can make this hard to do).
2.) Don't anger the internet bad guys (yeah, sometimes that is just impossible).
3.) Be very friendly with your ISP support staff (as the standard ISP response to a major DDoS is going to be to null route at the ISP's borders to protect other customers).
Pretty sure there is no way to discover IPs through Skype/other IM services; if there were, there would be huge news about it.
There is actually a way with the netstat command.
|
If I'm wrong and this solution works, you have invented something that will make you very rich. I'd suggest you head to the patent office right away! I've got a lot of real life experience mitigating large scale DDoS attacks, and if what you are suggesting works, trust me, I would already be doing it.
Sadly, I am totally correct, and your method does next to nothing. Your router still has to discard the packets, which means it has to receive the packets, which means your internet pipe is being saturated to the point of being unusable.
|
I'm going to add the link to my post.
|
On September 04 2012 05:13 Tao367 wrote:
On September 04 2012 05:07 Pumplekin wrote: I'm not meaning to be offensive here, but the vast majority of this advice is just straight up wrong to the point it isn't worth reading.
Blocking a denial of service attack on a home based router is going to do nothing, the problem is the buffer in whatever access device lives at your ISP. If you have 10mbit downstream at home and you want to use it all, and I'm throwing 1gbit of garbage at your IP address, only around 1 in 100 of your legitimate packets is going to make it, the rest are going to be discarded before they even get to your home router, so no matter what filtering you apply on it, it isn't going to help you.
The real solutions to DDoS for the home streamer are :-
1.) Don't leak your IP address (and stuff like IRC without host hiding, Skype and other IM programs and I'm sure many other things can make this hard to do).
2.) Don't anger the internet bad guys (yeah, sometimes that is just impossible).
3.) Be very friendly with your ISP support staff (as the standard ISP response to a major DDoS is going to be to null route at the ISP's borders to protect other customers).
Pretty sure there is no way to discover IPs through Skype/other IM services; if there were, there would be huge news about it.
I'm pretty sure that you know nothing and in fact you can obtain IP addresses through almost ANY program that allows you to connect to someone else. There doesn't need to be "huge" news about it because most people already know about it.
On September 04 2012 05:07 Pumplekin wrote: I'm not meaning to be offensive here, but the vast majority of this advice is just straight up wrong to the point it isn't worth reading.
Blocking a denial of service attack on a home based router is going to do nothing, the problem is the buffer in whatever access device lives at your ISP. If you have 10mbit downstream at home and you want to use it all, and I'm throwing 1gbit of garbage at your IP address, only around 1 in 100 of your legitimate packets is going to make it, the rest are going to be discarded before they even get to your home router, so no matter what filtering you apply on it, it isn't going to help you.
The real solutions to DDoS for the home streamer are :-
1.) Don't leak your IP address (and stuff like IRC without host hiding, Skype and other IM programs and I'm sure many other things can make this hard to do).
2.) Don't anger the internet bad guys (yeah, sometimes that is just impossible).
3.) Be very friendly with your ISP support staff (as the standard ISP response to a major DDoS is going to be to null route at the ISP's borders to protect other customers).
His post isn't incorrect. Typically though a DDOS attack does not come from just one IP, so it would be better for someone to have access to several internet connections (high monthly bill) or to be able to switch their IP on the fly.
You can't stop people in most situations from obtaining your IP. You can't make angry kids happy as a streamer. You can be on good terms with your ISP.
On September 04 2012 05:19 Pumplekin wrote: If I'm wrong and this solution works, you have invented something that will make you very rich. I'd suggest you headed to the patent office right away !. I've got a lot of real life experience mitigating large scale DDoS attacks, and if what you are suggesting works, trust me, I would already be doing it.
Sadly, I am totally correct, and your method does next to nothing. Your router still has to discard the packets, which means it has to receive the packets, which means your internet pipe is being saturated to the point of being unusable.
Did you actually test the method vs a DDOS attack? I don't know how the program works, but if it were to disallow a connection the packets would be simply lost, and not received and then denied.
|
On September 04 2012 05:19 Pumplekin wrote: If I'm wrong and this solution works, you have invented something that will make you very rich. I'd suggest you headed to the patent office right away !. I've got a lot of real life experience mitigating large scale DDoS attacks, and if what you are suggesting works, trust me, I would already be doing it.
Sadly, I am totally correct, and your method does next to nothing. Your router still has to discard the packets, which means it has to receive the packets, which means your internet pipe is being saturated to the point of being unusable.
Again, like I said in my post, yes, your router still has to discard the packets, but it is vastly faster than what your router usually does, which is inspecting the complete packet and checking every protocol requirement and checksum.
The reason nobody does this is that it's impractical for websites, because you don't know if an IP is a visitor or an attacker. Some sites have already implemented this by banning the IPs of whole countries (generally Middle Eastern countries, India, China, etc.) to prevent DDoS attacks coming from that direction.
|
A lot of the leaguepedia advice makes sense, but some of the stuff about TCPview isn't likely to be useful.
If I was DDoS'ing a typical home user, the home users PC would never see the traffic because it would be dropped by the router (for not matching any valid NAT table entries).
If you have an atypical setup (say you plug directly into a cable modem without a router), then TCPview/Wireshark and the like would be useful tools to look at the garbage being sent at you (not that it would help you do much about it).
|
On September 04 2012 05:21 NoobSkills wrote: Did you actually test the method vs a DDOS attack? I don't know how the program works, but if it were to disallow a connection the packets would be simply lost, and not received and then denied.
No, I did not test it against a DDoS attack yet.
The way the program works is the following :
- you set a number of websites / online software / individual IP addresses you want to white-list
- the program generates a bunch of IP address ranges your router should block
- you add all those ranges to the router
Now when you receive a packet, the router checks the sender's IP address and looks whether it's part of the white-list. If it's not, the connection is denied and the packet is discarded and lost.
|
As you say, blocking attacking addresses (or potential attacking addresses) on your CPE is likely to mean it takes less CPU cycles (assuming it is doing this in software) to decide to discard the packet, but the problem isn't the CPU on your CPE, the problem is the TX buffer at whatever you connect to at your ISP.
You still haven't explained how you solve the problem of this being full 100% of the time (and therefore it discarding packets, either by tail drop or RED or WRED or whatever strategy it uses to manage full buffers).
|
On September 04 2012 05:30 Pumplekin wrote: A lot of the leaguepedia advice makes sense, but some of the stuff about TCPview isn't likely to be useful.
If I was DDoS'ing a typical home user, the home users PC would never see the traffic because it would be dropped by the router (for not matching any valid NAT table entries).
If you have an atypical setup (say you plug directly into a cable modem without a router), then TCPview/Wireshark and the like would be useful tools to look at the garbage being sent at you, not that it would help you do much about it).
Yes, I definitely agree with this. The only reason I added the link is to give people as much information as possible on how to mitigate (not fully protect against) a DDoS attack.
|
On September 04 2012 05:13 LunaSea wrote:
On September 04 2012 05:07 Pumplekin wrote: I'm not meaning to be offensive here, but the vast majority of this advice is just straight up wrong to the point it isn't worth reading.
Blocking a denial of service attack on a home based router is going to do nothing, the problem is the buffer in whatever access device lives at your ISP. If you have 10mbit downstream at home and you want to use it all, and I'm throwing 1gbit of garbage at your IP address, only around 1 in 100 of your legitimate packets is going to make it, the rest are going to be discarded before they even get to your home router, so no matter what filtering you apply on it, it isn't going to help you.
The real solutions to DDoS for the home streamer are :-
1.) Don't leak your IP address.
2.) Don't anger the internet bad guys (yeah, sometimes that is just impossible).
3.) Be very friendly with your ISP support staff.
I'm sorry but you are plainly wrong. Two points I want to make:
1) When we talk about "Denial of Service" attacks in eSports, it's generally kids paying to rent a few computers on the Internet.
2) You can send 1Gbit of garbage packets if you want, but if my router blocks your IP address I will easily survive the attack even with a home router.
3) The bottleneck is your router, not what's before (your ISP's wires).
I'm sorry but you don't know what you are talking about.
The first criticism of your suggestion was correct.
However, what you said would help ... the problem though is that your connection is STILL clogged even if your network won't be.
That said some of what you said is decent security advice.
ANYONE with an up connection as large as your down can saturate your connection. It's not hard, it's not clever and there is next to nothing you can do about it from behind a router.
|
Wait - so all you did was make a switch to a white-list ACL to save CPU cycles of a router? That's essentially worthless - router CPUs are not overburdened during a DDoS attack. The network resources are.
|
On September 04 2012 05:38 pmp10 wrote: Wait - so all you did was make a switch to a white-list ACL to save CPU cycles of a router? That's essentially worthless - router CPUs are not overburdened during a DDoS attack. The network resources are.
Yes that's why you have a white-list, so that your tcp window won't be full of corrupted packets.
|
Sadly, while you are using technical words, I don't think you really know exactly what they mean.
I'd suggest stopping digging a bigger hole for yourself and be thankful TL is a relatively nice and friendly place
|
On September 04 2012 05:41 LunaSea wrote:
On September 04 2012 05:38 pmp10 wrote: Wait - so all you did was make a switch to a white-list ACL to save CPU cycles of a router? That's essentially worthless - router CPUs are not overburdened during a DDoS attack. The network resources are.
Yes that's why you have a white-list, so that your tcp window won't be full of corrupted packets.
Your TCP connection (window?) will receive only what gets through the ISP/buffers etc. So essentially not much - certainly very little of what you are hoping for.
|
On September 04 2012 05:46 Pumplekin wrote:Sadly, while you are using technical words, I don't think you really know exactly what they mean. I'd suggest stopping digging a bigger hole for yourself and be thankful TL is a relatively nice and friendly place 
1) - Look at the code. 2) - Come back later
When your best advice is : "be nice to your ISP", I don't think you can consider yourself qualified. Nice contribution btw.
|
On September 04 2012 05:47 pmp10 wrote:
On September 04 2012 05:41 LunaSea wrote:
On September 04 2012 05:38 pmp10 wrote: Wait - so all you did was make a switch to a white-list ACL to save CPU cycles of a router? That's essentially worthless - router CPUs are not overburdened during a DDoS attack. The network resources are.
Yes that's why you have a white-list, so that your tcp window won't be full of corrupted packets.
Your TCP connection (window?) will receive only what gets through the ISP/buffers etc. So essentially not much - certainly very little of what you are hoping for.
The TCP window is a buffer. Nice try mister professional.
And your router definitely gets A LOT of packets in a DDoS situation.
|
On September 04 2012 05:51 LunaSea wrote:
On September 04 2012 05:46 Pumplekin wrote: Sadly, while you are using technical words, I don't think you really know exactly what they mean. I'd suggest stopping digging a bigger hole for yourself and be thankful TL is a relatively nice and friendly place
1) - Look at the code. 2) - Come back later
When your best advice is: "be nice to your ISP", I don't think you can consider yourself qualified. Nice contribution btw.
I've seen this before in so many threads. People post long OPs about an issue and how to solve it, yet when they're shot down by people with more knowledge they get very defensive.
I'm sorry but this isn't a solution to the problem, dude.
On September 04 2012 05:51 LunaSea wrote:
On September 04 2012 05:47 pmp10 wrote:
On September 04 2012 05:41 LunaSea wrote:
On September 04 2012 05:38 pmp10 wrote: Wait - so all you did was make a switch to a white-list ACL to save CPU cycles of a router? That's essentially worthless - router CPUs are not overburdened during a DDoS attack. The network resources are.
Yes that's why you have a white-list, so that your tcp window won't be full of corrupted packets.
Your TCP connection (window?) will receive only what gets through the ISP/buffers etc. So essentially not much - certainly very little of what you are hoping for.
The TCP window is a buffer. Nice try mister professional. And your router definitely gets A LOT of packets in a DDoS situation.
He's talking about the transmit buffers on network equipment, not TCP buffers. Your TCP window won't even get much of anything, as equipment on the ISP side will drop packets before they even reach the router.
|
I don't really get the point of this solution, any normal "home" router will block wan requests by default. All you do is setup a whitelist so all other requests are discarded. ...correct?
You say normally the router will inspect the complete packet and test against any protocol, but there is no point in that (and no router does that <.<). Unless you started the session the firewall should just block the packet, so you won't need to do more than check the session table. tl;dr spi?
|
Not really sure how this helps the actual problem...
|
On September 04 2012 05:56 Nightwatch wrote: I don't really get the point of this solution, any normal "home" router will block wan requests by default. All you do is setup a whitelist so all other requests are discarded. ...correct?
You say normally the router will inspect the complete packet and test against any protocol, but there is no point in that (and no router does that <.<). Unless you started the session the firewall should just block the packet, so you won't need to do more than check the session table. tl;dr; spi?
Yup, it won't be in the NAT table, so it will go in the bin by default. ACL'ing it MAY save a tiny bit of CPU (it might not, it depends on how the CPE is designed).
If you are talking IPv6, or a non-NAT'ing connection, things would be different, but I think we can safely assume almost everyone is using IPv4 and NAT on the CPE (and mostly I have been in this thread).
I'm also starting to suspect this may be a massive troll thread. At least I'm hoping it is
|
On September 04 2012 05:56 Nightwatch wrote: I don't really get the point of this solution, any normal "home" router will block wan requests by default. All you do is setup a whitelist so all other requests are discarded. ...correct?
You say normally the router will inspect the complete packet and test against any protocol, but there is no point in that (and no router does that <.<). Unless you started the session the firewall should just block the packet, so you won't need to do more than check the session table. tl;dr; spi?
Yes, but how does the firewall know if this packet isn't starting a session ? The router has to look at the packet and see if this is a valid packet that is actually starting a session in one of the supported protocols.
|
On September 04 2012 05:51 LunaSea wrote:
On September 04 2012 05:47 pmp10 wrote:
On September 04 2012 05:41 LunaSea wrote:
On September 04 2012 05:38 pmp10 wrote: Wait - so all you did was make a switch to a white-list ACL to save CPU cycles of a router? That's essentially worthless - router CPUs are not overburdened during a DDoS attack. The network resources are.
Yes that's why you have a white-list, so that your tcp window won't be full of corrupted packets.
Your TCP connection (window?) will receive only what gets through the ISP/buffers etc. So essentially not much - certainly very little of what you are hoping for.
The TCP window is a buffer. Nice try mister professional.
Pretty sure it isn't. Last I recall a buffer was a kind of memory while a window was part of a TCP packet, but maybe things have changed.
|
On September 04 2012 06:01 LunaSea wrote:
On September 04 2012 05:56 Nightwatch wrote: I don't really get the point of this solution, any normal "home" router will block wan requests by default. All you do is setup a whitelist so all other requests are discarded. ...correct?
You say normally the router will inspect the complete packet and test against any protocol, but there is no point in that (and no router does that <.<). Unless you started the session the firewall should just block the packet, so you won't need to do more than check the session table. tl;dr; spi?
Yes, but how does the firewall know if this packet isn't starting a session? The router has to look at the packet and see if this is a valid packet that is actually starting a session in one of the supported protocols.
Simple, you don't start a new session from outside of the network.
|
By default (without any port forwarding, DMZ setup, or UPNP or anything like that), a typical home CPE will not allow anything to setup an inbound connection. It will simply look at the NAT table, check if an entry matches, if it does it will NAT and forward it, if it doesn't, it will discard it. Port Forwarding, DMZ's + UPNP basically are just other methods of setting up NAT rules.
Still, your ISP's access kit has a full TX buffer, and you still haven't fixed that.
|
On September 04 2012 06:06 pmp10 wrote: On September 04 2012 05:51 LunaSea wrote: On September 04 2012 05:47 pmp10 wrote: On September 04 2012 05:41 LunaSea wrote: On September 04 2012 05:38 pmp10 wrote: Wait - so all you did was make a switch to a white-list ACL to save CPU cycles of a router? That's essentially worthless - router CPUs are not overburdened during a DDoS attack. The network resources are. Yes that's why you have a white-list, so that your tcp window won't be full of corrupted packets. Your tcp connection (window?) will receive only what gets through the ISP/buffers etc. So essentially not much - certainly very little of what you are hoping for. The TCP window is a buffer. Nice try mister professional. Pretty sure it isn't. Last I recall buffer was a kind of a memory while a window a part of TCP packet but maybe things have changed.
The simplest way of considering the window size is that it indicates the size of the device's receive buffer for the particular connection.
-- http://www.tcpipguide.com/free/t_TCPWindowSizeAdjustmentandFlowControl.htm
plz ...
|
I think the arguments may be easily settled if somebody would run a test.
|
I will admit I only skimmed this thread (since it seems like if somebody solved DDoS attacks they would be getting a lot more traction than a random thread on TL), but from what I gather the OP is assuming that an ISP will send an infinite amount of data to your router and filtering out bad IP addresses at your router level will solve the problem since then you only accept "x" amount of data?
|
On September 04 2012 06:13 trGKakarot wrote: I will admit I only skimmed this thread (since it seems like if somebody solved DDoS attacks they would be getting a lot more traction than a random thread on TL), but from what I gather the OP is assuming that an ISP will send an infinite amount of data to your router and filtering out bad IP addresses at your router level will solve the problem since then you only accept "x" amount of data?
Yes, except it's not your ISP sending the data originally, but a bunch of hacked computers rented by a random kid.
|
Sorry to say it this straight, but what the OP says is definitely wrong to a large degree. There's no way you can defend against DDoS by filtering packets on your router. The network bandwidth will still be blocked no matter if you filter or not, it makes almost no difference. The only thing that saves you is hiding your IP address.
|
TCP windowing is part of how TCP does flow control. You can find plenty of good guides to it on the internet, and this is reasonable starting point (http://packetlife.net/blog/2010/aug/4/tcp-windows-and-window-scaling/).
There is quite a lot to know about TCP really, I'm far from an expert in the real ins and outs of it, it is a surprisingly deep topic for something that mostly "just works" (although I'm more than happy to answer any questions up to my knowledge level).
|
On September 04 2012 06:15 LunaSea wrote: On September 04 2012 06:13 trGKakarot wrote: I will admit I only skimmed this thread (since it seems like if somebody solved DDoS attacks they would be getting a lot more traction than a random thread on TL), but from what I gather the OP is assuming that an ISP will send an infinite amount of data to your router and filtering out bad IP addresses at your router level will solve the problem since then you only accept "x" amount of data? Yes, except it's not your ISP sending the data originally, but a bunch of hacked computers rented by a random kid.
Right, but you are only connected to the outside world through your ISP (unless they are somehow on your intranet, which means you have a bigger problem).
Maybe I am missing something...
|
On September 04 2012 06:17 trGKakarot wrote: On September 04 2012 06:15 LunaSea wrote: On September 04 2012 06:13 trGKakarot wrote: I will admit I only skimmed this thread (since it seems like if somebody solved DDoS attacks they would be getting a lot more traction than a random thread on TL), but from what I gather the OP is assuming that an ISP will send an infinite amount of data to your router and filtering out bad IP addresses at your router level will solve the problem since then you only accept "x" amount of data? Yes, except it's not your ISP sending the data originally, but a bunch of hacked computers rented by a random kid. Right, but you are only connected to the outside world through your ISP (unless they are somehow on your intranet, which means you have a bigger problem). Maybe I am missing something...
Yes but what I meant is this :
A --> sends a packet to B --> who forwards it to C
Where :
A is the attacker, B your ISP, and C is you.
A is the one the packets originate from and B only forwards it to the destination indicated in the packet.
|
On September 04 2012 06:10 LunaSea wrote: On September 04 2012 06:06 pmp10 wrote: On September 04 2012 05:51 LunaSea wrote: On September 04 2012 05:47 pmp10 wrote: On September 04 2012 05:41 LunaSea wrote: On September 04 2012 05:38 pmp10 wrote: Wait - so all you did was make a switch to a white-list ACL to save CPU cycles of a router? That's essentially worthless - router CPUs are not overburdened during a DDoS attack. The network resources are. Yes that's why you have a white-list, so that your tcp window won't be full of corrupted packets. Your tcp connection (window?) will receive only what gets through the ISP/buffers etc. So essentially not much - certainly very little of what you are hoping for. The TCP window is a buffer. Nice try mister professional. Pretty sure it isn't. Last I recall buffer was a kind of a memory while a window a part of TCP packet but maybe things have changed. The simplest way of considering the window size is that it indicates the size of the device's receive buffer for the particular connection. -- http://www.tcpipguide.com/free/t_TCPWindowSizeAdjustmentandFlowControl.htm plz ... Please look up those terms somewhere more reputable. Gross oversimplification and completely mismatched definitions won't help your education. Buffer is about as much a TCP window as operating system is a RAM. TCP window can set buffer size but they are completely different things.
|
On September 04 2012 06:25 LunaSea wrote: On September 04 2012 06:17 trGKakarot wrote: On September 04 2012 06:15 LunaSea wrote: On September 04 2012 06:13 trGKakarot wrote: I will admit I only skimmed this thread (since it seems like if somebody solved DDoS attacks they would be getting a lot more traction than a random thread on TL), but from what I gather the OP is assuming that an ISP will send an infinite amount of data to your router and filtering out bad IP addresses at your router level will solve the problem since then you only accept "x" amount of data? Yes, except it's not your ISP sending the data originally, but a bunch of hacked computers rented by a random kid. Right, but you are only connected to the outside world through your ISP (unless they are somehow on your intranet, which means you have a bigger problem). Maybe I am missing something... Yes but what I meant is this : A --> sends a packet to B --> who forwards it to C Where : A is the attacker, B your ISP, and C is you. A is the one the packets originate from and B only forwards it to the destination indicated in the packet.
Why would that matter at all?
The thing is simply that some host in the internet bombs your IP with packets, and your ISP will forward all these packets until they reach your router. You are free to drop them at the router level, but the bottleneck is between you and your ISP. Filtering at the router has no effect whatsoever in the scenario of a (D)DoS as the bottleneck will also be choked no matter what you filter at the router.
|
On September 04 2012 05:13 Tao367 wrote: On September 04 2012 05:07 Pumplekin wrote: I'm not meaning to be offensive here, but the vast majority of this advice is just straight up wrong to the point it isn't worth reading.
Blocking a denial of service attack on a home based router is going to do nothing, the problem is the buffer in whatever access device lives at your ISP. If you have 10mbit downstream at home and you want to use it all, and I'm throwing 1gbit of garbage at your IP address, only around 1 in 100 of your legitimate packets is going to make it, the rest are going to be discarded before they even get to your home router, so no matter what filtering you apply on it, it isn't going to help you.
The real solutions to DDoS for the home streamer are :-
1.) Don't leak your IP address (and stuff like IRC without host hiding, Skype and other IM programs and I'm sure many other things can make this hard to do).
2.) Don't anger the internet bad guys (yeah, sometimes that is just impossible).
3.) Be very friendly with your ISP support staff (as the standard ISP response to a major DDoS is going to be to null route at the ISP's borders to protect other customers).
Pretty sure there is no way to discover IPs through skype/other IM services, if there was there would be huge news about it.
Skype etc. is actually THE way that people gather IP addresses, and it's not news, most people have known it for many years now, nothing new... if just all providers would provide static IP addresses there wouldn't be any issues
Edit: dynamic, not static
|
On September 04 2012 06:25 LunaSea wrote: On September 04 2012 06:17 trGKakarot wrote: On September 04 2012 06:15 LunaSea wrote: On September 04 2012 06:13 trGKakarot wrote: I will admit I only skimmed this thread (since it seems like if somebody solved DDoS attacks they would be getting a lot more traction than a random thread on TL), but from what I gather the OP is assuming that an ISP will send an infinite amount of data to your router and filtering out bad IP addresses at your router level will solve the problem since then you only accept "x" amount of data? Yes, except it's not your ISP sending the data originally, but a bunch of hacked computers rented by a random kid. Right, but you are only connected to the outside world through your ISP (unless they are somehow on your intranet, which means you have a bigger problem). Maybe I am missing something... Yes but what I meant is this : A --> sends a packet to B --> who forwards it to C Where : A is the attacker, B your ISP, and C is you. A is the one the packets originate from and B only forwards it to the destination indicated in the packet.
Right, but B cannot send an unlimited amount of data to C, so if A floods B with 1,000,000 packets to go to C then the other data which B was going to send to C might not get sent.
So doing something at the C end doesn't seem like it would help ... right?
|
On September 04 2012 06:28 Cinim wrote: On September 04 2012 05:13 Tao367 wrote: On September 04 2012 05:07 Pumplekin wrote: I'm not meaning to be offensive here, but the vast majority of this advice is just straight up wrong to the point it isn't worth reading.
Blocking a denial of service attack on a home based router is going to do nothing, the problem is the buffer in whatever access device lives at your ISP. If you have 10mbit downstream at home and you want to use it all, and I'm throwing 1gbit of garbage at your IP address, only around 1 in 100 of your legitimate packets is going to make it, the rest are going to be discarded before they even get to your home router, so no matter what filtering you apply on it, it isn't going to help you.
The real solutions to DDoS for the home streamer are :-
1.) Don't leak your IP address (and stuff like IRC without host hiding, Skype and other IM programs and I'm sure many other things can make this hard to do).
2.) Don't anger the internet bad guys (yeah, sometimes that is just impossible).
3.) Be very friendly with your ISP support staff (as the standard ISP response to a major DDoS is going to be to null route at the ISP's borders to protect other customers).
Pretty sure there is no way to discover IPs through skype/other IM services, if there was there would be huge news about it.
Skype etc. is actually THE way that people gather IP addresses, and it's not news, most people have known it for many years now, nothing new... if just all providers would provide static IP addresses there wouldn't be any issues
You mean dynamic IP addresses? If all providers used static IPs then this would actually suck pretty hard in terms of DDoS, since if your IP only leaks one single time then you can theoretically be flooded forever.
|
On September 04 2012 06:28 pmp10 wrote: On September 04 2012 06:10 LunaSea wrote: On September 04 2012 06:06 pmp10 wrote: On September 04 2012 05:51 LunaSea wrote: On September 04 2012 05:47 pmp10 wrote: On September 04 2012 05:41 LunaSea wrote: On September 04 2012 05:38 pmp10 wrote: Wait - so all you did was make a switch to a white-list ACL to save CPU cycles of a router? That's essentially worthless - router CPUs are not overburdened during a DDoS attack. The network resources are. Yes that's why you have a white-list, so that your tcp window won't be full of corrupted packets. Your tcp connection (window?) will receive only what gets through the ISP/buffers etc. So essentially not much - certainly very little of what you are hoping for. The TCP window is a buffer. Nice try mister professional. Pretty sure it isn't. Last I recall buffer was a kind of a memory while a window a part of TCP packet but maybe things have changed. The simplest way of considering the window size is that it indicates the size of the device's receive buffer for the particular connection. -- http://www.tcpipguide.com/free/t_TCPWindowSizeAdjustmentandFlowControl.htm plz ... Please look up those terms somewhere more reputable. Gross oversimplification and completely mismatched definitions won't help your education. Buffer is about as much a TCP window as operating system is a RAM. TCP window can set buffer size but they are completely different things.
I did projects around sequence number guessing exploits using window size and OS window scaling. I think I know more on that subject than what you can grasp.
|
Okay, almost sick of this now, but let us just imagine this situation.
A is me, I'm the attacker. Let's imagine I run, from a host with a 1gbit/s internet connection, a udp flood attack, which just generates a bunch of random UDP packets (all from the same, non-spoofed address), and sends them to your public IPv4 address.
B is your ISP, and you have a 10mbit/s connection to your ISP. Let's assume otherwise your ISP is amazing and has multiple 10gbit/s links everywhere, and can easily carry the 1gbit/s all the way down to your DSLAM or BRAS or whatever it is that your access circuit is connected to. Let's further define B as this BRAS or DSLAM. Let's also just assume you are using DSL and a DSLAM to make this easy to talk about.
C is your router.
I start the attack, and the first UDP packet arrives at B. It delivers it down your DSL line. Because my 1gbit/s is 100 times faster than your 10mbit/s connection, while that packet was being delivered down the DSL line, 99 more packets arrived at B, which put them into a buffer.
Then the 2nd of my attack packets is played out the DSL line, and while that is going, 99 more packets arrive. You now have 198 packets in B's buffer. We repeat for the 3rd packet, and you now have 297 packets in B's buffer. This continues until B's buffer is full or filling. What happens then depends on the buffer management strategy in B, which may be tail-drop, it may be RED or WRED or some other congestion control mechanism, but at the end of the day, all these different strategies are just different ways to decide what to throw away when your buffers are full.
Now with this attack going, something legit tries to send you a packet (say it is the SYN+ACK to the web request you just made to teamliquid.net). Unless that packet arrives at JUST the right time at B, it is going to be discarded. Even if it DOES arrive at just the right time, the odds of the NEXT packet (the first of the HTTP payload) also arriving at JUST the right time is super slim. Effectively you are trying to use an internet connection with 99% packet loss, and that just is never going to work well at all.
|
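The 100:1 bottleneck Pumplekin walks through above, as an added simulation that is not part of the thread (my code, not any poster's). B is modelled as a FIFO tail-drop buffer that drains one packet per time slot onto the last-mile link, A adds 100 attack packets per slot, and one legitimate packet is offered every tenth slot. The three filter positions (none, on the home router C, upstream at B) are my framing of the argument between LunaSea and the others about where a whitelist has to sit; buffer size, packet rates and the random seed are constructed assumptions.

```python
"""Bottleneck simulation: A (attacker) -> B (ISP access device) -> C (home router).

Constructed example, not code from the thread. The 100:1 ratio mirrors the
1 Gbit/s attacker vs 10 Mbit/s DSL line in the post; all other numbers
(buffer size, legit packet rate, seed) are assumptions.
"""
import random
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str   # "attacker" or "legit"
    seq: int


def simulate(slots=10_000, attack_per_slot=100, legit_every=10,
             buffer_size=100, filter_at="none", seed=1):
    """Run the queue for `slots` time slots; one slot is the time B needs
    to push one packet down the last-mile link.

    filter_at:
      "none" - C accepts everything that reaches it
      "C"    - whitelist on the home router: attack packets are discarded,
               but only after they have already crossed the bottleneck
      "B"    - attack packets are dropped before they can occupy B's buffer
               (the effect of an upstream null route / ISP-side filter)
    """
    rng = random.Random(seed)
    queue = deque()
    stats = {"offered_legit": 0, "delivered_legit": 0,
             "delivered_attack": 0, "dropped_at_b": 0}
    seq = 0
    for t in range(slots):
        arrivals = [Packet("attacker", seq + i) for i in range(attack_per_slot)]
        seq += attack_per_slot
        if t % legit_every == 0:
            arrivals.append(Packet("legit", seq))
            seq += 1
            stats["offered_legit"] += 1
        rng.shuffle(arrivals)  # arrival order within a slot is arbitrary

        for p in arrivals:
            if filter_at == "B" and p.src == "attacker":
                continue  # never consumes buffer space or link time
            if len(queue) < buffer_size:
                queue.append(p)
            else:
                stats["dropped_at_b"] += 1  # tail-drop: buffer full

        if queue:
            p = queue.popleft()  # this slot's one packet crosses the DSL line
            if p.src == "legit":
                stats["delivered_legit"] += 1
            elif filter_at != "C":
                stats["delivered_attack"] += 1
            # filter_at == "C": the router drops it, but the link slot is spent
    return stats


def legit_loss_fraction(stats):
    """Fraction of legitimate packets that never reached the host."""
    if stats["offered_legit"] == 0:
        return 0.0
    return 1 - stats["delivered_legit"] / stats["offered_legit"]


if __name__ == "__main__":
    for where in ("none", "C", "B"):
        s = simulate(filter_at=where)
        print(f"filter at {where:4}: legit delivered {s['delivered_legit']:4}/"
              f"{s['offered_legit']}, loss {legit_loss_fraction(s):.1%}, "
              f"attack packets reaching host {s['delivered_attack']}")
```

The "none" and "C" runs deliver exactly the same number of legitimate packets, because the whitelist on C sits downstream of the buffer where the loss happens; it only changes what the host sees after the damage is done. Only the "B" run, with the filter ahead of the bottleneck, brings the connection back, which is the point behind the post's advice to work with the ISP rather than the home router.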
|
On September 04 2012 06:34 .syd. wrote: On September 04 2012 06:28 Cinim wrote: On September 04 2012 05:13 Tao367 wrote: On September 04 2012 05:07 Pumplekin wrote: I'm not meaning to be offensive here, but the vast majority of this advice is just straight up wrong to the point it isn't worth reading.
Blocking a denial of service attack on a home based router is going to do nothing, the problem is the buffer in whatever access device lives at your ISP. If you have 10mbit downstream at home and you want to use it all, and I'm throwing 1gbit of garbage at your IP address, only around 1 in 100 of your legitimate packets is going to make it, the rest are going to be discarded before they even get to your home router, so no matter what filtering you apply on it, it isn't going to help you.
The real solutions to DDoS for the home streamer are :-
1.) Don't leak your IP address (and stuff like IRC without host hiding, Skype and other IM programs and I'm sure many other things can make this hard to do).
2.) Don't anger the internet bad guys (yeah, sometimes that is just impossible).
3.) Be very friendly with your ISP support staff (as the standard ISP response to a major DDoS is going to be to null route at the ISP's borders to protect other customers).
Pretty sure there is no way to discover IPs through skype/other IM services, if there was there would be huge news about it.
Skype etc. is actually THE way that people gather IP addresses, and it's not news, most people have known it for many years now, nothing new... if just all providers would provide static IP addresses there wouldn't be any issues
You mean dynamic IP addresses? If all providers used static IPs then this would actually suck pretty hard in terms of DDoS, since if your IP only leaks one single time then you can theoretically be flooded forever.
Yes, I meant dynamic xD static is ofc the opposite of what you would want
|
On September 04 2012 06:29 trGKakarot wrote: On September 04 2012 06:25 LunaSea wrote: On September 04 2012 06:17 trGKakarot wrote: On September 04 2012 06:15 LunaSea wrote: On September 04 2012 06:13 trGKakarot wrote: I will admit I only skimmed this thread (since it seems like if somebody solved DDoS attacks they would be getting a lot more traction than a random thread on TL), but from what I gather the OP is assuming that an ISP will send an infinite amount of data to your router and filtering out bad IP addresses at your router level will solve the problem since then you only accept "x" amount of data? Yes, except it's not your ISP sending the data originally, but a bunch of hacked computers rented by a random kid. Right, but you are only connected to the outside world through your ISP (unless they are somehow on your intranet, which means you have a bigger problem). Maybe I am missing something... Yes but what I meant is this : A --> sends a packet to B --> who forwards it to C Where : A is the attacker, B your ISP, and C is you. A is the one the packets originate from and B only forwards it to the destination indicated in the packet. Right, but B cannot send an unlimited amount of data to C [...]
Yes, they can actually. B is an ISP and has bandwidth that is magnitudes higher than what a personal connection can handle.
|
On September 04 2012 06:37 LunaSea wrote: On September 04 2012 06:29 trGKakarot wrote: On September 04 2012 06:25 LunaSea wrote: On September 04 2012 06:17 trGKakarot wrote: On September 04 2012 06:15 LunaSea wrote: On September 04 2012 06:13 trGKakarot wrote: I will admit I only skimmed this thread (since it seems like if somebody solved DDoS attacks they would be getting a lot more traction than a random thread on TL), but from what I gather the OP is assuming that an ISP will send an infinite amount of data to your router and filtering out bad IP addresses at your router level will solve the problem since then you only accept "x" amount of data? Yes, except it's not your ISP sending the data originally, but a bunch of hacked computers rented by a random kid. Right, but you are only connected to the outside world through your ISP (unless they are somehow on your intranet, which means you have a bigger problem). Maybe I am missing something... Yes but what I meant is this : A --> sends a packet to B --> who forwards it to C Where : A is the attacker, B your ISP, and C is you. A is the one the packets originate from and B only forwards it to the destination indicated in the packet. Right, but B cannot send an unlimited amount of data to C [...] Yes, they can actually. B is an ISP and has bandwidth that is magnitudes higher than what a personal connection can handle.
You don't pay for that much bandwidth, therefore you will not be sent that much data.
You seem to be mixing what is theoretically possible, and what is actually implemented.
|
On September 04 2012 06:40 trGKakarot wrote: On September 04 2012 06:37 LunaSea wrote: On September 04 2012 06:29 trGKakarot wrote: On September 04 2012 06:25 LunaSea wrote: On September 04 2012 06:17 trGKakarot wrote: On September 04 2012 06:15 LunaSea wrote: On September 04 2012 06:13 trGKakarot wrote: I will admit I only skimmed this thread (since it seems like if somebody solved DDoS attacks they would be getting a lot more traction than a random thread on TL), but from what I gather the OP is assuming that an ISP will send an infinite amount of data to your router and filtering out bad IP addresses at your router level will solve the problem since then you only accept "x" amount of data? Yes, except it's not your ISP sending the data originally, but a bunch of hacked computers rented by a random kid. Right, but you are only connected to the outside world through your ISP (unless they are somehow on your intranet, which means you have a bigger problem). Maybe I am missing something... Yes but what I meant is this : A --> sends a packet to B --> who forwards it to C Where : A is the attacker, B your ISP, and C is you. A is the one the packets originate from and B only forwards it to the destination indicated in the packet. Right, but B cannot send an unlimited amount of data to C [...] Yes, they can actually. B is an ISP and has bandwidth that is magnitudes higher than what a personal connection can handle. You don't pay for that much bandwidth, therefore you will not be sent that much data. You seem to be mixing what is theoretically possible, and what is actually implemented.
There is no theory. If someone sends you 1Gbit of data on your 10Mbit connection you will receive them; it will just create a huge congestion and packets will be dropped by the ISP.
|
I had no idea we had so many network engineers on this website. Jesus christ so many convincing arguments from so many people..
|
On September 04 2012 06:42 LunaSea wrote: On September 04 2012 06:40 trGKakarot wrote: On September 04 2012 06:37 LunaSea wrote: On September 04 2012 06:29 trGKakarot wrote: On September 04 2012 06:25 LunaSea wrote: On September 04 2012 06:17 trGKakarot wrote: On September 04 2012 06:15 LunaSea wrote: On September 04 2012 06:13 trGKakarot wrote: I will admit I only skimmed this thread (since it seems like if somebody solved DDoS attacks they would be getting a lot more traction than a random thread on TL), but from what I gather the OP is assuming that an ISP will send an infinite amount of data to your router and filtering out bad IP addresses at your router level will solve the problem since then you only accept "x" amount of data? Yes, except it's not your ISP sending the data originally, but a bunch of hacked computers rented by a random kid. Right, but you are only connected to the outside world through your ISP (unless they are somehow on your intranet, which means you have a bigger problem). Maybe I am missing something... Yes but what I meant is this : A --> sends a packet to B --> who forwards it to C Where : A is the attacker, B your ISP, and C is you. A is the one the packets originate from and B only forwards it to the destination indicated in the packet. Right, but B cannot send an unlimited amount of data to C [...] Yes, they can actually. B is an ISP and has bandwidth that is magnitudes higher than what a personal connection can handle. You don't pay for that much bandwidth, therefore you will not be sent that much data. You seem to be mixing what is theoretically possible, and what is actually implemented. There is no theory. If someone sends you 1Gbit of data on your 10Mbit connection you will receive them; it will just create a huge congestion.
... which is the purpose of a DDoS attack
|
@Luna: Your clarification on page 2 yourself should have made what Pimp, trG etc are trying to say clear. They're pretty much saying the path to your router gets shited up by a DDoS and nothing you do on your side will increase the size of your allocated bandwidth path so thus blocking on your final end is indeed quite useless.
And no, ISPs will not simply increase your bandwidth so they can suddenly account for your burst of incoming data. It'll get clogged and wait till you yourself deny it on your end.
|
On September 04 2012 06:42 LunaSea wrote: On September 04 2012 06:40 trGKakarot wrote: On September 04 2012 06:37 LunaSea wrote: On September 04 2012 06:29 trGKakarot wrote: On September 04 2012 06:25 LunaSea wrote: On September 04 2012 06:17 trGKakarot wrote: On September 04 2012 06:15 LunaSea wrote: On September 04 2012 06:13 trGKakarot wrote: I will admit I only skimmed this thread (since it seems like if somebody solved DDoS attacks they would be getting a lot more traction than a random thread on TL), but from what I gather the OP is assuming that an ISP will send an infinite amount of data to your router and filtering out bad IP addresses at your router level will solve the problem since then you only accept "x" amount of data? Yes, except it's not your ISP sending the data originally, but a bunch of hacked computers rented by a random kid. Right, but you are only connected to the outside world through your ISP (unless they are somehow on your intranet, which means you have a bigger problem). Maybe I am missing something... Yes but what I meant is this : A --> sends a packet to B --> who forwards it to C Where : A is the attacker, B your ISP, and C is you. A is the one the packets originate from and B only forwards it to the destination indicated in the packet. Right, but B cannot send an unlimited amount of data to C [...] Yes, they can actually. B is an ISP and has bandwidth that is magnitudes higher than what a personal connection can handle. You don't pay for that much bandwidth, therefore you will not be sent that much data. You seem to be mixing what is theoretically possible, and what is actually implemented. There is no theory. If someone sends you 1Gbit of data on your 10Mbit connection you will receive them; it will just create a huge congestion.
This will make you receive packets with significant delay, which at a certain point makes your service ... denied.
|
On September 04 2012 06:37 LunaSea wrote: On September 04 2012 06:29 trGKakarot wrote: On September 04 2012 06:25 LunaSea wrote: On September 04 2012 06:17 trGKakarot wrote: On September 04 2012 06:15 LunaSea wrote: On September 04 2012 06:13 trGKakarot wrote: I will admit I only skimmed this thread (since it seems like if somebody solved DDoS attacks they would be getting a lot more traction than a random thread on TL), but from what I gather the OP is assuming that an ISP will send an infinite amount of data to your router and filtering out bad IP addresses at your router level will solve the problem since then you only accept "x" amount of data? Yes, except it's not your ISP sending the data originally, but a bunch of hacked computers rented by a random kid. Right, but you are only connected to the outside world through your ISP (unless they are somehow on your intranet, which means you have a bigger problem). Maybe I am missing something... Yes but what I meant is this : A --> sends a packet to B --> who forwards it to C Where : A is the attacker, B your ISP, and C is you. A is the one the packets originate from and B only forwards it to the destination indicated in the packet. Right, but B cannot send an unlimited amount of data to C [...] Yes, they can actually. B is an ISP and has bandwidth that is magnitudes higher than what a personal connection can handle.
I want that kind of connection. A gigabit+ download bandwidth all to myself?
You do realize that the ISP has to police your bandwidth somehow, else they would have to supply a fiber connection to every customer.
|
Please everyone, no one here seems to know at all what they are talking about, especially this Pumplekin guy, no offense but you're not really anything close to an expert. He never said this was a perfect solution, especially because you have to block off connection to mostly every server out there, so this is a solution that only works in very very rare occasions. You guys are going on about how big this would be IF it worked, but if it does work, the fact that it's a whitelist as he says and not a blacklist, is exactly why this isn't a great solution, unless you are in the unique situation that it is necessary.
I suggest that people do 1 simple thing: actually test it out, someone stream, someone intentionally try and DDoS him, and see if it works, rather than arguing constantly for no reason. Everyone who has worked with tech will know that nothing is ever certain when it's just theory.
|
On September 04 2012 06:45 Cinim wrote: Please everyone, no one here seems to know at all what they are talking about, especially this Pumplekin guy, no offense but you're not really anything close to an expert. He never said this was a perfect solution, especially because you have to block off connection to mostly every server out there, so this is a solution that only works in very very rare occasions. You guys are going on about how big this would be IF it worked, but if it does work, the fact that it's a whitelist as he says and not a blacklist, is exactly why this isn't a great solution, unless you are in the unique situation that it is necessary.
I suggest that people do 1 simple thing: actually test it out, someone stream, someone intentionally try and DDoS him, and see if it works, rather than arguing constantly for no reason. Everyone who has worked with tech will know that nothing is ever certain when it's just theory.
The "Pumplekin guy" does know what he's saying. And I know a fair bit about it too as I have a degree in network engineering.
|
On September 04 2012 06:44 trGKakarot wrote: On September 04 2012 06:42 LunaSea wrote: On September 04 2012 06:40 trGKakarot wrote: On September 04 2012 06:37 LunaSea wrote: On September 04 2012 06:29 trGKakarot wrote: On September 04 2012 06:25 LunaSea wrote: On September 04 2012 06:17 trGKakarot wrote: On September 04 2012 06:15 LunaSea wrote: On September 04 2012 06:13 trGKakarot wrote: I will admit I only skimmed this thread (since it seems like if somebody solved DDoS attacks they would be getting a lot more traction than a random thread on TL), but from what I gather the OP is assuming that an ISP will send an infinite amount of data to your router and filtering out bad IP addresses at your router level will solve the problem since then you only accept "x" amount of data? Yes, except it's not your ISP sending the data originally, but a bunch of hacked computers rented by a random kid. Right, but you are only connected to the outside world through your ISP (unless they are somehow on your intranet, which means you have a bigger problem). Maybe I am missing something... Yes but what I meant is this : A --> sends a packet to B --> who forwards it to C Where : A is the attacker, B your ISP, and C is you. A is the one the packets originate from and B only forwards it to the destination indicated in the packet. Right, but B cannot send an unlimited amount of data to C [...] Yes, they can actually. B is an ISP and has bandwidth that is magnitudes higher than what a personal connection can handle. You don't pay for that much bandwidth, therefore you will not be sent that much data. You seem to be mixing what is theoretically possible, and what is actually implemented. There is no theory. If someone sends you 1Gbit of data on your 10Mbit connection you will receive them; it will just create a huge congestion.
This will make you receive packets with significant delay, which at a certain point makes your service ... denied.
Which is the definition of a DDoS. Thank you but I wrote the definition in the OP. Next time read the thread before plz.
|
On September 04 2012 06:44 karpo wrote: On September 04 2012 06:37 LunaSea wrote: [earlier exchange, quoted in full above, omitted] Yes, they can actually. B is an ISP and has bandwidth that is orders of magnitude higher than what a personal connection can handle. I want that kind of connection. A gigabit+ download bandwidth all to myself? You do realize that the ISP has to police your bandwidth somehow, else they would have to supply a fiber connection to every customer.
Move to Lund ^^
http://labs2.com/brikks/kundreferenser/gigabit-i-lund
|
On September 04 2012 06:47 LunaSea wrote: [quoted post repeated from above omitted]
I feel like I just walked you through to understand how your system still doesn't work, and then you ignore that fact and tell me how it is the definition of a DDoS.
For the record I have an MS in Computer Science (granted my graduate research wasn't focused on network systems, but I feel like I have a reasonable grasp on this topic).
|
If a typical home user at an ISP gets DDoS'd, this is what is likely to happen (it will vary a little between ISPs).
1.) The ISP will push a /32 route to blackhole the traffic into the ISP's IGP, which will cause any of the ISP's routers that gets traffic destined for your address to throw it away straight away. This means the peering/transit routers at the ISP will discard it as soon as possible. It is possible, if the attack is large and the ISP is small, that even this won't be enough and the entire ISP's service will be degraded.
2.) They will arrange with upstream ISPs (certainly transit providers, and possibly some peers if they see lots of attack traffic from that peer) for them to blackhole this traffic at source. Sometimes this is an ISP's NOC calling another ISP's NOC, and sometimes this is done with automated methods like announcing a /32 to them over BGP tagged with a special "discard" extended community.
Whatever happens, unless your ISP loves you, or you pay them a lot more than a typical home user, they are going to disconnect you until the attack stops.
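The local half of step 1 above, as an added example that is not part of Pumplekin's post and not any ISP's tooling: on a Linux-based router, a /32 discard route is installed with `ip route ... blackhole`. Everything in it is an assumption for illustration; in particular the customer aggregate 203.0.113.0/24 is RFC 5737 documentation space. The script refuses to blackhole anything that is not a single address inside that aggregate, which is the check an operator wants in front of any customer-triggered blackhole request.

```shell
#!/bin/sh
# Added example, not from Pumplekin's post: the local half of step 1 on a
# Linux-based router. Hypothetical throughout; the customer aggregate
# 203.0.113.0/24 is RFC 5737 documentation space chosen for illustration.
# With APPLY=1 (as root) the ip commands are executed; otherwise they are
# only printed so the logic can be checked safely.

CUSTOMER_PREFIX="${CUSTOMER_PREFIX:-203.0.113.0/24}"

# ip4_to_int ADDR: print the address as a 32-bit integer, or fail on anything
# that is not a plain dotted quad (no empty octets, no octet above 255).
ip4_to_int() {
    case "$1" in ''|.*|*.) return 1 ;; esac
    IFS=. read -r o1 o2 o3 o4 rest <<EOF
$1
EOF
    [ -z "$rest" ] || return 1
    n=0
    for o in "$o1" "$o2" "$o3" "$o4"; do
        case "$o" in ''|*[!0-9]*|0?*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
        n=$(( (n << 8) | o ))
    done
    echo "$n"
}

# in_prefix ADDR NET/LEN: succeed only if ADDR lies inside NET/LEN.
in_prefix() {
    a=$(ip4_to_int "$1") || return 1
    net=${2%/*}; len=${2#*/}
    case "$len" in ''|*[!0-9]*) return 1 ;; esac
    [ "$len" -le 32 ] || return 1
    n=$(ip4_to_int "$net") || return 1
    mask=$(( (4294967295 << (32 - len)) & 4294967295 ))
    [ $(( a & mask )) -eq $(( n & mask )) ]
}

run() {
    if [ "${APPLY:-0}" = "1" ]; then "$@"; else printf '%s\n' "$*"; fi
}

# rtbh_add VICTIM: install a host route that discards all traffic to VICTIM.
# A request for a prefix, or for an address outside our own customer space,
# is refused, so a typo or a hostile "please blackhole X" cannot take out
# someone else's addresses.
rtbh_add() {
    case "$1" in */*) echo "rtbh_add: single host address only" >&2; return 2 ;; esac
    if ! in_prefix "$1" "$CUSTOMER_PREFIX"; then
        echo "rtbh_add: $1 is not inside $CUSTOMER_PREFIX, refusing" >&2
        return 2
    fi
    run ip route replace blackhole "$1/32"
}

# rtbh_del VICTIM: remove the discard route once the attack has subsided.
rtbh_del() {
    in_prefix "$1" "$CUSTOMER_PREFIX" || return 2
    run ip route del blackhole "$1/32"
}

case "${1:-}" in
    add) rtbh_add "$2" ;;
    del) rtbh_del "$2" ;;
esac
```

Step 2 is the same /32 handed to the BGP daemon for announcement to upstreams, tagged with the well-known BLACKHOLE community 65535:666 (RFC 7999) or whatever discard community the transit provider documents; that half lives in the daemon's configuration and is not shown here. The prefix check is the important part: customer-triggered blackholing accepts /32 requests from many hands, and without it one bad request null-routes an address the ISP does not even own.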
|
On September 04 2012 06:11 Hryul wrote: I think the arguments may be easily settled if somebody would run a test. Yup, what he said. I have absolutely no idea which side is correct, but the simplest way to resolve this is to test whether it can block a simple DDoS attack. It doesn't have to be a huge elaborate setup to block an attack by dedicated hackers (from thousands of IP addresses), just sufficient to stop angry little kids with a bit of cash.
I dunno if this is feasible, but if you can trace which IP addresses are bombarding you, you can try to send that to the ISPs/police. If that fails, go to 4chan.
|
On September 04 2012 06:50 trGKakarot wrote: [quoted post repeated from above omitted]
It's funny that you say that; I was under the impression that I was explaining DDoS to someone who was oblivious to networking.
|
On September 04 2012 06:52 LunaSea wrote: [quoted post repeated from above omitted]
He wasn't asking for an explanation. He was questioning your reasoning. It seems quite clear to me and several others in this thread.
|
If anyone is going to test this in practice:
1.) Make sure you have a sufficiently large source of DoS traffic to actually make a difference.
2.) Get permission of the ISP you are DoS'ing before you do it.
I can go throw a few tens of gigabits around, but you know, I'm responsible and stuff.
|
On September 04 2012 06:45 Cinim wrote: Please everyone, no one here seems to know at all what they are talking about, especially this Pumplekin guy, no offense but you're not really anything close to an expert. He never said this was a perfect solution, especially because you have to block off connection to mostly every server out there, so this is a solution that only works in very very rare occasions. You guys are going on about how big this would be IF it worked, but if it does work, the fact that it's a whitelist as he says and not a blacklist is exactly why this isn't a great solution, unless you are in the unique situation that it is necessary.
I suggest that people do 1 simple thing: actually test it out, someone stream, someone intentionally try and DDoS him, and see if it works, rather than arguing constantly for no reason. Everyone who has worked with tech will know that nothing is ever certain when it's just theory. What they are saying is that when what is supposedly choked is not your home router to begin with, home router settings don't matter.
I'm not a network guy so I don't quite understand how for example 10 megabit per second of random data would choke a 100+ Mbps router, perhaps the OP can explain?
edit: Another question for the OP from a non network guy like me:
Maximum incoming data bandwidth from my ISP to my home router is just a bit over 200 Mbps. If my IP is being sent say 5 Gbps of random data from a DDoS attacker, how will your home router filtering fix make it so incoming data that is not from the DDoS attacker reaches my router?
|
Actually if you own a website you can protect it from DDoS attacks, but you have to get webhosting from a specific hosting company that specializes in protecting data and hack prevention, such as DDoS protected servers and/or webhosting. Pricing often depends on the bandwidth that you intend on using. Some plans that I have seen easily tack on $150-$350 per year just for the DDoS protection side of the service.
But just search "DDoS protected server hosting" on Google.com and you will find lots of companies.
Some of the companies have impressive measures for dealing with this issue. However, protecting your own IP from DDoS requires changes that the OP has recommended.
|
On September 04 2012 06:54 Akta wrote: [quoted post repeated from above omitted]
Router filtering won't fix anything. This is what we've been trying to explain to the OP for 4 pages now...
|
Yeah, DDoS protection is a specialist service, and it certainly isn't something you are going to get on a typical home user internet connection. It is part science and part art, and at the end of the day, if the attacker has a big enough botnet, it may well not be enough.
You can also outsource DDoS mitigation to someone like Prolexic, who have a bunch of options for DDoS mitigation, none of which are likely to be useful to a typical home streamer (but WILL be useful to someone with a real internet connection and some money, and a real loss to be measured if they are being DDoS'd).
If someone sold a DDoS protected VPN service (that wasn't a joke), and you were happy to always use the VPN, this might be a useful product. Remember though, you get what you pay for, and someone that's going to do a good job against a real attack isn't likely to be cheap (I've no idea what sized attacks are hitting streamers).
|
On September 04 2012 06:43 Senx wrote: I had no idea we had so many network engineers on this website. Jesus christ, so many convincing arguments from so many people.. To be fair, within the confines of the thread the OP has made an example situation, posters like Pumplekin have replied with what would happen, and then he affirmed that would happen but still doesn't agree. Perhaps it's the bad English but this seems pretty black and white.
The DDoS doesn't work on your router, it works on your ISP feeding to your router. So if the DDoS is 1Gb, and you have less than that received from your ISP, the data will be discarded and you will only receive whatever your ISP is paid to give you. So, none of this can be solved by whitelisting because the problem isn't at the router.
|
If somebody DDoSes my DSL connection, changing my home router settings would not magically turn my phone wires into fiber.
|
Maybe someone should draw a picture. I find pictures often do help when words seem to fail to reach their target. Maybe something nice with cars and a road maybe, just something that connects on a more basic understanding.
|
This is no solution, and it does not need to be tested because the concept itself is fundamentally flawed.
edit: came off a bit dickier than I intended.
|
On September 04 2012 07:46 maoiste wrote: Maybe someone should draw a picture. I find pictures often do help when words seem to fail to reach their target. Maybe something nice with cars and a road maybe, just something that connects on a more basic understanding. If I got some technical detail wrong someone will hopefully correct me.
edit: couple of clarifications
|
On September 04 2012 08:26 Akta wrote: On September 04 2012 07:46 maoiste wrote: Maybe someone should draw a picture. I find pictures often do help when words seem to fail to reach their target. Maybe something nice with cars and a road maybe, just something that connects on a more basic understanding. If I got some technical detail wrong someone will hopefully correct me. ![[image loading]](http://i.imgur.com/wop6L.png)
All wrong.
The internet is NOT a big truck; it's a series of tubes.
|
Is there any reason (legal?) Twitch doesn't offer VPN accounts for their premium streamers? They already have the bandwidth to dwarf most attacks. And people might be less inclined to fuck with a company.
|
On September 04 2012 08:26 Akta wrote: On September 04 2012 07:46 maoiste wrote: Maybe someone should draw a picture. I find pictures often do help when words seem to fail to reach their target. Maybe something nice with cars and a road maybe, just something that connects on a more basic understanding. If I got some technical detail wrong someone will hopefully correct me. ![[image loading]](http://i.imgur.com/Joy2t.png)
there should not be a car accident blocking the road
|
i know nothing about DDoS, but pumplekin's posts have the best grammar, so i guess he's right. -_-
|
It probably wouldn't take much bandwidth to take down the proxy and with it dies his Skype connection. The only thing it shows is that the attacks are most likely tiny (if they are still happening).
Through means of elimination I could also most likely obtain his IP address; the only thing I would need is the city he resides in plus which sites/threads he visits. You could upload an image to a thread on site-x/thread-y he visits and collect all IPs matching a certain vicinity. If he is really stupid you could just send him a PM. The attacker already knows the ISP he uses (from the last attack), so the list of possibles I assume would be quite small. Plus you will be able to see on his stream which IP belongs to him, or rather not see I suppose.
What I am trying to say is that there are always ways if you are determined, and I believe Destiny angered and motivated quite a lot of people.
|
LunaSea helps for two possible bottlenecks:
- Router CPU capacity
- Network traffic between router and your PC
However, it does nothing to help against this problem:
![[image loading]](http://img222.imageshack.us/img222/1967/ddospaint.png)
|
^
That is an amazing illustration.
I should try to clarify the arguments of both parties..
From what I understand, there are two bottlenecks. The first is from your ISP to your router, and the second is the ability of your router to process incoming packets. The OP is arguing that bottleneck 1 is large enough to allow small-scale DDoS attacks through but the attack jams up bottleneck 2. The other party is arguing that the attack clogs up bottleneck 1. But which is true? How large are the DDoS attacks made by little kids with their parents' credit cards? How much data do these attacks send? Anyone knows the details of these attacks?
I hope you guys understand what I'm saying.
|
On September 04 2012 09:16 icydergosu wrote: [quoted post repeated from above omitted]
The people who pay for bots to DDoS people don't know how to do what you mentioned above. And even if they do/did and wanted to spend the time to do so, they would only obtain his proxy and not his actual IP, in which case he would change the proxy. My guess is that he also uses whitecap or SocksProx for his browser as well, so again you're only getting his proxy. I don't think you could tell his IP or proxy based off his stream. Either way this is just a deterrent and an effective one at that.
|
Wow you people. OP, try actually justifying why you think you are right instead of being so cocky and militantly wrong. Especially when you don't recognize that the origin of a packet has no relevance. When we say "sent by your ISP", it means "forwarded by your ISP", there is no difference. The internet works by packet forwarding from one address to the next until the packet gets to its destination. Also I must say "lol" at the people saying "go test it!". Yeah go commit a serious crime just so you can test something that you can easily figure out otherwise. Personally I never really thought about where the bottleneck would be in a DDoS, but just thinking about it for 5 seconds it seems obvious the bottleneck would be BEFORE the packets even got to your router. If a DDoS was done by exploiting a bottleneck at your home router, then that means your ISP would have to be sending you data at a bitrate far higher than is typically allotted for a home internet connection. This is obviously not true, so you can deduce pretty easily that nothing you can do to your home router will likely be able to help you avoid a DDoS.
edit: Also I forgot to mention that you people who actually understand this stuff shouldn't put the "wrong" people down so much. Just because they've made some incorrect inferences doesn't warrant an "OMG you obviously know NOTHING ABOUT NETWORKING GARRRRRR". A lot of people in the thread obviously know something, but some are lacking some understanding somewhere that makes them not see why they're wrong. The fact that OP is so cocky in his wrongness is annoying though.
|
The OP is clueless about networking, Pumplekin has his facts straight. There isn't really much that you can do.
The typical solo player on a limited budget should just reboot their router to hopefully get a new IP from their ISP, close every non-essential networking app on their PC so that they don't leak the new IP, and pray that the attack isn't big enough to affect the whole ISP (it most likely isn't).
EG house already took the first step that any team house should do by having multiple internet connections, but afaict they haven't made it easy to switch between the connections when one is hammered.
LAN tournaments can't do much about it unless they want to block everything except the games being played to try to prevent their public IP from being found out.
Any of them could also use a Linux router (even consumer grade wifi routers with a 3rd party firmware) to do policy based routing so that only approved services that won't leak the public IP would be sent over one connection and everything else would be sent over another connection (could be a VPN or another real connection). However, this is complicated to set up and maintain so I don't actually expect anyone to really do it, not even LANs.
|
On September 04 2012 09:36 NoobSkills wrote: [quoted post repeated from above omitted]
Assume we got his proxy's IP from Skype. Then we take down his $5 server from a shitty reseller. At this point he is already annoyed and can't use Skype anymore. If he gets another proxy (which would be pointless if he doesn't spend a lot of money) you could just repeat the procedure. Regarding seeing his IP (at this point I assume he doesn't use his cheap server anymore because it's pointless), I will see the effect the attack has on the list of possible Destiny IPs on his stream (= no stream).
What phuzi0n describes could be easily set up using Zeroshell. http://www.zeroshell.net/
|
On September 04 2012 09:24 CheeseSucker wrote: LunaSea helps for two possible bottlenecks: - Router CPU capacity - Network traffic between router and your PC However, it does nothing to help against this problem: ![[image loading]](http://img222.imageshack.us/img222/1967/ddospaint.png) Even though it appears to lack car analogies I like the illustration. Did you make it in mspaint?
|
Yep, no need to use anything more advanced than mspaint =) If it makes you feel better, you can think of the drops as very small cars.
I prefer to see it as a sewage system.
|
On September 04 2012 09:16 icydergosu wrote: [quoted post repeated from above omitted]
Well I don't know if he's right or not, just adding his input for whatever it's worth.
I have no idea what the fuck anyone is actually talking about in this thread. I just happened to remember this blog Destiny posted.
|
On September 04 2012 10:01 icydergosu wrote: What phuzi0n describes could be easily set up using Zeroshell. http://www.zeroshell.net/ If you're referring to what I said about EG house then I would not recommend using automatic failover because then the attacker will just get all your IPs before you shut down the apps that are leaking them.
If you're referring to policy based routing then it is a completely different beast from failover or other simple forms of load balancing. First you would have to determine what is safe to let through on the clean line that won't advertise your IP to an attacker (which is not an easy task), then you need to configure the router to send those protocols/ports over the clean line (usually using CLI commands, haven't ever seen any GUI do it), then when an attack happens the services on the clean line won't be affected but everything on the dirty line will still go down.
|
Actually something I'm not sure about with regards to the DDoS is if the DoS is actually due to buffers at the ISP's routers being overwhelmed and therefore just flushed of packets, or is it because the ISP can handle the traffic fine but is consciously dropping random packets at some rate in order to throttle the bandwidth only to the destination (the streamer's IP in this case). I'm not sure of the details of how this works. If the second suggestion is true, I can see a scenario where I could see OP's solution being helpful. That is a scenario where the streamer's upstream traffic is unimpeded, there is little downstream traffic required to stream to twitch, and twitch is able to function even with having to resend data to the streamer with significant delay in response. A lot of "if"s. Would appreciate it if someone can educate me where I indicated I was unsure.
edit: in case people didn't get it from my post, I still think it is very unlikely the OP's solution would help at all.
|
On September 04 2012 10:23 phuzi0n wrote:
    If you're referring to what I said about the EG house, then I would not recommend using automatic failover, because then the attacker will just get all your IPs before you shut down the apps that are leaking them. If you're referring to policy-based routing, then it is a completely different beast from failover or other simple forms of load balancing. First you would have to determine what is safe to let through on the clean line that won't advertise your IP to an attacker (which is not an easy task), then you need to configure the router to send those protocols/ports over the clean line (usually using CLI commands; I haven't ever seen any GUI do it), then when an attack happens the services on the clean line won't be affected but everything on the dirty line will still go down.
Yeah, if you have routing rules in place, doing automatic failover would be pointless.
I think it's an easy enough task to work out the (critical) routing rules; we could even provide a collective Zeroshell profile for everybody. I assume SC2 + Twitch are the most important ones?
You can do policy-based routing through the GUI in Zeroshell, very quickly.
|
On September 04 2012 08:50 Tayar wrote:
    I know nothing about DDoS, but pumplekin's posts have the best grammar, so I guess he's right. -_-
You made me laugh.
|
The number of scriptkiddies in this thread is overwhelming
|
I did a lot of research on the subject these last hours. And I'm sorry guys, you were right and I was wrong...!
On the same subject, what could help streamers, players and tournaments besides Zeroshell configs?
On September 04 2012 10:48 bakarin wrote:
    The number of scriptkiddies in this thread is overwhelming
Why do you say this?
|
There's really nothing you can do except vigorously defend your IP.
|
    I did a lot of research on the subject these last hours. And I'm sorry guys, you were right and I was wrong...!
That's impressive, good on you.
|
On September 04 2012 10:01 icydergosu wrote:
    On September 04 2012 09:36 NoobSkills wrote:
        On September 04 2012 09:16 icydergosu wrote:
            It probably wouldn't take much bandwidth to take down the proxy, and with it dies his Skype connection. The only thing it shows is that the attacks are most likely tiny (if they are still happening). Through means of elimination I could also most likely obtain his IP address; the only thing I would need is the city he resides in plus which sites/threads he visits. You could upload an image to a thread on site-x/thread-y he visits and collect all IPs matching a certain vicinity. If he is really stupid you could just send him a PM. The attacker already knows the ISP he uses (from the last attack), so the list of possibles I assume would be quite small. Plus you will be able to see on his stream which IP belongs to him, or rather not see, I suppose.
            What I am trying to say is that there are always ways if you are determined, and I believe Destiny angered/motivated quite a lot of people.
        The people who pay for bots to DDoS people don't know how to do what you mentioned above. And even if they do/did and wanted to spend the time to do so, they would only obtain his proxy and not his actual IP, in which case he would change the proxy. My guess is that he also uses Whitecap or SocksProx for his browser as well, so again you're only getting his proxy. I don't think you could tell his IP or proxy based off his stream. Either way this is just a deterrent, and an effective one at that.
    Assume we got his proxy's IP from Skype. Then we take down his $5 server from a shitty reseller. At this point he is already annoyed and can't use Skype anymore. If he gets another proxy (which would be pointless if he doesn't spend a lot of money) you could just repeat the procedure.
    Regarding seeing his IP (at this point I assume he doesn't use his cheap server anymore because it's pointless), I will see the effect the attack has on the list of possible Destiny IPs on his stream (= no stream). What phuzi0n describes could be easily set up using Zeroshell. http://www.zeroshell.net/
Each attempt would take a bunch of time for the one attempting to obtain the proxy's IP. Then they would have to ask the bot service (which most use) to attack that proxy. Proxy dies, so all connections do. Then you change your connections to the next proxy. Either way I think even 2 proxies would be enough to sufficiently deter most people, but then there are those try-hards (which I don't really understand), so you should have a steady backup list. Though IMO it would be best to get with your ISP to attempt to get them to block these types of attacks, if they even can.
|
I must say, this thread gave me the same exact feeling a game of dota does.
I don't even feel like explaining why...
I'm just glad there was an anticlimactic conclusion and that everyone is unhappy. That's how you know it was a good game.
|
Its not a real team house unless its running Arbor DDOS mitigation devices on its core network.
|
Oh my god, people in this thread need to learn about networking.
|
LunaSea +1 for trying
LunaSea -5 for being wrong
Pumplekin +5 for explaining why he is wrong
LunaSea +10 for admitting on the internet that he was wrong!
LunaSea -5 for not editing the OP
Picture poster +5 for putting correct information in an easy picture
skeldark -1 for reading all this
/thread
|
On September 04 2012 16:23 skeldark wrote:
    LunaSea +1 for trying
    LunaSea -5 for being wrong
    Pumplekin +5 for explaining why he is wrong
    LunaSea +10 for admitting on the internet that he was wrong!
    Picture poster +5 for entertaining
    skeldark -1 for reading all this
    /thread
Not +1 skeldark for reading all this and having learned something / refreshed some knowledge?
I certainly am happy I read the thread. Thanks guys, nice discussion! Remembered a lot I had learned / read once.
|
On September 04 2012 16:29 Junichi wrote:
    On September 04 2012 16:23 skeldark wrote:
        LunaSea +1 for trying
        LunaSea -5 for being wrong
        Pumplekin +5 for explaining why he is wrong
        LunaSea +10 for admitting on the internet that he was wrong!
        Picture poster +5 for entertaining
        skeldark -1 for reading all this
        /thread
    Not +1 skeldark for reading all this and having learned something / refreshed some knowledge? I certainly am happy I read the thread. Thanks guys, nice discussion! Remembered a lot I had learned / read once.
Not really, nothing I did not know... Don't learn networking over internet forums! This is the best start: http://shop.oreilly.com/product/9780937175828.do
|
Zurich:
On September 04 2012 05:07 Pumplekin wrote:
    The real solutions to DDoS for the home streamer are:
    1.) Don't leak your IP address (and stuff like IRC without host hiding, Skype and other IM programs and I'm sure many other things can make this hard to do).
This thread really should have stopped here :/ GJ Pumplekin
Props to the OP for admitting his fault in the end. I am locking the thread; PM me if you still want to add something.
Oh, and hilarious use of Paint graphs haha
|
Zurich:
BTW, for some real-life defending:
I know streamers (who were attacked before) who got a dedicated line just for streaming. So they have one internet line for Skype, IRC and the likes, and one dedicated to the Twitch upstream. Sure, an attacker could take out the Skype line, which is definitely annoying, but at least the show can go on. Not a perfect solution either, but at least they can run chat / messengers with minimized risk.
And yes, being nice to your ISP is a big help. Even if it's just to be able to call them and quickly get a new IP should yours have been leaked.
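The policy-based routing phuzi0n describes and the dedicated streaming line Zurich mentions are the same design seen from two angles: a "clean" uplink whose address is only ever seen by the stream ingest and the game servers, and a "dirty" uplink for Skype, IRC, browsing and anything else that can leak an IP. The script below shows what that looks like on a plain Linux router with iproute2 and iptables. It is an added example for this thread, not a Zeroshell profile and not anything posted in the discussion; the interface names, gateway addresses and destination prefixes are assumptions (TEST-NET ranges) standing in for values you would measure on your own network.

```shell
#!/usr/bin/env bash
# Two-uplink streamer router: policy-based routing on Linux (iproute2 + iptables).
# Every name and address here is an assumption for the example, not from the thread:
#   eth1 / 203.0.113.x  "clean" line: only the stream ingest and game servers see this IP
#   eth0 / 198.51.100.x "dirty" line: Skype, IRC, browser, anything that might leak an IP
CLEAN_IF=${CLEAN_IF:-eth1}
CLEAN_IP=${CLEAN_IP:-203.0.113.50}
CLEAN_GW=${CLEAN_GW:-203.0.113.1}
DIRTY_IF=${DIRTY_IF:-eth0}
DIRTY_GW=${DIRTY_GW:-198.51.100.1}
CLEAN_TABLE=100   # routing table used only for the clean line
MARK=0x64         # fwmark that selects that table

# Destinations allowed onto the clean line. Constructed TEST-NET prefixes standing in
# for the ingest and game-server ranges you actually observe (tcpdump while streaming).
CLEAN_DESTS="192.0.2.0/25 192.0.2.128/25"

# Emit the configuration instead of running it, so the plan can be reviewed first.
pbr_commands() {
  # The main table keeps its default route on the dirty line: unmatched traffic goes there.
  echo "ip route replace default via $DIRTY_GW dev $DIRTY_IF"
  # The clean table holds a single default route via the clean gateway.
  echo "ip route replace default via $CLEAN_GW dev $CLEAN_IF table $CLEAN_TABLE"
  # Packets sourced from the clean address (replies to inbound game traffic) and
  # packets carrying our mark both consult the clean table before main.
  echo "ip rule add from $CLEAN_IP lookup $CLEAN_TABLE priority 999"
  echo "ip rule add fwmark $MARK lookup $CLEAN_TABLE priority 1000"
  # Mark only traffic to the allowlisted destinations: LAN hosts (PREROUTING) and the
  # router itself (OUTPUT). The kernel re-routes after the mangle OUTPUT hook sees the mark.
  for dst in $CLEAN_DESTS; do
    echo "iptables -t mangle -A PREROUTING -d $dst -j MARK --set-mark $MARK"
    echo "iptables -t mangle -A OUTPUT -d $dst -j MARK --set-mark $MARK"
  done
  # Default-deny on the clean interface: a new app or a broader route added later
  # cannot quietly advertise the clean IP to a peer that is not on the list.
  for dst in $CLEAN_DESTS; do
    echo "iptables -A FORWARD -o $CLEAN_IF -d $dst -j ACCEPT"
    echo "iptables -A OUTPUT -o $CLEAN_IF -d $dst -j ACCEPT"
  done
  echo "iptables -A FORWARD -o $CLEAN_IF -j REJECT"
  echo "iptables -A OUTPUT -o $CLEAN_IF -j REJECT"
  # Two uplinks mean asymmetric paths; loose reverse-path filtering stops the kernel
  # from dropping legitimate replies that arrive on the "other" interface.
  echo "sysctl -w net.ipv4.conf.$CLEAN_IF.rp_filter=2"
  echo "sysctl -w net.ipv4.conf.$DIRTY_IF.rp_filter=2"
  echo "ip route flush cache"
}

# Number of allowlisted prefixes, a quick sanity check before applying.
pbr_dest_count() { set -- $CLEAN_DESTS; echo "$#"; }

# Execute the plan line by line (run as root on the router).
pbr_apply() {
  pbr_commands | while IFS= read -r cmd; do
    echo "+ $cmd"
    $cmd
  done
}

case "${1:-}" in
  apply) pbr_apply ;;     # live configuration
  *)     pbr_commands ;;  # dry run: print the plan
esac
```

Run it without arguments to read the plan, and with `apply` once the allowlist is right. Two things the thread already points out still hold: the hard part is the allowlist itself, since the ingest and game-server prefixes have to be derived from observed traffic and will change, and anything that falls through the marks rides the dirty line and can still be knocked out. The split only keeps the clean IP from being exposed; it does nothing for an address that has already leaked.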
|