for the techs @ therx

wolfie_cr · Mar 18, 2005

http://www.amazon.com/exec/obidos/tg/detail/-/0131475738/qid=1111188428/sr=8-1/ref=sr_8_xs_ap_i1_xgl14/102-3320334-1248156?v=glance&s=books&n=507846

interesting read about DDoS , not a solution (Wish there was one!) but interesting none the less and much more so for us that are on the "attacked" end all the time

TheGeneral+ · Mar 18, 2005

Thanks

philosurfer · Mar 21, 2005

RRDNS...problem solved.
been in the spam industry for a long time... DDOS.. is for rookies.

AdamSelene · Mar 21, 2005

Why does Round Robin DNS (?) solve DDOS?

Indeed many attacks I've seen are so poorly orchestrated as to only attack a single IP address and a single TCP port (80). Block port 80 and your site is still accessible by SSL, dev null route the IP address being attacked and update DNS and the attack disappears.

But that's only a solution to extremely poor attack parameters. I wouldn't assume that bot networks will remain so stupid.

Extremely big pipes and a vaste web server farm generally manage to survive attacks.

The honeynet project claims to have tracked 1 million bot infected computers, and witnessed DDOS bot hoards of up to 50,000.

http://www.honeynet.org/

The largest botnet tracked (by iDefense in 2003) was 120,000 infected computers.

It's easy to see how DDOS works. A typical individual web server can only handle about 10,000 requests per second (rps) for static content -- and expoentially worse for server script pages and database-driven content (e.g. ASP, which most sportsbook software uses maxes out at 300-500 rps).

wolfie_cr · Mar 21, 2005

"is for rookies." LOL, thats why it STILL keeps causing big headaches to everyone in the world as well as loses of billions

tell that to the guys of prolexic

philosurfer · Mar 22, 2005

the techs in the sports book industry are not the top of the food chain as many of them would like to believe.

the people writing those botnets just so happen to be friends. and lets say i have a little expierence working with them myself.

every ip packet has a header. that header has a string with an originating location.
now... you say.. well that dont mean **** with a bot net... wrong.
Ip packets can vary in size. Usually DDoS attacks are made from a very generic pattern. With a deccent RRdns (maybe 10 clustered dns servers, its up to you.) program you should be able to read all traffic and if you recieve more than x amount of packets in 3 seconds all with this packet size... well... you get the idea.. its not perfect... But... i keep AOL's DDoS attacks at bay on a daily basis... but still allow their users to view my sites.

And they have a little bit more money, and more staff than my russian friends.

RRdns works.

wolfie_cr · Mar 22, 2005

let me address your comments one by one

"the techs in the sports book industry are not the top of the food chain as many of them would like to believe."

perhaps not, but DDoS STILL cripple sites ALL OVER the world and in developed countries as well

"every ip packet has a header. that header has a string with an originating location." so what? it doesn't matter if the IP number is spoofed or not, with 50000 bots all trying to bring down the site who cares if they are real or not? the router is equally swamped both in processing (CPU) and bandwidth, these people have 100 Mbps and more, that is a very significant % of bandwidth compared to the total that either RACSA or ICE have

so let's see......I write a both with random packet size, perfectly shaped as a normal http get request and its going to be a nice bot so it will spoof the IP so that each bot can use 100 random IPs, so I have say 1000 bots bombarding you with 1000000 IP numbers that I will rotate every minute. now how exactly do you defend against that?