[lug] DOS ssh attacks

Nate Duehr nate at natetech.com
Sun Jan 11 01:51:49 MST 2009

On Jan 10, 2009, at 4:27 PM, karl horlen wrote:

> i guess this kind of gets back to the original question.  depending  
> on how big the pipeline is at any given entry / router point to and  
> within your ISP, i would imagine a DOS attack on only one server  
> behind an ISP firewall can potentially impact every server / site  
> behind any one of the firewalls in the path that leads to the ISP.
> not even sure how an ISP fixes that?

The answer in the absolute worst cases is literally just what you  
say:  More bandwidth.

There are companies (I think one's mentioned in the article below, and  
there's another article floating around about a similar company that  
was "protecting" offshore gambling "casinos"/sites -- that story was  
even hairier/weirder since there was virtually no law enforcement  
available in these off-shore locations, and the owners would literally  
hire mercenaries/militia to protect their data centers, families,  
themselves... employees if they were really nice (hah... just only  
KINDA kidding there), etc... from the bad guys who were extorting them  
for millions of dollars a month.

Often the companies that do this sort of "protection" take on the job  
of being your primary route, they have enormous bandwidth, and they're  
not cheap.  They route your normal traffic in through their load- 
balancers, server farms, etc... strip off the "bad" stuff, and send on  
a back-end (again, expensive) point-to-point pipe to your now much  
quieter, datacenter where the "real" servers live.

Larger U.S. corporations just scatter their servers and build out in  
multiple huge data centers with massive pipes into them, to make the  
likelihood they can be knocked off-line, lower.  But they don't often  
have to avail themselves of the services of the "protection" companies.

>> Your question reminds me of an article I read a while back.
>> I think this is it (or it contains enough of the same
>> info): http://www.press.umich.edu/pdf/9780472031955-ch24.pdf
> thanks for the link and info.  i'll give it a look.

That's a pretty good one.  There are others out there too.

The whole thing gives rise to the joke:  "He who dies with the most  
bandwidth, wins.", of course.

Or as I've stolen and rephrased it into telco terminology for years,  
after hearing a friend coin the phrase one day:  "He who dies with the  
most erlangs, wins."  (Which is a far more interesting way to say it,  
for telco geeks.  And getting more accurate all the time, since the  
big pipes getting overstuffed also commonly blocks VoIP traffic these  
days, too... ahh the joys of mixed packet networks!)

DDoS attacks from a botnet aren't something most people really want to:
a) Know they even happen...
b) Have to deal with...
c) Be involved with the serious law enforcement and dangerous behavior  
of the criminals involved, in many cases.

Think about it this way -- if spamming is profitable in the general  
"lawlessness" of the Internet, how much more profitable is taking down  
any large corporation's website that does commerce mainly via the  
web?  (Extortion.)  It's big business.  Non-distributed DoS attacks  
are magnitudes easier to deal with, block some IP ranges, and you're  
done.  Distributed DoS attacks utilizing zombie/botnet networks --  
much harder to deal with.

Nate Duehr
nate at natetech.com

More information about the LUG mailing list