[lug] DOS ssh attacks
nate at natetech.com
Sun Jan 11 01:51:49 MST 2009
On Jan 10, 2009, at 4:27 PM, karl horlen wrote:
> i guess this kind of gets back to the original question. depending
> on how big the pipeline is at any given entry / router point to and
> within your ISP, i would imagine a DOS attack on only one server
> behind an ISP firewall can potentially impact every server / site
> behind any one of the firewalls in the path that leads to the ISP.
> not even sure how an ISP fixes that?
The answer in the absolute worst cases is literally just what you
say: More bandwidth.
There are companies (I think one's mentioned in the article below, and
there's another article floating around about a similar company that
was "protecting" offshore gambling "casinos"/sites -- that story was
even hairier/weirder since there was virtually no law enforcement
available in these off-shore locations, and the owners would literally
hire mercenaries/militia to protect their data centers, families,
themselves... employees if they were really nice (hah... just only
KINDA kidding there), etc... from the bad guys who were extorting them
for millions of dollars a month.
Often the companies that do this sort of "protection" take on the job
of being your primary route, they have enormous bandwidth, and they're
not cheap. They route your normal traffic in through their load-
balancers, server farms, etc... strip off the "bad" stuff, and send on
a back-end (again, expensive) point-to-point pipe to your now much
quieter, datacenter where the "real" servers live.
Larger U.S. corporations just scatter their servers and build out in
multiple huge data centers with massive pipes into them, to make the
likelihood they can be knocked off-line, lower. But they don't often
have to avail themselves of the services of the "protection" companies.
>> Your question reminds me of an article I read a while back.
>> I think this is it (or it contains enough of the same
>> info): http://www.press.umich.edu/pdf/9780472031955-ch24.pdf
> thanks for the link and info. i'll give it a look.
That's a pretty good one. There are others out there too.
The whole thing gives rise to the joke: "He who dies with the most
bandwidth, wins.", of course.
Or as I've stolen and rephrased it into telco terminology for years,
after hearing a friend coin the phrase one day: "He who dies with the
most erlangs, wins." (Which is a far more interesting way to say it,
for telco geeks. And getting more accurate all the time, since the
big pipes getting overstuffed also commonly blocks VoIP traffic these
days, too... ahh the joys of mixed packet networks!)
DDoS attacks from a botnet aren't something most people really want to:
a) Know they even happen...
b) Have to deal with...
c) Be involved with the serious law enforcement and dangerous behavior
of the criminals involved, in many cases.
Think about it this way -- if spamming is profitable in the general
"lawlessness" of the Internet, how much more profitable is taking down
any large corporation's website that does commerce mainly via the
web? (Extortion.) It's big business. Non-distributed DoS attacks
are magnitudes easier to deal with, block some IP ranges, and you're
done. Distributed DoS attacks utilizing zombie/botnet networks --
much harder to deal with.
nate at natetech.com
More information about the LUG