Slashdot: News for Nerds

Pushback against DDOS Attacks

CmdrTaco posted more than 11 years ago | from the build-a-better-asshole-trap dept.

Security | 159 comments

Huusker writes "Steven Bellovin and others at ATT Research Labs and ICIR have come up with a mechanism to stop DDOS attacks. The idea is called Pushback. When the routers get flooded they consult a Unix daemon (/etc/pushbackd) to determine if they are being DDOS'ed. The routers propagate the quench packets back to the sources. The policy and propagation are separate, allowing hardware vendors to concentrate on the quench protocol while the white hats invent ever more clever DDOS detection filters for /etc/pushbackd. The authors of the paper have an initial implementation on FreeBSD."
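Added example, not code from the paper or from its FreeBSD implementation: a small Python model of the loop the summary describes. The congested router's policy step (the decision the summary hands to pushbackd) picks the dominant aggregate by destination /24, caps it so that the remaining traffic still fits the link, and hands each upstream neighbour a share of that cap, which the neighbours propagate further upstream. The topology, link capacities, flow rates and addresses (documentation ranges) are constructed for the demonstration; the proportional split of the limit among upstream links is a simplification of the paper's max-min style division, and no wire protocol between routers is modelled.

```python
import ipaddress
from collections import defaultdict


def aggregate_of(dst):
    """Pushback acts on aggregates rather than flows; here an aggregate is the
    destination /24, i.e. the victim's prefix (constructed choice)."""
    return str(ipaddress.ip_network(f"{dst}/24", strict=False))


class Router:
    """One router in a tree whose root link leads to the victim. Capacity is
    only checked by detect_and_pushback(); the model does not drop on its own."""

    def __init__(self, name, capacity_mbps, children=()):
        self.name = name
        self.capacity = capacity_mbps   # link toward the victim, in Mbps
        self.children = list(children)  # upstream neighbours (toward the sources)
        self.local = []                 # (src, dst, rate_mbps) flows entering here
        self.limits = {}                # aggregate -> rate this router lets through
        self.limit_log = []             # limits installed here, for the reader

    def offered(self):
        """Per-aggregate load arriving here: local flows plus what children forward."""
        load = defaultdict(float)
        for _src, dst, rate in self.local:
            load[aggregate_of(dst)] += rate
        for child in self.children:
            for agg, rate in child.forwarded().items():
                load[agg] += rate
        return dict(load)

    def forwarded(self):
        """Per-aggregate rate leaving on the downstream link after local limits."""
        return {agg: min(rate, self.limits.get(agg, float("inf")))
                for agg, rate in self.offered().items()}

    def pushback(self, agg, limit):
        """Install a limit for `agg` here and hand each contributing upstream
        neighbour its share. Shares are proportional to contribution, a
        simplification of the max-min style division used in the paper."""
        self.limits[agg] = limit
        self.limit_log.append((agg, round(limit, 3)))
        local = sum(r for _s, d, r in self.local if aggregate_of(d) == agg)
        contrib = {c: c.forwarded().get(agg, 0.0) for c in self.children}
        total = local + sum(contrib.values())
        for child, rate in contrib.items():
            if rate > 0:
                child.pushback(agg, limit * rate / total)


def detect_and_pushback(router):
    """The policy step the summary delegates to pushbackd: if the link toward the
    victim is overloaded, pick the dominant aggregate, cap it so everything else
    still fits, and push that cap upstream. Returns (aggregate, limit) or None."""
    out = router.forwarded()
    load = sum(out.values())
    if load <= router.capacity:
        return None
    agg = max(out, key=out.get)
    other = load - out[agg]
    limit = max(router.capacity - other, 0.0)
    router.pushback(agg, limit)
    return agg, limit


def build_demo_network():
    """Constructed topology: three leaf ISPs behind two transit routers behind
    R0, whose 100 Mbps link to the victim is the bottleneck. Addresses are from
    the documentation ranges."""
    victim, legit = "203.0.113.10", "198.51.100.5"
    r1a = Router("R1a", 200)
    r1a.local = [("192.0.2.10", victim, 60.0), ("192.0.2.11", legit, 10.0)]
    r1b = Router("R1b", 200)
    r1b.local = [("192.0.2.20", victim, 50.0)]
    r2a = Router("R2a", 200)
    r2a.local = [("192.0.2.30", victim, 40.0), ("192.0.2.31", legit, 5.0)]
    r1 = Router("R1", 200, [r1a, r1b])
    r2 = Router("R2", 200, [r2a])
    r0 = Router("R0", 100, [r1, r2])
    return r0, {r.name: r for r in (r0, r1, r2, r1a, r1b, r2a)}


if __name__ == "__main__":
    r0, routers = build_demo_network()
    print("offered at R0 before:", r0.forwarded())
    print("pushback decision:", detect_and_pushback(r0))
    print("offered at R0 after: ", r0.forwarded())
    for name, r in routers.items():
        print(f"  {name}: limits={r.limits}")
```

Running it, R0 sees 165 Mbps offered on a 100 Mbps link, caps the 203.0.113.0/24 aggregate at 85 Mbps so the 15 Mbps of unrelated traffic is untouched, and the cuts land at the leaf ISPs (R1a 34, R1b about 28.3, R2a about 22.7 Mbps). The caveat a practitioner should keep in mind is visible in the model too: any legitimate traffic to the victim's prefix sits in the same aggregate as the flood and is throttled with it; pushback moves the drops closer to the sources, it does not tell good packets from bad.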


dood (-1, Offtopic)

exspecto (513607) | more than 11 years ago | (#4541075)

I'm so 1337.

fp biatches

hey (0)

Anonymous Coward | more than 11 years ago | (#4541076)

even better idea!

shut off the computer if it's getting DoS'd

(FP?)

Re:hey (4, Informative)

autocracy (192714) | more than 11 years ago | (#4541104)

That's exactly what this would do. The DDOS'd routers tell their upstream routers to cut back the flow of traffic - basically cutting out the source of the traffic. This of course requires that the upstream routers agree to do this...

Re:hey (4, Informative)

autocracy (192714) | more than 11 years ago | (#4541113)

I'd like to withdraw/modify that statement. I read the top post too fast :)

It would shut off the source of the flood, not the destination as the original poster implied...

*BSD can drink my *pee (-1, Offtopic)

Anonymous Coward | more than 11 years ago | (#4541078)

Problem? (2, Insightful)

prichardson (603676) | more than 11 years ago | (#4541081)

Unfortunately the DDOS'ers will simply find a new way to flood a system. The best way to defend against this is to have a backup plan for when your servers get hosed.

Re:Problem? (3, Interesting)

thefalconer (569726) | more than 11 years ago | (#4541193)

Yes, but this would also stop most typical script kiddies. Those are the most malicious ones. Lack of maturity combined with lots of "god complex" tend to cause them to do far more damage than a typical hacker/DDoS'er. So if you shut them down or reverse DoS them, then they get a taste of their own medicine and you get to laugh while they're trying to figure out why their system just took a dive. :)

Re:Problem? (1)

prichardson (603676) | more than 11 years ago | (#4541320)

Ah yes, but I was thinking far enough into the future when this uninvented new attack is just as commonplace as the DDoS is now. I'm sure the DDoS was a truly godlike accomplishment in its day

Not a big problem (3)

Gerry Gleason (609985) | more than 11 years ago | (#4541313)

Yes, the typical arms race situation applies, but the defenders now have some good weapons at their disposal. If the methods that implement the quench feature are robust and hard to subvert, then it is just the server that needs to be updated. Many techniques could be used to identify the sources of the attacks, including some manual help from the system operators. Over time, the daemon could get very good at recognizing attacks based on heuristics, so changes to the flooding packets or patterns might not help get around the filtering.

Couldn't pushback be a DoS tool in itself? (5, Insightful)

Anonymous Coward | more than 11 years ago | (#4541085)

If pushback is subverted, couldn't it function like an inverse DOD tool?

Re:Couldn't pushback be a DoS tool in itself? (1)

keller (267973) | more than 11 years ago | (#4541449)

Department of Defense should use this?
Why? .K

*BSD is dying (-1, Troll)

Anonymous Coward | more than 11 years ago | (#4541086)

It is official; Netcraft now confirms: *BSD is dying

One more crippling bombshell hit the already beleaguered *BSD community when IDC confirmed that *BSD market share has dropped yet again, now down to less than a fraction of 1 percent of all servers. Coming on the heels of a recent Netcraft survey which plainly states that *BSD has lost more market share, this news serves to reinforce what we've known all along. *BSD is collapsing in complete disarray, as fittingly exemplified by failing dead last [samag.com] in the recent Sys Admin comprehensive networking test.

You don't need to be a Kreskin [amazingkreskin.com] to predict *BSD's future. The handwriting is on the wall: *BSD faces a bleak future. In fact there won't be any future at all for *BSD because *BSD is dying. Things are looking very bad for *BSD. As many of us are already aware, *BSD continues to lose market share. Red ink flows like a river of blood.

FreeBSD is the most endangered of them all, having lost 93% of its core developers. The sudden and unpleasant departures of long time FreeBSD developers Jordan Hubbard and Mike Smith only serve to underscore the point more clearly. There can no longer be any doubt: FreeBSD is dying.

Let's keep to the facts and look at the numbers.

OpenBSD leader Theo states that there are 7000 users of OpenBSD. How many users of NetBSD are there? Let's see. The number of OpenBSD versus NetBSD posts on Usenet is roughly in ratio of 5 to 1. Therefore there are about 7000/5 = 1400 NetBSD users. BSD/OS posts on Usenet are about half of the volume of NetBSD posts. Therefore there are about 700 users of BSD/OS. A recent article put FreeBSD at about 80 percent of the *BSD market. Therefore there are (7000+1400+700)*4 = 36400 FreeBSD users. This is consistent with the number of FreeBSD Usenet posts.

Due to the troubles of Walnut Creek, abysmal sales and so on, FreeBSD went out of business and was taken over by BSDI who sell another troubled OS. Now BSDI is also dead, its corpse turned over to yet another charnel house.

All major surveys show that *BSD has steadily declined in market share. *BSD is very sick and its long term survival prospects are very dim. If *BSD is to survive at all it will be among OS dilettante dabblers. *BSD continues to decay. Nothing short of a miracle could save it at this point in time. For all practical purposes, *BSD is dead.

Fact: *BSD is dying

Re:*BSD is dying (0)

Anonymous Coward | more than 11 years ago | (#4541089)

You could at least vary the numbers in this, so as to make it APPEAR to be a valid report, different from the one you swiped it from (which also was bullshit)

Re:*BSD is dying (-1, Offtopic)

exspecto (513607) | more than 11 years ago | (#4541093)

Hey, I haven't seen the "Stephen King dies" post in a while. Someone post it please. I love recurring posts like this one; they remind me that people have a sense of humor.

STEVEN KING IS DYING (-1)

Anonymous Coward | more than 11 years ago | (#4541150)

FreeBSD Gets 'Fast IPsec' Implementation | 49 comments
IP = Intellectual Property (Score:-1, Troll)
by Anonymous Coward on Tuesday October 22, @02:54PM (#4506343)
but with heavy borrowing

Wow, could the IP violations be any more blatant?

Who gives a fat fuck? *BSD is dying (Score:-1, Troll)
by Anonymous Coward on Tuesday October 22, @02:56PM (#4506374)

Re:Who gives a fat fuck? *BSD is dying (Score:-1, Troll)
by Palshife (mattNO@SPAMpalshife.net) on Tuesday October 22, @04:42PM (#4507387)
(User #60519 Info | http://www.palshife.net/)
And yet, I'm installing it tonight. How odd... It just doesnt make sense.

Re:Who gives a fat fuck? *BSD is dying (Score:-1, Flamebait)
by Anonymous Coward on Wednesday October 23, @12:28AM (#4510406)
you're gay

FreeS/WAN and Linux (Score:0, Offtopic)
by FattMattP on Tuesday October 22, @03:14PM (#4506587)
(User #86246 Info | http://www.openpatents.org/)
When the hell is FreeS/WAN [freeswan.org] going to be merged into Linux?

Re:FreeS/WAN and Linux (Score:0)
by Anonymous Coward on Tuesday October 22, @05:47PM (#4507984)
And this has what to do with the BSD section?

Moderators on crack.

Re:FreeS/WAN and Linux (Score:0)
by Anonymous Coward on Tuesday October 22, @07:06PM (#4508614)
And this has what to do with the BSD section?

Fuck all, but this is slashdot, and he mentioned linux in a post that could possibly be seen to vaguely relate to the topic in a tangential manner...

Moderators on crack.

Or on Linux. What were you expecting, here?


Re:FreeS/WAN and Linux (Score:0)
by Anonymous Coward on Tuesday October 22, @07:16PM (#4508673)
Or on Linux. What were you expecting, here?

proper punctuation, here.

Re:FreeS/WAN and Linux (Score:0)
by Anonymous Coward on Tuesday October 22, @07:26PM (#4508746)
proper punctuation, here.

Eh? Further elaboration, please. Were you complaining about it, or just making an observation?


Re:FreeS/WAN and Linux (Score:1, Offtopic)
by Secure42 on Tuesday October 22, @08:11PM (#4509104)
(User #527416 Info | http://www.freeswan.org/)
Probably not soon. I think they are avoiding adding it to the Linux kernel to avoid some problems with cryptographic restrictions in some countries. Anyway, most distributions include it in their kernels.

Re:FreeS/WAN and Linux (Score:1)
by FattMattP on Tuesday October 22, @10:02PM (#4509725)
(User #86246 Info | http://www.openpatents.org/)
Then maybe the Linux kernel needs to move outside of the US.

Re:FreeS/WAN and Linux (Score:0)
by Anonymous Coward on Thursday October 24, @07:36AM (#4520674)
FreeS/WAN will not come to vanilla Linux.
Various kernel hackers will make a new one based on the ipsec at the USAGI(ipv6) project.

Re:FreeS/WAN and Linux (Score:0, Offtopic)
by Anonymous Coward on Wednesday October 23, @09:08AM (#4511855)
According to recent posts on LKML, it's rather unlikely that FreeS/WAN will be merged. Much more likely, it will be something DaveM and Alexy? cook up, borrowing heavily from the USAGI IPV6 implementation. This may even include hooks for hardware acceleration.

FreeS/WAN's various 'tudes pretty much marginalized them, but, FWIW, at least one of the core team is supportive of the current effort.

The End of FreeBSD (Score:-1, Troll)
by Anonymous Coward on Tuesday October 22, @03:34PM (#4506780)
The End of FreeBSD
[ed. note: in the following text, former FreeBSD developer Mike Smith gives his reasons for abandoning FreeBSD]

When I stood for election to the FreeBSD core team nearly two years ago, many of you will recall that it was after a long series of debates during which I maintained that too much organisation, too many rules and too much formality would be a bad thing for the project.

Today, as I read the latest discussions on the future of the FreeBSD project, I see the same problem; a few new faces and many of the old going over the same tired arguments and suggesting variations on the same worthless schemes. Frankly I'm sick of it.

FreeBSD used to be fun. It used to be about doing things the right way. It used to be something that you could sink your teeth into when the mundane chores of programming for a living got you down. It was something cool and exciting; a way to spend your spare time on an endeavour you loved that was at the same time wholesome and worthwhile.

It's not anymore. It's about bylaws and committees and reports and milestones, telling others what to do and doing what you're told. It's about who can rant the longest or shout the loudest or mislead the most people into a bloc in order to legitimise doing what they think is best. Individuals notwithstanding, the project as a whole has lost track of where it's going, and has instead become obsessed with process and mechanics.

So I'm leaving core. I don't want to feel like I should be "doing something" about a project that has lost interest in having something done for it. I don't have the energy to fight what has clearly become a losing battle; I have a life to live and a job to keep, and I won't achieve any of the goals I personally consider worthwhile if I remain obligated to care for the project.

Discussion

I'm sure that I've offended some people already; I'm sure that by the time I'm done here, I'll have offended more. If you feel a need to play to the crowd in your replies rather than make a sincere effort to address the problems I'm discussing here, please do us the courtesy of playing your politics openly.

From a technical perspective, the project faces a set of challenges that significantly outstrips our ability to deliver. Some of the resources that we need to address these challenges are tied up in the fruitless metadiscussions that have raged since we made the mistake of electing officers. Others have left in disgust, or been driven out by the culture of abuse and distraction that has grown up since then. More may well remain available to recruitment, but while the project is busy infighting our chances for successful outreach are sorely diminished.

There's no simple solution to this. For the project to move forward, one or the other of the warring philosophies must win out; either the project returns to its laid-back roots and gets on with the work, or it transforms into a super-organised engineering project and executes a brilliant plan to deliver what, ultimately, we all know we want.

Whatever path is chosen, whatever balance is struck, the choosing and the striking are the important parts. The current indecision and endless conflict are incompatible with any sort of progress.

Trying to dissect the above is far beyond the scope of any parting shot, no matter how distended. All I can really ask of you all is to let go of the minutiae for a moment and take a look at the big picture. What is the ultimate goal here? How can we get there with as little overhead as possible? How would you like to be treated by your fellow travellers?

Shouts

To the Slashdot "BSD is dying" crowd - big deal. Death is part of the cycle; take a look at your soft, pallid bodies and consider that right this very moment, parts of you are dying. See? It's not so bad.

To the bulk of the FreeBSD committerbase and the developer community at large - keep your eyes on the real goals. It's when you get distracted by the politickers that they sideline you. The tireles


Re:The End of FreeBSD (Score:-1, Redundant)
by Palshife (mattNO@SPAMpalshife.net) on Tuesday October 22, @04:37PM (#4507350)
(User #60519 Info | http://www.palshife.net/)
I'm installing it tonight. Thanks for the insight.

Re:The End of FreeBSD (Score:0)
by Anonymous Coward on Thursday October 24, @01:27AM (#4519646)
Same here, great idea!

Thx to the original poster. If all goes well, I'll be switching a lot of Linux boxes to BSD.

No Further Details. (Score:-1, Flamebait)
by Anonymous Coward on Tuesday October 22, @04:31PM (#4507311)
I just heard the sad news on talk radio. Troubled OS FreeBSD was found dead in a hotel room in Modesto. There were no further details. Truly a big loss for OS dilettante-dabbler troll hobbyists the world over. I miss it already :-(

Stephen King, author, dead at 55 (-1, Offtopic)

Anonymous Coward | more than 11 years ago | (#4541167)

I just heard some sad news on talk radio - Horror/Sci Fi writer Stephen King was found dead in his Maine home this morning. There weren't any more details. I'm sure everyone in the Slashdot community will miss him - even if you didn't enjoy his work, there's no denying his contributions to popular culture. Truly an American icon.

Re:Stephen King, author, dead at 55 (1, Funny)

kryonD (163018) | more than 11 years ago | (#4541196)

I just heard some sad news on talk radio - An Anonymous Coward was found dead in his Maine home this morning. There weren't any more details, but authorities think he was hacked to death with a blunt spoon by author Stephen King. I'm sure everyone in the Slashdot community will be willing to provide an alibi for Stephen - even if you didn't enjoy his work, there's no denying his contributions to popular culture by killing this annoying f&#k. Truly a World icon.

Re:*BSD is dying (0, Offtopic)

Hektor_Troy (262592) | more than 11 years ago | (#4541109)

Due to the troubles of Walnut Creek, abysmal sales and so on,
FreeBSD went out of business and was taken over by BSDI who sell another troubled OS. Now BSDI is also dead, its corpse turned over to yet another charnel house.
Here's to hoping Microsoft picks up FreeBSD then.

Re:*BSD is dying (-1, Offtopic)

Anonymous Coward | more than 11 years ago | (#4541342)

Hmmmm, perhaps it's that the BSDs don't have hordes of people repackaging essentially the same thing and trying to turn it into a cash cow?
Get into the community before talking out of your ass. The IRC channels are strong, the usenet groups are strong, the mailing lists are strong, and yes, the changelog is still pumping.
All of your cute (and blatantly ripped off) "statistics" are bullshit. And do you actually think that even a majority of the users are regulars on the groups? *BSD isn't dying any more than Windows or Linux is. Get a life.

Dealing with the loss of FreeBSD (-1, Flamebait)

Anonymous Coward | more than 11 years ago | (#4541094)

Hey, although you might not be comfortable with the thought, most people agree that FreeBSD is dying. That is an honest assessment. You really can't argue with the truth, no matter how much the truth might hurt. Truth exists independent of your personal feelings. So suck it up, put your chin up and move on. The death of FreeBSD is not the end of the world. It certainly doesn't have to be the end of your world.

Manual RegEx? (1)

stevejsmith (614145) | more than 11 years ago | (#4541103)

If a large-enough site was getting DDoS'd (Yahoo!, Microsoft, universities, etc.), wouldn't there be someone on call 24/7 who could in a matter of minutes sort out what the similarities in the DDoS are and then manually get a RegEx to sort them all out?

I don't have much knowledge of the subject, but that seems like an easy way to deal with it.

Re:Manual RegEx? (3, Funny)

mocktor (536122) | more than 11 years ago | (#4541124)

Nice idea, but regexes have waaaay too high an overhead to filter the amount of traffic even a small DDoS produces - you'd need some kind of omnipotent distributed uberBeowulf cluster (or a million monkeys watching a zillion blinkenlights)

Re:Manual RegEx? (5, Insightful)

Bill Wong (583178) | more than 11 years ago | (#4541141)

DDoS is usually bandwidth consumption...
Even if you drop 100% of the evil packets...
Your pipe is still filled...

And for the amount of traffic needed to actually DDoS a large-enough site like Yahoo (4 gbps last time around?), RegExs wouldn't be helpful
since the sheer amount of CPU required to process *every*single*packet*that*passes*through* is way too much...

Re:Manual RegEx? (1)

Mark (ph'x) (619499) | more than 11 years ago | (#4541400)

Yes, however, if you do propagate the quench packets back towards the source, the idea is that it's no longer your pipe that's being filled. This technique seems pretty good actually... imagining a large number of skript kidz filling up my pipe (dodgy image there ;) but I digress)... by 'quenching' each one of these at their ISP's router it means my pipe is empty, theirs is full and all they have succeeded in doing is DoSing themselves :D

God Bless AT&T Research! (-1, Troll)

Anonymous Coward | more than 11 years ago | (#4541106)

SYSTEM V ON YOUR ASS FOO'!

Hard Times for *BSD (-1, Troll)

Anonymous Coward | more than 11 years ago | (#4541107)

So why now? Why did *BSD fail? Once you get past the fact that *BSD is fragmented between a myriad of incompatible kernels, there is the historical record of failure and of failed operating systems. *BSD experienced moderate success about 15 years ago in academic circles. Since then it has been in steady decline. We all know *BSD keeps losing market share but why? Is it the problematic personalities of many of the key players? Or is it larger than their troubled personalities?

The record is clear on one thing: no operating system has ever come back from the grave. Efforts to resuscitate *BSD are one step away from spiritualists wishing to communicate with the dead. As the situation grows more desperate for the adherents of this doomed OS, the sorrow takes hold. An unremitting gloom hangs like a death shroud over a once hopeful *BSD community. The hope is gone; a mournful nostalgia has settled in. Now is the end time for *BSD.

Re:Hard Times for *BSD (0, Offtopic)

Luke-Jr (574047) | more than 11 years ago | (#4541339)

"no operating system has ever come back from the grave"
I wasn't aware of that, but that's a good thing to hear. That means Windoze won't come back from the grave either. It died nearly a year ago. :)

sure (1, Insightful)

bicho (144895) | more than 11 years ago | (#4541120)

The best defense is the attack, so if they saturate your A/B/C network, then saturating the Internet is the obvious right solution.

Of course it's not; it would do much more harm to many more innocent people.

The right solution is to educate people so that their PCs don't get infected with worms and the like, so they don't unknowingly contribute to DDOS.

Of course, the right way is almost always the hard way, and most people don't want to care about ignorant people, so... we're in a vicious cycle here, just as in anything else.

Re:sure (4, Insightful)

garcia (6573) | more than 11 years ago | (#4541160)

Educate people who are getting infected? Come on. You're not serious...

These people think that when they install virus scan software [slashdot.org] they are safe. I recently re-installed Windows on my gf's computer. She had V-Shield on there from 1999. She had no idea that she would need to update it.

At least my roommate, my parents, and my gf know (from me) not to open attachments. But educate a WIDE group of people? That's just not going to happen and you know it.

Re:sure (2)

jonbrewer (11894) | more than 11 years ago | (#4541177)

She had V-Shield on there from 1999. She had no idea that she would need to update it.

Newer products do solve this problem without customer education. My McAfee VirusScan checks for updates daily and generally downloads new definitions once or twice a week. I don't have to take the initiative to update it or buy new software.

A Slashdotter has a girlfriend!??! (0)

Anonymous Coward | more than 11 years ago | (#4541287)

Wow, more newsworthy than Tablet PC!

Re:A Slashdotter has a girlfriend!??! (0)

Anonymous Coward | more than 11 years ago | (#4541331)

only problem is, she has teh ugly

Re:sure (1, Funny)

Rhinobird (151521) | more than 11 years ago | (#4541435)

how come your grandfather(gf) is a girl?

Re:sure (5, Insightful)

Anonymous Coward | more than 11 years ago | (#4541179)

That has to be one of the least constructive, head-in-the-sand arguments I've ever read. Did you read the article?

The technique is about making the internet move the point of dropping the flood packets, BACK closer to the source. That is, remove the flood from the internet itself, and contain it into the localised areas.

Instead of expecting the impossible as you suggest, (which is joe-average running a secure system), finally someone is thinking about securing the internet in general from unsecured systems, which is a pragmatic approach which may well protect the internet in general from many unforeseen DDOS attacks, as well as the ones we know about.

Re:sure (2, Insightful)

Anonymous Coward | more than 11 years ago | (#4541423)

So what kind of authentication is taking place between routers and the pushback daemon? Why couldn't I just create a denial of service by claiming that someone is denying me, therefore causing them to get shut down?

Re:sure (4, Informative)

Shishak (12540) | more than 11 years ago | (#4541185)

Not exactly...

If every network provider ran this type of system on their edge routers, and had all the edge routers communicate with distributed servers, then when you are being attacked you simply announce the offending IPs involved in the attack. That announcement gets propagated around all the servers, which tell the edge devices to filter the traffic. It isn't a reverse flood. It is a way of telling the router closest to the source to start dropping packets.

Forged source IPs should be dropped at the edge already.

What we need is a protocol for sending dynamic filters to Cisco routers. I would like to have input/output lists put on an interface that I can later build dynamically. I do it now with my Linux firewalls, but it would be nice if I could drop the packets on the far side of my expensive link.

Re:sure (4, Insightful)

Doug Neal (195160) | more than 11 years ago | (#4541188)

How is this design proposing to saturate the Internet?

It involves sending a short message back to the routers that are routing the packets to you asking them to "quench" - i.e. filter out and don't route - the offending upstream sources.

The message could propagate as far back as the individual ISPs from which the packets are originating, so that each participant in the attack is cut off.

At least that's what I'm getting from the summary of the story, I could be completely wrong.

Re:sure (3, Insightful)

irc.goatse.cx troll (593289) | more than 11 years ago | (#4541324)

Not all denial of service is saturation.
What happens when I spoof that you just DoSed your favorite website? You get cut off from it, and denied service.

Although as far as taking advantage of this sort of thing goes, I'd much rather be able to use an ICMP Redirect to make a DoSnet packet its owner.
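The question raised in #4541423 (what authenticates a pushback request?) and in the comment above (spoof a request and get someone cut off) is the one a practitioner would want answered before honouring quench messages. Added example in Python, not from the Pushback paper or its FreeBSD implementation (the story does not say how, or whether, the paper authenticates its messages, so the scheme below is an assumption, not a description of theirs): each pair of neighbouring routers shares a key, a request carries an HMAC over its fields plus an expiry and a nonce, and the upstream router additionally refuses requests for any prefix that does not actually route through the requesting neighbour. The router names, key, prefixes and message layout are constructed for the demonstration.

```python
import hashlib
import hmac
import json
import os


def canonical(msg):
    """Deterministic encoding of every field except the tag itself."""
    body = {k: v for k, v in msg.items() if k != "tag"}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def sign_request(key, sender, aggregate, limit_mbps, expires, nonce=None):
    """Build a pushback request as the downstream router `sender` would emit it:
    'limit traffic to `aggregate` to `limit_mbps` until `expires`'."""
    msg = {
        "sender": sender,
        "aggregate": aggregate,
        "limit_mbps": limit_mbps,
        "expires": expires,
        "nonce": nonce if nonce is not None else os.urandom(8).hex(),
    }
    msg["tag"] = hmac.new(key, canonical(msg), hashlib.sha256).hexdigest()
    return msg


class PushbackVerifier:
    """What an upstream router checks before honouring a request."""

    def __init__(self, neighbor_keys, routes_via):
        self.keys = neighbor_keys      # neighbour name -> key shared over that link
        self.routes_via = routes_via   # neighbour name -> prefixes we reach through it
        self.seen = set()              # (sender, nonce) pairs already accepted

    def verify(self, msg, now):
        key = self.keys.get(msg.get("sender"))
        if key is None:
            return False, "unknown-neighbor"
        expected = hmac.new(key, canonical(msg), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, str(msg.get("tag", ""))):
            return False, "bad-tag"
        if msg["expires"] <= now:
            return False, "expired"
        # Only the neighbour that actually carries our traffic toward the
        # aggregate may ask us to throttle it; anyone else claiming "X is
        # DoSing me" is refused even when the tag is valid.
        if msg["aggregate"] not in self.routes_via.get(msg["sender"], set()):
            return False, "not-downstream-for-aggregate"
        token = (msg["sender"], msg["nonce"])
        if token in self.seen:
            return False, "replay"
        self.seen.add(token)
        return True, "accepted"


def demo(now=1_700_000_000.0):
    """Constructed scenario: upstream R1 shares a key with downstream R0, and
    203.0.113.0/24 is reached through R0. Returns the verdict for each message."""
    key_r0 = b"constructed-demo-key-for-link-R0-R1"
    verifier = PushbackVerifier({"R0": key_r0}, {"R0": {"203.0.113.0/24"}})
    genuine = sign_request(key_r0, "R0", "203.0.113.0/24", 62.3, now + 30, nonce="n1")
    forged = sign_request(b"attacker-guess", "R0", "198.51.100.0/24", 0.0, now + 30, nonce="n2")
    wrong_prefix = sign_request(key_r0, "R0", "198.51.100.0/24", 0.0, now + 30, nonce="n3")
    stale = sign_request(key_r0, "R0", "203.0.113.0/24", 62.3, now - 1, nonce="n4")
    tampered = dict(genuine, limit_mbps=0.0)
    return {
        "genuine": verifier.verify(genuine, now),
        "forged": verifier.verify(forged, now),
        "wrong_prefix": verifier.verify(wrong_prefix, now),
        "stale": verifier.verify(stale, now),
        "tampered": verifier.verify(tampered, now),
        "replayed": verifier.verify(genuine, now),
        "unknown": verifier.verify(dict(genuine, sender="Rx"), now),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:13s} -> {verdict}")
```

The routing check is the part that answers the spoofing question: even a neighbour holding a valid key can only throttle prefixes it is the next hop for, so a host cannot get a third party cut off by claiming to be its victim. Expiry keeps a limit from outliving the attack if the revocation message is lost, and the nonce set would need pruning by expiry time in a long-running router.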

Re:sure (2)

LinuxGeek8 (184023) | more than 11 years ago | (#4541688)

If the router of your ISP would drop every packet that doesn't come from your IP address, I should be safe.
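Shishak's design (#4541185: announce the offending IPs, have distributed servers push filters to the edge devices, and drop forged sources at the edge already) and the comment above both come down to what the customer-facing edge router does with each arriving packet. Added example in Python, not from the paper, the FreeBSD implementation, or any vendor's filter language: an edge router with a per-interface source-address (anti-spoofing) check, a dynamic block list, and a distributor that installs a /32 filter on whichever edge originates an announced offender. Interface names, prefixes (documentation ranges), packets and the victim's announcement are all constructed.

```python
import ipaddress
from collections import Counter


class EdgeRouter:
    """Customer-facing edge router: ingress anti-spoofing filter per interface,
    plus a dynamic block list fed by the coordination service."""

    def __init__(self, name, interfaces):
        self.name = name
        # interface -> prefixes that may legitimately appear as *source* on it
        self.allowed = {ifc: [ipaddress.ip_network(p) for p in prefixes]
                        for ifc, prefixes in interfaces.items()}
        self.blocked = []          # dynamically installed filters (networks)
        self.counters = Counter()

    def install_filter(self, prefix):
        net = ipaddress.ip_network(prefix)
        if net not in self.blocked:
            self.blocked.append(net)

    def expire_filter(self, prefix):
        net = ipaddress.ip_network(prefix)
        self.blocked = [b for b in self.blocked if b != net]

    def ingress(self, ifc, src, dst):
        """Decide what happens to a packet arriving on `ifc`; returns the verdict."""
        src_ip = ipaddress.ip_address(src)
        if not any(src_ip in net for net in self.allowed.get(ifc, [])):
            self.counters["drop:spoofed-source"] += 1
            return "drop:spoofed-source"
        if any(src_ip in net for net in self.blocked):
            self.counters["drop:dynamic-filter"] += 1
            return "drop:dynamic-filter"
        self.counters["forward"] += 1
        return "forward"


class FilterDistributor:
    """The distributed server in the comment: takes a victim's announcement and
    pushes a filter to every participating edge that originates the offender."""

    def __init__(self, edges):
        self.edges = edges

    def announce(self, victim, offenders):
        installed = []
        for off in offenders:
            off_ip = ipaddress.ip_address(off)
            for edge in self.edges:
                for ifc, nets in edge.allowed.items():
                    if any(off_ip in n for n in nets):
                        edge.install_filter(f"{off}/32")
                        installed.append((edge.name, ifc, off))
        return installed


def demo():
    """Constructed scenario with documentation addresses."""
    edge_a = EdgeRouter("edgeA", {"cust1": ["192.0.2.0/25"], "cust2": ["192.0.2.128/25"]})
    edge_b = EdgeRouter("edgeB", {"cust3": ["198.51.100.0/24"]})
    victim = "203.0.113.10"
    packets = [  # (edge, interface, src, dst)
        (edge_a, "cust1", "192.0.2.10", victim),    # attacker using its real address
        (edge_a, "cust1", "10.0.0.1", victim),      # spoofed source, not cust1's prefix
        (edge_a, "cust2", "192.0.2.10", victim),    # cust1's address arriving on cust2's port
        (edge_b, "cust3", "198.51.100.7", victim),  # legitimate user elsewhere
    ]
    before = [e.ingress(i, s, d) for e, i, s, d in packets]
    pushed = FilterDistributor([edge_a, edge_b]).announce(victim, ["192.0.2.10"])
    after = [e.ingress(i, s, d) for e, i, s, d in packets]
    return {"before": before, "after": after, "pushed": pushed,
            "counters": {e.name: dict(e.counters) for e in (edge_a, edge_b)}}


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Two things the run makes visible. First, the anti-spoofing check already stops the two forged packets before any announcement exists, which is why the announced list can be short and specific: with source filtering in place, the addresses the victim sees are the addresses to block. Second, the announcement is only as trustworthy as the victim's claim, and an installed /32 filter that never expires is a denial of service in its own right, so a real deployment needs both the authentication question raised earlier in the thread and a lifetime on every filter (expire_filter above is the hook for that).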

"from the build-a-better-asshole-trap dept." (-1, Offtopic)

Anonymous Coward | more than 11 years ago | (#4541121)

Here's a better asshole trap [goatse.cx].

Not on linux yet? (-1, Flamebait)

Anonymous Coward | more than 11 years ago | (#4541127)

They didn't implement with linux because linux is the operating system for stupid wannabes.

100 (-1, Redundant)

Anonymous Coward | more than 11 years ago | (#4541128)


Who gives a fat fuck? *BSD is dying (Score:-1, Troll)
by Anonymous Coward on Tuesday October 22, @02:56PM (#4506374)
It is official; Netcraft now confirms: *BSD is dying

One more crippling bombshell hit the already beleaguered *BSD community when IDC confirmed that *BSD market share has dropped yet again, now down to less than a fraction of 1 percent of all servers. Coming on the heels of a recent Netcraft survey which plainly states that *BSD has lost more market share, this news serves to reinforce what we've known all along. *BSD is collapsing in complete disarray, as fittingly exemplified by failing dead last [samag.com] in the recent Sys Admin comprehensive networking test.

You don't need to be a Kreskin [amazingkreskin.com] to predict *BSD's future. The hand writing is on the wall: *BSD faces a bleak future. In fact there won't be any future at all for *BSD because *BSD is dying. Things are looking very bad for *BSD. As many of us are already aware, *BSD continues to lose market share. Red ink flows like a river of blood.

FreeBSD is the most endangered of them all, having lost 93% of its core developers. The sudden and unpleasant departures of long time FreeBSD developers Jordan Hubbard and Mike Smith only serve to underscore the point more clearly. There can no longer be any doubt: FreeBSD is dying.

Let's keep to the facts and look at the numbers.

OpenBSD leader Theo states that there are 7000 users of OpenBSD. How many users of NetBSD are there? Let's see. The number of OpenBSD versus NetBSD posts on Usenet is roughly in ratio of 5 to 1. Therefore there are about 7000/5 = 1400 NetBSD users. BSD/OS posts on Usenet are about half of the volume of NetBSD posts. Therefore there are about 700 users of BSD/OS. A recent article put FreeBSD at about 80 percent of the *BSD market. Therefore there are (7000+1400+700)*4 = 36400 FreeBSD users. This is consistent with the number of FreeBSD Usenet posts.

Due to the troubles of Walnut Creek, abysmal sales and so on, FreeBSD went out of business and was taken over by BSDI who sell another troubled OS. Now BSDI is also dead, its corpse turned over to yet another charnel house.

All major surveys show that *BSD has steadily declined in market share. *BSD is very sick and its long term survival prospects are very dim. If *BSD is to survive at all it will be among OS dilettante dabblers. *BSD continues to decay. Nothing short of a miracle could save it at this point in time. For all practical purposes, *BSD is dead.

Fact: *BSD is dying

in case the comments are slashdotted: (-1)

Anonymous Coward | more than 11 years ago | (#4541135)


New business-model? (-1, Troll)

Anonymous Coward | more than 11 years ago | (#4541138)

1: Write free software.
2: ?
3: Pushback packets.
4: Profit!

Re:New business-model? (0)

Anonymous Coward | more than 11 years ago | (#4541526)

Underpants is where it's at

My take (5, Interesting)

bobetov (448774) | more than 11 years ago | (#4541144)

Sounds like a pretty v1.0 idea at this stage, but I'm psyched people are spending brain cycles working on DDoS and flash-flood solutions, since they're both problems that are only going to get worse.

(Gotta love the Slashdot effect getting named explicitly, eh? Nice to be part of the problem for a change... hehe.)

Seems to me the tricky part here is defining the aggregates. After reading the article, it isn't *really* a way to save your site from going down due to overload, more a way to prevent others sharing your pipe/routers from going down with you. ;-)

Which is a good goal in itself. It seems like a real tough thing to determine which of the millions of hits to www.yahoo.com (for ex.) are valid users, and which are DDoS bots. So both get restricted (net result: bots win), but the guy in the cage next to yahoo stays up.

Re:My take (5, Interesting)

Subcarrier (262294) | more than 11 years ago | (#4541245)

Sounds like a pretty v1.0 idea at this stage

I have to agree. They leave a lot of issues for further study. One big problem seems to be that gigabit backbone routers don't really have time to do any of this stuff. It's not much use if the backplane packet rate drops to one quarter because of having to detect and deal with flow aggregates.

Re:My take (4, Informative)

Cato (8296) | more than 11 years ago | (#4541622)

That's not true of all such routers - as long as the number of aggregates to be filtered is fairly low, it shouldn't have too much impact. Most of the filtering should be on the routers at the edge of a given provider's network, which have less work to do than the true core routers - this is similar to the DiffServ QoS model except that the core routers don't need to do anything at all, since traffic is limited on the edges.

Juniper routers do this sort of filtering and policing in hardware, and can also generate traffic stats efficiently. Other vendors have similar features - Cisco 7500 routers can have multiple VIP processors, distributing the work down to the interface cards.

The main constraint is that you need new software written, installed and debugged in these routers, which will take time and require an agreed standard across router vendors. In the short term, it's easier to use existing features such as NetFlow/cflowd for traffic stats, feeding into an existing DDoS analysis tool (e.g. the Arbor Networks ones), which then tells a router provisioning tool to reconfigure the routers. This would not be as slick or dynamic as the proposed scheme, but could be done today. It would also make it possible to have a human in the loop initially, reviewing suggested changes. This would work OK as long as management and routing traffic are assigned a separate queue on each router interface, guaranteeing enough bandwidth to make these changes in the face of a DDoS attack (something that the ACC approach would also need).

Re:My take (2)

Subcarrier (262294) | more than 11 years ago | (#4541759)

If the hardware limits the number of aggregates that a core router can handle, it's fairly easy for an attacker to saturate the hardware.

Pushing the filtering all the way back to the edge nodes of the source networks may also be difficult, as detecting the aggregates is probably a lot easier than detecting individual malicious sources (you would like to leave the legitimate sources unblocked). Ultimately this would be the way to go, though. Applying ingress filtering universally to combat source address spoofing would be a good start.

Re:My take (0)

Anonymous Coward | more than 11 years ago | (#4541498)

Too bad the slashdot effect didn't have a reference to wtf it is.

Kind of odd, in a technical paper, using a term without defining what it is/where it came from.

not all DDoS attacks.. (5, Insightful)

Anonymous Coward | more than 11 years ago | (#4541163)

Not all DDoS attacks are bandwidth based, they could be application level and targeted at all sorts of other resources.

Some examples:

SYN floods can exhaust incoming connection queues.

DNS floods (asking a recursive nameserver a million questions, or even asking an authoritative nameserver a million questions).

Too many HTTP requests to processor intensive dynamic content pages could deny service well before you are serving at your bw limit.

The paper kept referring to the aggregate detection algorithm only coming into effect when the bandwidth limit is being exceeded .. it would be nice if these actions could be initiated in other situations also.

Nevertheless, this is a promising initiative.

--Iain

Re:not all DDoS attacks.. (1)

Shishak (12540) | more than 11 years ago | (#4541203)

Well, if we can build a secure way of notifying the source network providers of an offending IP, then have that network provider block that IP from sending on the Internet, we can then set up our servers to tell us when they are being attacked/flooded/poked at. Our server or IDS can then notify our distributed attack manager, which can notify the source network's attack manager, which can notify the edge router to drop packets.

It isn't all that complicated; it is a major pain to get every network admin and small ISP to implement something.

The simple act of filtering all outbound packets to only allow your netblock would stop forged IP attacks cold.

Re:not all DDoS attacks.. (2)

whereiswaldo (459052) | more than 11 years ago | (#4541765)

Well, If we can build a secure way of notifying the source network providers of an offending IP. Then have that network provider block that IP from sending on the Internet.

Wonderful. Then later we can expand the system to block at will anyone who says something we don't want to hear. We could even hook it into Microsoft Passport! It will be easy to silence people.

You're talking about DoS attacks (2, Insightful)

Subcarrier (262294) | more than 11 years ago | (#4541319)

You don't generally need all that many machines to do SYN flooding or overload a DNS server.

DDoS attacks are brute force by nature, designed to take down sections of the network by saturating the links.

Re:not all DDoS attacks.. (2, Interesting)

smallfries (601545) | more than 11 years ago | (#4541442)

These tend to all follow the pattern that you are exhausting the cpu of the target rather than its network pipe. Newer network protocols already have protection for this by making it more expensive for the client initiating the connection rather than the server receiving it. SCTP has this in place already with a crypto-based cookie puzzle to prevent SYN bombs (similar approach would work for dns too). The other question is when (or rather if) newer protocols like these will eventually replace TCP with all of its inherent problems or if the inertia (but everybody knows TCP...) of the current protocols will kill them off first.

Re:not all DDoS attacks.. (2)

digitalsushi (137809) | more than 11 years ago | (#4541462)

Dont forget calling your ISP's fax machine with a roll of black paper taped into a loop. We sent a kid out to a "grocery store" that day- we had no idea what was for lunch.

"quench" ? (2, Informative)

Bowie J. Poag (16898) | more than 11 years ago | (#4541172)



Sounds like the name of a sports drink targeted at uh....interior decorators.

Shouldn't it be "squelch" ?

Cheers,

Re:"quench" ? (2)

cheese_wallet (88279) | more than 11 years ago | (#4541181)

One quenches a fire, so it's not that far off base. I do like squelch, although it makes me think of grape juice.

Re:"quench" ? (2)

adb (31105) | more than 11 years ago | (#4541217)

But you probably don't want to quench a flood...

Re:"quench" ? (1)

smallfries (601545) | more than 11 years ago | (#4541457)

you also quench a thirst - although normally with some kind of flood ...

Pushback and You: A Trrrrrrrrrriple T Info Post (-1, Troll)

The Trolling Troller (579075) | more than 11 years ago | (#4541175)

Push Back Features

XL Push-back pallet racking

  • Push-back racking allows pallets of varying types and sizes to be stored together, two, three or even four deep, with quick and easy access.
  • Pallets are loaded in sequence onto wheeled carriers or cradles of varying heights, which are 'pushed-back' on inclined steel channels to utilise the full depth of the racking. As pallets are retrieved, those remaining roll forward into position at the picking face.
  • This live storage system saves time, because trucks do not have to enter the racking for storage and retrieval, and also space as floor area for only one loading or picking face is required.
  • Push-back is suitable for all types of pallet load, including in some cases inferior quality pallets, and is particularly suited to operations where space utilisation is paramount - in cold stores, for example.


Pushback Tow Tractor JG-75/100 Low Profile

The low-profile design on this aircraft pushback tug was originally designed for use on aircraft carriers. These tugs can now be seen throughout the world in corporate hangars for use with many of today's bizjets [klerck.org] .
  • Draw Bar Pull: 7500 to 10000lbs., Holland 400 Front & Rear
  • Engine: Gasoline Ford 300 or Chrysler Flathead Ind 32, 6 Cyl.
  • Transmission: Ford/Borg Warner FMX or Chrysler/727A
  • Axles: Rockwell Standard #FAE-952-N-X2 Front Rockwell Standard, Planetary Drive #TA-268-FSH-X-17
  • Steering: Sheppard/Saginaw Hydraulic Power-Assist
  • Brakes: Power Rear Wheel Brakes
  • Parking Brake: Mechanical
  • Body: Northwestern Tractor, Welded Construction
  • Length: 123.5" (Excluding Hitch)
  • Width: 66"
  • Height: 45"
  • Weight: 10,000 lbs
  • Tires: 6.00x9 Front/ 7.50x16 Rear
  • Condition: Refurbished Lead Time: 4-6 Weeks




Pushback

When a player with Frenzy blocks a player with Stand Firm, a pushback result forces another block attempt just as if the Stand Firm player had moved.

see also: Frenzy Stand Firm

A player with Side Step may move into any adjacent square when he is pushed back. However, he must choose an empty square over an occupied square. If there are no empty squares, he must choose out of bounds over an occupied square. If all adjacent squares are occupied, he may choose to move into any occupied square (pushing the current occupant) that is adjacent except the square of the player who pushed him.

see also: Side Step

When a player with Horns and Frenzy is blitzing, in order to get the +1 ST bonus from horns, the blizter must move a square for each hit. (He would lose his horns bonus after the first hit against a Stand Firm player.)

see also: Horns Frenzy Blitz Stand Firm

A dice roll result of PUSHBACK (or PUSHBACK/POW with Dodge) counts as a Pushback result even though the player doesn't move. So, skills like Strip Ball and Frenzy will work against a Stand Firm player, and if hit by a Diving Tackler, a Pushback result ends the Stand Firm player's action.

see also: Stand Firm Strip Ball Frenzy Diving Tackle

A player who is pushed back into a square in which the football is lying, does NOT get to attempt to pick it up. The ball scatters.

see also: Pick Ups

When choosing the square that a player is pushed into, Empty squares must be chosen over occupied squares or out of bounds. Out of Bounds must be chosen over an occupied square. A square containing a non-Stand Firm player must be chosen over a square containing a Stand Firm player.

see also: Stand Firm

When one player is pushed into another player, the coach of the player who made the block should choose where that third player is pushed following the normal rules for choosing push back location. If this results in a player being pushed out of bounds and injured, the original blocker shall receive 2 SPP's for the Casualty IF it was an opponent.

You may be pushed out of the Tentacle TZ without rolling to escape the tentacles.

see also: Tentacles

Question.... (3, Insightful)

jwilcox154 (469038) | more than 11 years ago | (#4541182)

How does it prevent a Server from being Slashdotted?

Re:Question.... (2, Interesting)

Big Mark (575945) | more than 11 years ago | (#4541210)

Pushback will ensure that when the /. effect happens, the server isn't overloaded, by dropping connections en route to the server rather than at the server itself.

I wonder what impact the pushback overhead will have when a server gets slashdotted, though. What if the pushback message gets dropped due to swamped routers?

" The Slashdot effect " w00t as quoted as within (0)

sh2kwave (310977) | more than 11 years ago | (#4541191)

stated in the paper "The Slashdot effect" often leads to flash crowds.

I think that deserves some props to the boys running slashdot since they got themselves noted in the paper.

As well as some credit to everyone that reads the pages :)./

This is worse (4, Insightful)

greenrom (576281) | more than 11 years ago | (#4541192)

What the paper suggests is that if a router is getting way too many packets to a specific destination address, it will tell the routers upstream to throttle packets to that destination address (drop a certain percentage of them).

How does this really help a DOS attack? The idea behind a DOS attack is to flood a server with so many packets that the server can't keep up and ends up dropping most of the packets. This paper does not provide a solution to this problem. It simply shifts where the packets are being dropped... at a router upstream instead of at the server or router at the edge of the network. The only advantage here is that other servers hanging off the router that aren't being DOSed will be unaffected.

The suggested solution also opens up a potential security hole. If you gained access to a server, it might be possible to send a packet to routers upstream and tell them to throttle bandwidth. This could be a much more efficient way of doing a DOS attack. Now instead of multiple machines on fast connections, all you really need to DOS your favorite website is a 268 and a 300 baud modem.

Re:This is worse (3, Insightful)

Anonymous Coward | more than 11 years ago | (#4541271)

If you read the post it is clearly pointed out that the objective is to prevent the DoS from affecting other services carried on the same network link.

There is no clear way to differentiate some forms of DDoS attacks from legitimate traffic or a traffic spike, so you have to concede that the attacker has won that battle and interrupted their targeted service; the next step needs to be harm minimisation.

The pushback idea provides a generic method for notifying/instructing upstream carriers to drop a certain aggregate traffic flow and notify the destination of what effect that limiting is having, so they can determine when to resume normal operation.

In the mean time though, you have prevented a DDoS that may be targeted at a single machine from affecting the entire network.

--Iain

Re:This is worse (2, Insightful)

dubious9 (580994) | more than 11 years ago | (#4541354)

If you root a webserver chances are that you want people to see the changes that you make to it. Once you have control of the machine you can do much worse things than DOS it.

Besides it is much harder to break into a well protected machine, than to break into a couple of thousand nearly unprotected ones.

Re:This is worse (4, Interesting)

Anonymous Coward | more than 11 years ago | (#4541474)

No, it throttles packets based on whatever is common to a majority of the packets. So, if a website suddenly gets a huge number of requests for /index.html, it can throttle those and let requests for another page through unhindered. If a web server gets a huge number of identically formed packets, it can throttle those and let differently formed packets through unhindered.

You are correct when you say it shifts the site where the packets are dropped. However, you miss the whole point. The site's router determines a pattern common to an attack, and tells the routers upstream the pattern. Those routers tell their upstream routers the pattern, etc. Alone, the site's router might be overloaded. The routers two levels upstream might all be just about overloaded, but still able to let through all non-attacking traffic. If these routers all begin throttling, the site's router will no longer be overloaded. All non-attacking packets will be let through unhindered. All attacking packets will be throttled severely. If the attack picks up and the second-level-upstream routers can't handle it, they will push back to the third-level-upstream routers, etc.

At least, that's how I understood it.
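The mechanism discussed in this thread, as an added toy model written for this page (not the paper's FreeBSD implementation or pushbackd): the congested router identifies the heaviest destination prefix as the aggregate, computes a rate limit that leaves room for everything else, splits it max-min fairly among the upstream neighbours carrying that aggregate, and each upstream throttles only that aggregate. The /24 granularity, the 90% utilisation target and all traffic figures are assumptions constructed for the example.

```python
"""Toy model of pushback (aggregate-based congestion control), added for this page.

Counts are packets per tick.  traffic is {upstream_name: {dst_ip: packets}}.
"""
from collections import Counter
from ipaddress import ip_address, ip_network

PREFIXLEN = 24        # assumed granularity at which aggregates are identified
TARGET_UTIL = 0.9     # assumed goal: 90% of link capacity once limits apply


def prefix_of(dst):
    """Map a destination address to its /PREFIXLEN aggregate."""
    return ip_network(f"{ip_address(dst)}/{PREFIXLEN}", strict=False)


def find_aggregate(traffic, capacity):
    """Return the heaviest destination prefix if the link is overloaded, else None.

    The real scheme samples the packets it *drops*; with uniform drops the
    heaviest prefix over all arrivals is the same thing.
    """
    per_prefix = Counter()
    for counts in traffic.values():
        for dst, n in counts.items():
            per_prefix[prefix_of(dst)] += n
    if sum(per_prefix.values()) <= capacity:
        return None
    return per_prefix.most_common(1)[0][0]


def rate_limit(traffic, aggregate, capacity):
    """Packets/tick the aggregate may keep so the link settles at TARGET_UTIL."""
    other = sum(n for counts in traffic.values()
                for dst, n in counts.items() if prefix_of(dst) != aggregate)
    return max(0, int(capacity * TARGET_UTIL) - other)


def max_min_shares(demands, limit):
    """Split `limit` max-min fairly: small senders keep all they send, the
    big ones share what is left equally."""
    shares, remaining = {}, limit
    pending = sorted(demands.items(), key=lambda kv: kv[1])
    for i, (name, demand) in enumerate(pending):
        share = min(demand, remaining // (len(pending) - i))
        shares[name] = share
        remaining -= share
    return shares


def throttle(counts, aggregate, limit):
    """Upstream side: drop aggregate packets beyond `limit`, pass all others."""
    agg_total = sum(n for dst, n in counts.items() if prefix_of(dst) == aggregate)
    forwarded, dropped = Counter(), 0
    for dst, n in counts.items():
        if prefix_of(dst) == aggregate and agg_total > limit:
            keep = n * limit // agg_total        # proportional share, rounded down
            dropped += n - keep
            forwarded[dst] = keep
        else:
            forwarded[dst] = n
    return forwarded, dropped


def pushback(traffic, capacity):
    """Congested-router side: returns (aggregate, {upstream: its rate limit})."""
    aggregate = find_aggregate(traffic, capacity)
    if aggregate is None:
        return None, {}
    limit = rate_limit(traffic, aggregate, capacity)
    demands = {up: sum(n for dst, n in counts.items() if prefix_of(dst) == aggregate)
               for up, counts in traffic.items()}
    demands = {up: d for up, d in demands.items() if d > 0}   # contributors only
    # A deployment must authenticate these messages: a forged pushback message
    # would let anyone throttle a victim's traffic upstream (greenrom's point).
    return aggregate, max_min_shares(demands, limit)


def simulate_round(traffic, capacity):
    """One pushback round; returns (aggregate, limits, arrivals_after, drops)."""
    aggregate, limits = pushback(traffic, capacity)
    arrivals, dropped = Counter(), {}
    for up, counts in traffic.items():
        if up in limits:
            fwd, dropped[up] = throttle(counts, aggregate, limits[up])
        else:
            fwd, dropped[up] = Counter(counts), 0
        arrivals.update(fwd)
    return aggregate, limits, arrivals, dropped


# Constructed traffic: packets per tick arriving from three upstream neighbours.
SAMPLE_TRAFFIC = {
    "A": {"192.0.2.10": 100, "198.51.100.5": 5},
    "B": {"192.0.2.10": 15, "192.0.2.11": 5, "203.0.113.7": 10},
    "C": {"198.51.100.5": 15},
}
LINK_CAPACITY = 100   # packets per tick the congested router's link can carry

if __name__ == "__main__":
    agg, limits, arrivals, drops = simulate_round(SAMPLE_TRAFFIC, LINK_CAPACITY)
    print(f"aggregate {agg}, per-upstream limits {limits}")
    print(f"arriving after pushback: {sum(arrivals.values())}/{LINK_CAPACITY}, drops {drops}")
```

With the constructed traffic, 150 packets/tick arrive against a 100-packet link; after one round, upstream A is limited to 40 and B keeps its 20, the link carries 90, and the non-aggregate traffic to 198.51.100.5 and 203.0.113.7 is untouched.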

Can this be right? (4, Interesting)

rocjoe71 (545053) | more than 11 years ago | (#4541202)

This sounds like innovation and that just can't happen on non-M$ operating systems, can it?

Back down to earth, it's mega-wicked when good ideas are developed in FreeBSD (or Linux). Developments like these come the closest to the original intents and purposes of open sourced OSes.

Re:Can this be right? (1)

tomstdenis (446163) | more than 11 years ago | (#4541220)

Troll much?

Since when can you not write open and innovative software on a MS platform?

People like you give idiot-yuppie-zealots a bad name.

Tom

Relax! (2)

rocjoe71 (545053) | more than 11 years ago | (#4541301)

...I was only kidding over MS' statements about their 'freedom to innovate' and how open-source is a 'threat to innovation'.

It's Sunday morning! Don't be so serious over *everything*!

People like you give knee-jerk-reactionaries a bad name.

another idea... (1)

jjshoe (410772) | more than 11 years ago | (#4541211)

While this idea is good... I often thought about the complexity of having software on every router like ntop or such, set up with a tool like traceroute.

What in the heck am I saying? Let's say you get SYNs with spoofed IPs (ask any IRCop how much fun that is); you could then trace back through every router that spoofed IP came from. I realize this would tax machines quite a bit in logging and whatnot.

I don't think there will ever be a way to prevent any type of attack. I do think it's important to have a proper response plan.

Re:another idea... (3, Interesting)

Shishak (12540) | more than 11 years ago | (#4541253)

There is a perfect, 100% sure way of stopping spoofed IPs. It is very easy, non-resource intensive and not being used by lazy network admins.

On every edge router you simply need to put an access-list to drop all packets not coming from your netblocks.

Edge routers going to customers: you drop incoming packets not coming from your customer-assigned IP. Almost EVERY edge device supports this, most support dynamic filters with RADIUS requests. If you only allow your customers to send you data from their IP address it is impossible for them to be part of a spoofed attack.


I have a simpler solution (1, Insightful)

Anonymous Coward | more than 11 years ago | (#4541244)

Make ISPs liable for machines that they allow to connect that are periodically engaged in attempting to abuse other machines for longer than, say, 10 days.

Give ISPs an incentive to detect forged packets, portscanning, and other common signs of compromised machines at the source. Get rid of zombies at the source. Then there wouldn't be the raw material for DDoS.

In short, keep machines from swinging their fists, rather than try to make the recipients more resistant to being hurt.

blocking packets with forged return addresses (5, Insightful)

wfmcwalter (124904) | more than 11 years ago | (#4541277)

Perhaps someone more network-literate than I can answer this DDoS question, which has bothered me for some time.

I believe most DDoS attacks have the following in common:

  1. DDoS zombies generally send packets with forged return addresses, as doing so greatly complicates attempts both to block packets and to track down individual zombies.
  2. Machines used for DDoS attacks are almost always either corporate PCs or home PCs connected by DSL/cable. These nodes are single-homed, and as such packets emanating from them have only one initial route to the internet.

My question is this - why can't corporate IT people or their counterparts at ISPs reprogram their front-line routers (those that directly connect to individual end-user PCs) to block packets with forged return addresses? Forged addresses typically are either totally illegal or indicate a totally different net or subnet from the actual sender.

I can't see any reason why this wouldn't be a good idea - there really isn't any reason for the type of machines mentioned to ever act as true IP routers (as opposed to NATs), and it doesn't seem like this would be either hard or burdensome for the first-line routers to do.

Employing this would mean that DDoSers would be confined to forging return addresses within the zombies' own subnet, which would make both blocking and back-tracking much easier.

It's plain that this isn't done, so there must be a good reason why people much more network savvy than I haven't implemented it - what is it?

Re:blocking packets with forged return addresses (0)

Anonymous Coward | more than 11 years ago | (#4541387)

This would work even better if the router could somehow tell your true IP address and when it sees you trying to forge packets, it black lists you and temporarily or permanently shuts down all traffic from that IP, logs the illegal attempt and notifies an administrator.

Re:blocking packets with forged return addresses (1)

wfmcwalter (124904) | more than 11 years ago | (#4541509)

This would work even better if the router could somehow tell your true IP address

Strictly, it needs only to figure out your true identity to do this blacklisting.

For ethernet connected devices (corporate and college LANs) the ethernet address serves this function.

I have no idea how this would be achieved with PPP (dialup) and PPPoE (some dsl).

For non PPPoE domestic broadband, one would imagine the DSLAM or DOCSIS-router-thingy would have the equivalent info (for DSL and cable respectively).

Re:blocking packets with forged return addresses (1)

dubious9 (580994) | more than 11 years ago | (#4541415)

Hmmm... good idea. I have had this idea with respect to e-mail servers and making sure each e-mail sent out had no forged information.

Basically, I guess that this would require some sort of change to IP. One solution would be to send the "front line router" a connection packet. Then have the router send you back a public key. Then the client encrypts his IP address (or some other unique piece of information (MAC?)) and sends this along with every outgoing message.

The router could then maintain a lookup table with IPs and encrypted messages to determine which ones to drop.

You might have to double the number of front line routers to handle the overhead, but I guess this would help quite a number of security related questions.

I realize there are probably a number of problems with this as I am not a security guy, but are there any reasons this basic idea wouldn't work?

Re:blocking packets with forged return addresses (5, Insightful)

swb (14022) | more than 11 years ago | (#4541582)

"Good" networks prevent forged packets by doing what you suggest, dropping packets with bogus source addresses at the edge of the network or at appropriate ingress points.

I think the argument that is made for not doing this at a lot of ISPs is that with most Cisco routers it's expensive, as a lot of their routers can't fast switch with ACLs applied; they process switch, turning an adequate router into an inadequate packet-dropper.

It can also be a PITA to maintain -- if you put it at the very edge, like on an ISP's peering router with their upstream, it doesn't prevent in-block spoofing (e.g., spoofing packets within the ISP's block). If you try to beat that on all the aggregation routers, you have a lot of ACLs to maintain; customer churn could put address blocks all over the place.

I'd argue that ISPs should make it a term of service that *their* customers ACL their edge routers; we-catch-spoofing-we-cut-you-off language.

Re:blocking packets with forged return addresses (5, Informative)

Cato (8296) | more than 11 years ago | (#4541673)

This is mainly laziness - there are tools to help you do this, from Expect-based scripts up to commercial router provisioning tools (which can also be used to activate IP VPNs and QoS).

As for router capacity - Junipers don't have this problem, and if the ISP manages the CPE router on the customer site they can just push it down to that device. On a Cisco, where you have symmetric routing (probably the case for most smaller customers i.e. not dual-homed), you can just set the IP reverse-path forwarding option, which is very efficient - on each packet, the router does a routing lookup on the *source* address, as if it was trying to send a packet back to its origin. If the routing table doesn't have an entry for that source address that points out via the interface the packet was received on, the source address has been forged. This is not much overhead at all - just one more routing lookup.

For dual-homed customers, the provider has to use ACLs or perhaps a managed CPE, but ideally this would be a selling point for the ISP helping to generate cash to pay for router upgrades if needed - it safeguards the customer's network from being used to generate DDoS attacks with forged source addresses, which could save the customer from a lawsuit.
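An added example (not from the thread, and not any vendor's code) that puts the two edge checks discussed above side by side: the per-customer access list that drops sources outside the customer's assigned blocks, and the strict reverse-path lookup on the source address, with the loose variant as a contrast. Interface names, prefixes (RFC 5737 documentation ranges) and packets are constructed.

```python
"""Source-address validation at an ISP edge router, two ways: a per-customer
ingress access list and a reverse-path-forwarding (uRPF) lookup on the FIB.
Constructed example: prefixes, interface names and packets are made up
(RFC 5737 documentation ranges), not taken from any real router config."""
import ipaddress
from typing import Optional


class Fib:
    """Longest-prefix-match forwarding table: prefix -> outgoing interface."""

    def __init__(self, routes):
        nets = [(ipaddress.ip_network(p), ifc) for p, ifc in routes]
        # Most specific prefix first, so the first hit is the longest match.
        self.routes = sorted(nets, key=lambda r: r[0].prefixlen, reverse=True)

    def lookup(self, addr: str) -> Optional[str]:
        ip = ipaddress.ip_address(addr)
        for net, ifc in self.routes:
            if ip in net:
                return ifc
        return None  # no route at all (bogon / unallocated / private space)


def ingress_acl_ok(allowed: dict, src: str, in_ifc: str) -> bool:
    """Access-list check: on a customer-facing interface, the source must fall
    inside one of the blocks assigned to that customer. Needs per-interface
    maintenance and cannot see spoofing *inside* an assigned block."""
    ip = ipaddress.ip_address(src)
    return any(ip in ipaddress.ip_network(p) for p in allowed.get(in_ifc, ()))


def strict_urpf_ok(fib: Fib, src: str, in_ifc: str) -> bool:
    """Strict uRPF: look up the SOURCE address as if replying to it; accept only
    if the reply would leave through the interface the packet arrived on.
    One extra FIB lookup and no per-customer ACLs, but it assumes symmetric
    routing (a dual-homed customer's replies may legitimately take another path)."""
    return fib.lookup(src) == in_ifc


def loose_urpf_ok(fib: Fib, src: str) -> bool:
    """Loose uRPF: accept if ANY route to the source exists. Catches unrouted
    sources only; a spoofed address from another routed prefix still passes."""
    return fib.lookup(src) is not None


def check_packets(fib: Fib, allowed: dict, packets):
    """Run the three checks over (src, ingress_interface) pairs."""
    return [
        {"src": src, "ifc": ifc,
         "acl": ingress_acl_ok(allowed, src, ifc),
         "strict_urpf": strict_urpf_ok(fib, src, ifc),
         "loose_urpf": loose_urpf_ok(fib, src)}
        for src, ifc in packets
    ]


# Constructed edge router: three customer ports and one peering port.
FIB = Fib([
    ("192.0.2.0/24", "cust-a"),
    ("198.51.100.0/24", "cust-b"),
    ("198.51.100.64/26", "cust-c"),   # carved out of cust-b's /24 and reassigned
    ("203.0.113.0/24", "peer-x"),     # another network's prefix, reached via peering
])
ALLOWED = {
    "cust-a": ["192.0.2.0/24"],
    "cust-b": ["198.51.100.0/24"],    # stale: still covers the /26 now given to cust-c
    "cust-c": ["198.51.100.64/26"],
}
PACKETS = [
    ("192.0.2.10", "cust-a"),       # honest customer source
    ("203.0.113.5", "cust-a"),      # source belongs to a peer's prefix
    ("198.51.100.70", "cust-b"),    # inside the stale block: the ACL misses it
    ("10.0.0.1", "cust-b"),         # unrouted private source
    ("198.51.100.70", "cust-c"),    # honest use of the reassigned /26
]

if __name__ == "__main__":
    for verdict in check_packets(FIB, ALLOWED, PACKETS):
        print(verdict)
```

The third packet is the in-block case raised earlier in the thread: the stale access list passes it, while the strict reverse-path lookup rejects it because the longest match for that source now points out cust-c.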

Old Idea (5, Informative)

Brew Bird (59050) | more than 11 years ago | (#4541289)

This idea has been hashed to death for years.
The basic implementation has already been done.

What is novel and new about this paper is the suggestion that upstream routers are going to allow any tom, dick and mary to tell them what packets to throttle.

Always ass-uming that the larger switches can actually do this on the scale that is hinted at in the paper.

While issue 1 is specifically a political issue between carriers and customers, one could always point to the ease with which BGP routes are exchanged as an example of how easy this would be to do. Unfortunately, since we are now talking about something that could effectively put a transit provider out of business, there is no way issue number 1 will be overcome, unless the router manufacturers give me the same kind of filter and ruleset technology I have for BGP. This would allow me to ignore anything I want from anyone, and would have the net effect of the feature being disabled!

As for 2, I'm sure some router manufacturer has been touting this type of 'feature' on their new multi-gigabit MPLS/IP-does-everything-at-once switch. Don't believe it until it's out of the lab, guys. As many times as carriers have been screwed over by these new startups and their 'awesome powerful technology', I'm surprised anyone believes their line of crap anymore.

It's too bad DDOS attacks don't go on for weeks, then we could use something like RBL to deal with it. Since they are so transitory, blackholing on the fly (which is basically what this paper is advocating) would require a lot more thinking about than has been put into this work.

Perhaps, instead of trying to complicate our lives with Yet Another New Protocol, you could simply come up with an IDS concatenation system that puts together 'lists' of known DDOS sources at the current moment, and put it into a BGP feed... What a concept! Taking 2 technologies that are known to work, and available to ANYONE that does BGP on the internet, and making it work!

Thank You, Come Again.

Re:Old Idea (1)

bigberk (547360) | more than 11 years ago | (#4541424)

Perhaps, instead of trying to complicate our lives with Yet Another New Protocol, you could simply come up with an IDS concatenation system that puts together 'lists' of known DDOS sources at the current moment, and put it into a BGP feed... What a concept! Taking 2 technologies that are known to work, and available to ANYONE that does BGP on the internet, and making it work!

This kind of reminds me of DShield [dshield.org]. And I think you're right, if we could automate such an internet-wide distribution of potential DDoS participant hosts then when an attack begins, the victim could invoke "the blacklist" and hopefully cut out a big chunk of the sources.

Re:Old Idea (1)

smallfries (601545) | more than 11 years ago | (#4541529)

Ok, disclaimer first - I haven't actually read the paper. That said, if you're right about:

What is novel and new about this paper is the suggestion that upstream routers are going to allow any tom, dick and mary to tell them what packets to throttle.

Then, lol. Do they really think this is a good idea in any way, shape or form?
This opens up an even worse class of DOS attack than the one that it plugs. Effectively I can clamp off your traffic by accusing you of DOS'ing a bunch of servers out there somewhere (by forging requests from those servers).

Or even worse, again by forging requests from a server I can fire off pushbacks to a large number of edge routers and close down most of your traffic from those areas.

Is there no authentication in there at all?

Re:Old Idea (4, Insightful)

Cato (8296) | more than 11 years ago | (#4541706)

A BGP feed will only help if you want to drop ALL traffic to a given IP prefix - the ACC proposal actually lets you limit traffic by port number as well.

Also, a BGP-only solution would only let you drop traffic, so it's not very useful for flash crowds, where the traffic is legitimate but excessive. It's also not useful where the port / prefix etc can't precisely identify only DDoS traffic - rate limiting allows some good traffic to get through while also limiting the DDoS. Blackholing != limiting (did you read the paper at all?)

I agree that this can be prototyped using existing technology (see my post elsewhere), but if this approach proves useful, a dedicated protocol would be helpful - though this could perhaps be piggybacked onto BGP using additional attributes to carry the filter and rate limit information.

Pushback simply moves the problem (3, Interesting)

The Moving Shadow (603653) | more than 11 years ago | (#4541305)

While Pushback technology can help the servers to stay online, they literally push the network load off to another branch of the network where it can congest normal network connections. For important servers like the nameservers that have been attacked last week - where they (btw) used a similar technique of pushing requests e.g. network data off to another part of the network - this is a good method. But you run the risk of creating congestion somewhere else on the network. So people working upstream from the attacked server will probably suffer from poor accessibility. It's just a choice what you want to sacrifice, either the targeted servers or the people upstream. But I agree this technology is a step forward towards an appropriate security answer to DDOS attacks.

A perfect tool for doing DDoS.... (2, Insightful)

wuchang (524603) | more than 11 years ago | (#4541326)

The paper talks about pushback filters based on destination-IP based address filters. Consider a DDoS attack on a popular site such as slashdot. Pushback will affect EVERYBODY, not just the unpatched zombies. If exploited correctly, this makes for a perfect tool for the hacker to obtain a 100% denial. This is an arms race, we can't afford to give hackers our nukes, unless we make sure they can't be used against us.

You're still putting daemons in /etc? (0, Troll)

your f*cking mother (610978) | more than 11 years ago | (#4541341)

Come on, kids. It's not the 80s anymore (though, I'm willing to bet the guys at AT&T Research labs aren't kids, and they actually might remember when /etc was the best place to put those things... but it's not anymore... especially not on FreeBSD!)

Um, this isn't new. (5, Interesting)

Mordant (138460) | more than 11 years ago | (#4541344)

Bellovin came out with this a while ago. It's an interesting concept, but has the following practical drawbacks:

1. All the various vendors would have to implement it.

2. False positives. A new form of DoS would be to generate enough spoofed traffic to trigger this sort of thing -aimed at someone else-. Imagine your outrage when your l33t IRC buddies spoof your IP address block whilst attacking www.slashdot.com - no more imbecilic, outdated "Gee, whiz!" types of posts for you to read.

3. Oftentimes, rate-limiting via CAR, traffic shaping, or other methods consumes more CPU cycles on the routers than simply blocking the offending traffic (assuming this is possible, which depends upon the attack methodology).

The best way to combat DoS attacks generally is to use strong platforms which process ACLs and other features in hardware (ensuring that your config allows those features to be processed in hardware; logging ACLs like a 'deny ip any any log' just won't cut it, these days), ensure you have the ability to 'draw off the poison' by sinkholing traffic headed for the destination by advertising a null route for it on a sinkhole router (this isn't always possible, it depends upon the target of the attack; you may not want to sinkhole all requests to your Web server, for example), ensure you have as good a traffic sniffing/IDS-type capability as possible, make use of Netflow tools like CAIDA cflowd/OSU flow-tools/Flowscan/Panoptiis/FLAVIO/Arbor Networks' Peakflow DoS, and know how to get in touch with the folks at your ISP(s) who can help with identifying the (even spoofed, via Netflow tracing) sources and blocking the offending traffic upstream of you.

If you're a commercial site, strongly consider a distributed Web site, hosted at different locations and using some sort of Global Server Load Balancing technology (GSLB; Cisco's Distributed Director and 4480 are two examples of this) to send people to different sites depending upon their location, network topology-wise.

Re:Um, this isn't new. (0)

sh2kwave (310977) | more than 11 years ago | (#4541419)

What about the more obvious approach of just blocking, on a timed basis, the attacker's MAC? This is unique and would force the offender to change their NIC.
This should in some form increase the duration of the block based on the continuing offense of the target's time spent attacking.
This would have to be implemented on a network of routers, which is a drawback, but could most probably be a software upgrade and not a massive hardware one.

I wonder when... (1)

Gerald (9696) | more than 11 years ago | (#4541356)

"The authors of the paper have an initial implementation on FreeBSD."

I wonder when the LinPushbackd, GNU Pushbackd and PHPMyPushbackd projects will appear on SF.

ipv6 (1)

fluor2 (242824) | more than 11 years ago | (#4541382)

Doesn't IPv6 fix this? IPv6 NOW! [ipv6.org].

Re:ipv6 (2)

Subcarrier (262294) | more than 11 years ago | (#4541447)

Doesn't IPv6 fix this?

No. IPv6 improves a lot of things but it doesn't fix this. Sorry.

why waste energy on this instead of going ipv6? (0, Redundant)

O0o0Oblubb!O0o0O (526718) | more than 11 years ago | (#4541401)

Excuse me if I'm wrong, but my understanding of the matter was that source address spoofing etc. would be gone once IPv6 is widely used. AFAIK, IPv6 would prevent lots of techniques in this context, so why waste lots of energy/work on this, instead of actually getting people to switch to IPv6?

IPv6 has been around for some time now and is implemented in every major OS (both client and server). I know that the switch to IPv6 is a big task, but the way I understand it, it would also deal with a lot of problems (including to a certain extent DDoS) in context with IPv4.

please correct me if I'm wrong.

Forged Headers? (2)

nurb432 (527695) | more than 11 years ago | (#4541410)

If they forge the send-from info, wouldn't that make this idea sort of useless?

Might even reverse-DOS innocent people.. I'd be pretty upset if that happened to me.. I might even sue if I lost revenue..

finally... a cure for Slashdotting... (5, Funny)

constantnormal (512494) | more than 11 years ago | (#4541464)

In a press release by the Office of Homeland Defense, it was announced that an insidious plot by hacker terrorists had been thwarted. It seems that this subversive web site, www.slashdot.org, would trigger random DDOS attacks on targets identified on their web site. It has yet to be ascertained what their intent was, as no logical pattern has been detected. The investigation continues.

Welcome to the Twilight Zone.
I certainly hope the filters used to detect true DDOS attacks are effective enough to prevent this scenario.

Re:finally... a cure for Slashdotting... (0)

Anonymous Coward | more than 11 years ago | (#4541557)

It has yet to be ascertained what their intent was, as no logical pattern has been detected

I thought Jon Katz had stopped submitting stories ...

Criticism, improvement and easy testing! (2, Informative)

bigberk (547360) | more than 11 years ago | (#4541495)

Criticism: By giving smaller routers the power to command the behaviour of larger routers upstream, you are dangerously opening up a loophole that could allow someone in control of a router to maliciously affect upstream behaviour (potentially a huge scope!).

Improvement: Only allow routers to pushback/command up one or two hops to limit the scope of potential reverse-DoS attacks.

Easy testing: This doesn't refer to the above issue, but still... have AT&T set up a test site running their BSD implementation and then post a story to Slashdot to have us test it out :)
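To make the hop-limit suggestion above concrete, here is a small simulation of pushback propagation with a bounded scope. It is an added example written for this thread, not code from the paper or from AT&T's FreeBSD implementation. The topology, link rates and capacity are constructed; the "heavy link" heuristic (limit only the upstream links sending more than their fair share of the allowance) is a stand-in for the paper's own aggregate detection. The `max_hops` parameter is the hop limit bigberk proposes: the detecting router always installs its own limits, and only that many routers upstream of it are asked to do the same, so a request originating from a small or compromised router cannot reach further than that into the core.

```python
"""Hop-limited Pushback propagation on a constructed router tree (added example)."""
from dataclasses import dataclass, field
from typing import Dict


@dataclass
class Router:
    """A router with the traffic rate (Mbit/s) arriving on each upstream link."""
    name: str
    inbound: Dict[str, float] = field(default_factory=dict)


def build_topology() -> Dict[str, Router]:
    """Constructed tree: sources s1..s4 -> edge e1..e3 -> core c1,c2 -> victim-side v.

    Link rates are made up; s1 and s3 are the flooding sources, s2 and s4 are
    modest legitimate senders that share links with them.
    """
    return {
        "v":  Router("v",  {"c1": 90.0, "c2": 20.0}),
        "c1": Router("c1", {"e1": 60.0, "e2": 30.0}),
        "c2": Router("c2", {"e3": 20.0}),
        "e1": Router("e1", {"s1": 50.0, "s2": 10.0}),
        "e2": Router("e2", {"s3": 30.0}),
        "e3": Router("e3", {"s4": 20.0}),
        "s1": Router("s1"), "s2": Router("s2"),
        "s3": Router("s3"), "s4": Router("s4"),
    }


def pushback(routers: Dict[str, Router], at: str, allowance: float,
             hops_left: int, applied: Dict[str, Dict[str, float]]) -> None:
    """Ask router `at` to keep its forwarded traffic within `allowance` Mbit/s.

    The router rate-limits only the upstream links exceeding a fair share of the
    allowance (the heavy hitters) and, while `hops_left` > 0, forwards each of
    those links' new budget one router further upstream.  Limits are recorded in
    `applied[router][upstream_link]`.
    """
    r = routers[at]
    total = sum(r.inbound.values())
    if not r.inbound or total <= allowance:
        return                      # leaf or not congested: nothing to do here
    fair = allowance / len(r.inbound)
    heavy = [u for u, rate in r.inbound.items() if rate > fair]
    light_total = sum(rate for u, rate in r.inbound.items() if rate <= fair)
    # Lightly loaded links keep their traffic; the remainder is split among the heavy ones.
    share = (allowance - light_total) / len(heavy)
    for upstream in heavy:
        applied.setdefault(at, {})[upstream] = share
        if hops_left > 0:
            pushback(routers, upstream, share, hops_left - 1, applied)


def run_pushback(routers: Dict[str, Router], origin: str, capacity: float,
                 max_hops: int) -> Dict[str, Dict[str, float]]:
    """Run pushback from `origin` (link capacity in Mbit/s) and return the limits installed."""
    applied: Dict[str, Dict[str, float]] = {}
    pushback(routers, origin, capacity, max_hops, applied)
    return applied


if __name__ == "__main__":
    net = build_topology()
    for hops in (0, 1, 2):
        limits = run_pushback(net, "v", 50.0, hops)
        print(f"max_hops={hops}: limits installed at {sorted(limits)}")
        for router, per_link in limits.items():
            print(f"  {router}: {per_link}")
```

With `max_hops=0` only `v` throttles its own links; with `max_hops=2` the request reaches `c1`, `e1` and `e2` but never the sources themselves, so the blast radius of any one router's request is fixed by policy rather than by how far upstream the attack happens to originate. Note the cost of the crude heuristic: at `e1` the legitimate sender `s2` is squeezed to the same budget as the flooder `s1`, which is the reverse-DoS collateral nurb432 worries about and the reason the detection filter matters as much as the propagation mechanism.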

Good concept, won't work long? (1)

tuxlove (316502) | more than 11 years ago | (#4541532)

My firewall blocks all incoming ICMP except a few select types. Quench is not one of them. It could conceivably be used against you, so I block it. Why wouldn't the guys who write the scripts for the kiddies make changes to their code so that zombie machines ignore source quench ICMP?

I'm not sure how effective source quench is against routers in the path of a zombie host.

Heh heh (2, Interesting)

tuxlove (316502) | more than 11 years ago | (#4541548)

What if the script kiddies attacked their targets with loads of source quench packets? Can you source quench a source quench attack? :)