On Wed, May 15, 2002 at 12:14:35AM -0600, Pete Kruckenberg wrote:
> These might apply to noticeable DoS attacks that occur as specific events. But how much (D)DoS traffic goes unnoticed by the average customer because it's too tough to detect or defend against? The 10% I've measured on my network is primarily reflected DDoS (reflected off my customers, to off-net targets), which is not trivial to detect or defend against.

It all depends on the networks involved. I'd venture to say that most people not associated with university networks see significantly less DoS, more like 1% of overall traffic for service providers and probably closer to 0% for end users who aren't IRCing. At any rate, you are also in the very special case of being the one used to do the attacks rather than the one being attacked. Again, you really have to have university networks involved to see those numbers.

In non-DDoS cases, particularly your classic bandwidth floods, the source feels the attack as badly as the victim. That is less the case today, with targeted attacks (your network MAY fall over routing 100kpps, but it is far more likely to fall over if those 100kpps are directed at your routers) and DDoS reducing the amount of power that any given source must use. Remember that the original point of DDoS was to prevent the sources from noticing (and thus shutting down the compromised machines) by using 10 networks at 10% instead of 1 at 100%. Today, you often see targeted high-pps, low-bandwidth attacks which actually bring down traffic (these *are* supposed to be denial of service attacks after all :P) instead of raising it.

But as for your case... Attacks directed at you and attacks directed from you are sometimes the same thing and sometimes different, and I think most people see money to be made in the former. Personally I would rather have to deal with the latter, because there is something I can easily do about it. For the sake of the rest of us, PLEASE go fix your network so that we don't have to deal with your attacks. I'm still recommending rate limiting your outbound RSTs either on the webservers themselves (which a good OS should do), or on the routers. :)

--
Richard A Steenbergen <ras@e-gerbil.net> http://www.e-gerbil.net/ras
PGP Key ID: 0x138EA177 (67 29 D7 BC E8 18 3E DA B2 46 B3 D8 14 36 FE B6)