On Fri, Apr 20, 2001 at 01:11:14PM -0400, Greg A. Woods wrote:
> The difference with most DDoS attacks is that they have one or a very few "targets" (i.e. one host, or one subnet which equals one port on a router, etc.). Those types of DDoS attacks are damaging to everyone's perception of how a network is performing because they present a radically unbalanced flow, or small set of flows, against the normal traffic distribution. The result is that lots of little connections get pushed aside, and too many packets over all get dropped. Obviously the DDoS attacker doesn't really care if all his data gets through -- he's more than happy to have it mostly all end up in the bit bucket just so long as he's causing other flows to end up there too. In the real world
Actually, making it to the target is precisely the point of a DDoS. If an attacker fires off a single machine's 100Mbit worth of attack, it's more likely to kill a single DS3 peer somewhere along the way than to make it to the target (and in the process piss off all the people who were trying to use that link, but not necessarily the people trying to use the target, the exact opposite of their goals). If on the other hand, the attacker fires off 100 1Mbit SYN floods from diverse network locations, it's more likely to a) go unnoticed by 99 of those source sites, b) reach the target or as close to the target's last bottleneck as possible, and c) only affect the victim and not the intermediate networks in between.
> a paying customer will be using TCP or some such protocol which will flow control itself if there's not enough available capacity to run at full speed (or heaven forbid if there's loss that can't be avoided by flow control). So, no matter how big my pipe, and how many or few TCP connections I try to push/pull through it, I cannot create a burst that will affect other customers in any long-term significant fashion, especially if all the other customers also have the same size pipe.
That is absolutely not the case. You may have no problem self-regulating a few TCP sessions ftp'ing some files while ssh'ing on a 10Mbit network, but when you have many thousands or hundreds of thousands of TCP flows on an internet backbone, the link will quickly suffer from the combined window-probing and packet loss backoff effects of all those flows. Don't forget all that web traffic with all the flow starts and stops, and the humans clicking refresh which is not self-regulating at all... The internet does not behave like a Linksys hub-based network... Having more flows is sort of like having a TCP which doesn't back off quite as easily (for those of you running an open source operating system, go see what happens if you tune some of the retransmit settings so you aren't quite as friendly as everyone else)... DDoS doesn't back off either... :P The only way you can compete under these conditions is if you have a transport protocol which doesn't take packet loss for an answer, and you are willing to have a bandwidth free-for-all (obviously this is completely self destructive when applied to the internet)...
> Who sets up what?!?!?!? Show me a real-world example of how someone can cause disruptive peaks of normal traffic and not get billed for them, and also not end up paying more than they would have paid if they'd simply played fairly. Alex Pilsov's example scenario is about the only
See my previous email regarding monthly backups... It's not that uncommon among ecommerce people with multiple locations...
> Maybe the industry will eventually find that 95 is a bad number and it really has to be 96, or even 98. All I know is that if you're selling ethernet, or even high-speed SDSL, you cannot fairly bill at the 100th percentile of peak bandwidth usage. Any user stupid enough to sign a deal based on 100th percentile peak bandwidth usage (when buying a pipe much fatter than they require) is probably getting taken to the cleaners and obviously doesn't understand how data moves on the Internet.
This is really a backwards scheme. If you use 20Mbit for 90% of the time, and then you use 80Mbit because you are slashdotted for 3 days or something, your maximum rate is still 80Mbit... You've already paid for 27 days * 60Mbps = 17.5TB of unsent data outbound, and 30 days * 80Mbps = 26TB of unreceived data inbound. It has an advantage for the provider of motivating the customer not to burst their traffic (and thus making their network more predictable), but if you are in the business to encourage your customers NOT to use the internet then what is the point.

--
Richard A Steenbergen <ras@e-gerbil.net> http://www.e-gerbil.net/ras
PGP Key ID: 0x138EA177 (67 29 D7 BC E8 18 3E DA B2 46 B3 D8 14 36 FE B6)
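Worked example of the billing arithmetic in the 3-day-burst scenario above, added here and not part of the thread. It assumes 5-minute samples, a 30-day month, and the usual 95th-percentile method (sort the samples, discard the top 5%, bill the highest remaining one); the traffic profile is constructed.

```python
"""95th-percentile vs. peak (100th-percentile) bandwidth billing.

Constructed profile: 27 days of steady 20 Mbit/s followed by a 3-day
burst at 80 Mbit/s, sampled every 5 minutes (assumption, not from the thread).
"""
import math

SAMPLES_PER_DAY = 24 * 12      # one sample every 5 minutes
SECONDS_PER_SAMPLE = 300


def build_month(base_mbps, burst_mbps, burst_days, month_days=30):
    """Per-sample rates (Mbit/s): a steady base rate, then a burst at the end."""
    steady = [base_mbps] * (SAMPLES_PER_DAY * (month_days - burst_days))
    burst = [burst_mbps] * (SAMPLES_PER_DAY * burst_days)
    return steady + burst


def percentile(samples, pct):
    """Sort ascending, drop the top (100 - pct)% of samples, and return the
    highest sample left: the standard 95th-percentile billing rate."""
    ordered = sorted(samples)
    idx = math.ceil(len(ordered) * pct / 100) - 1
    return ordered[max(idx, 0)]


def billable_rates(samples):
    """Rate billed under 95th-percentile vs. peak (100th-percentile) schemes."""
    return {"p95": percentile(samples, 95), "peak": max(samples)}


def unused_tb(samples, billed_mbps):
    """Volume (TB, 1 TB = 1e12 bytes) paid for at a flat `billed_mbps`
    but never actually sent over the month."""
    paid_bits = billed_mbps * 1e6 * SECONDS_PER_SAMPLE * len(samples)
    sent_bits = sum(r * 1e6 * SECONDS_PER_SAMPLE for r in samples)
    return (paid_bits - sent_bits) / 8 / 1e12


if __name__ == "__main__":
    month = build_month(20, 80, burst_days=3)
    rates = billable_rates(month)
    print(rates)                                  # {'p95': 80, 'peak': 80}
    print(f"{unused_tb(month, rates['peak']):.1f} TB paid for, never sent")  # 17.5 TB
    # A burst shorter than 5% of the month (36 hours) drops out of the p95 figure.
    print(billable_rates(build_month(20, 80, burst_days=1)))  # p95 20, peak 80
```

A 3-day burst is 10% of the month, so it raises the 95th-percentile rate just as the peak scheme would; only bursts shorter than about 36 hours are "free" under 95th-percentile billing.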