On Mon, Dec 6, 2010 at 1:50 AM, Sean Donelan <sean@donelan.com> wrote:
> February 2000 weren't the first DDOS attacks, but the attacks on multiple
> Other than buying lots of bandwidth and scrubber boxes, have any other DDOS attack vectors been stopped or rendered useless during the last decade?
Very little, no, and no. Not counting occasional application bugs that are quickly fixed. Even TCP weaknesses that can facilitate attack are still present in the protocol. New vectors and variations of those old vectors have emerged since the 1990s. So there is an increase in the number of attack vectors to be concerned about, not a reduction.

SYN and Smurf are swords and spears after someone came up with atomic weaponry. The atomic weaponry is named "botnet". Which is why there is less concern about the former types of single-real-origin, spoofed-source attacks. Botnet-based DDoS is just "Smurf" where the amplification nodes are obtained by system compromise instead of router misconfiguration, and a minor variation on the theme where the chain reaction is not started by sending spoofed ICMP ECHOs.

Since 2005 there are new beasts such as "Slowloris" and "DNS Reflection". DNS Reflection attacks are a more direct successor to Smurf; true Smurf broadcast amplification points are rare today, with diminishing returns for the attacker trying to find the 5 or 6 misconfigured gateways out there, but that doesn't diminish the vector of spoofed small-request, large-response attacks. Open DNS servers are everywhere.

SYN attacks traditionally come from a small number of sources and rely on spoofing to attack limitations on the available number of connection slots for success. New vectors that became most well-known in the late 90s utilize botnets, and an attacker can make full connections, therefore requiring zero spoofing, negating the benefit of SYN cookies. In other words, SYN floods got supplanted by TCP_Connect floods.

--
-JH
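The point in the reply above (SYN cookies remove the half-open state a spoofed SYN flood exhausts, but do nothing against bots that complete the handshake from real addresses) is easy to see in a toy model. The following is an added example, not code from the thread or from any participant: a listener with a bounded SYN backlog and a bounded established-connection table, a stateless SYN cookie built from an HMAC over the 4-tuple and a coarse time counter (the real Linux layout differs; the secret key, the 24-bit MAC width, the RFC 5737 addresses and the counts are all constructed for the demonstration), and three scenarios: a spoofed SYN flood without cookies, the same flood with cookies, and a botnet connect flood with cookies.

```python
"""Toy model: SYN cookies vs. a spoofed SYN flood vs. a botnet TCP connect flood.
Added illustration; the listener, cookie format and addresses are constructed."""
import hashlib
import hmac
import random

SECRET = b"constructed-demo-key"        # assumption: per-host secret, rotated on real systems
VICTIM = ("203.0.113.10", 80)            # constructed victim address (RFC 5737 range)
MASK32 = 0xFFFFFFFF


def syn_cookie(four_tuple, t, mss_idx=0):
    """Stateless ISN: 5-bit time counter | 3-bit MSS index | 24-bit HMAC (toy layout)."""
    msg = repr((four_tuple, t & 0x1F, mss_idx & 7)).encode()
    mac = int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:3], "big")
    return ((t & 0x1F) << 27) | ((mss_idx & 7) << 24) | mac


def check_cookie(four_tuple, cookie, now, window=4):
    """Accept the cookie only if its counter is recent and the MAC recomputes."""
    t = (cookie >> 27) & 0x1F
    mss_idx = (cookie >> 24) & 7
    if (now - t) & 0x1F >= window:       # counter too old (wrapped past the window)
        return False
    expected = syn_cookie(four_tuple, t, mss_idx).to_bytes(4, "big")
    return hmac.compare_digest(expected, cookie.to_bytes(4, "big"))


class Listener:
    def __init__(self, backlog=128, max_established=256, syn_cookies=False):
        self.backlog = backlog
        self.max_established = max_established
        self.syn_cookies = syn_cookies
        self.half_open = {}              # four_tuple -> server ISN (only without cookies)
        self.established = set()
        self.dropped_syn = 0

    def on_syn(self, four_tuple, now):
        """Return the server ISN to put in the SYN-ACK, or None if the SYN is dropped."""
        if self.syn_cookies:
            return syn_cookie(four_tuple, now)      # no per-connection state allocated
        if len(self.half_open) >= self.backlog:     # classic SYN flood exhausts this table
            self.dropped_syn += 1
            return None
        isn = random.getrandbits(32)
        self.half_open[four_tuple] = isn
        return isn

    def on_ack(self, four_tuple, ack, now):
        """Final ACK of the handshake; True if a connection slot was granted."""
        if self.syn_cookies:
            ok = check_cookie(four_tuple, (ack - 1) & MASK32, now)
        else:
            isn = self.half_open.get(four_tuple)
            ok = isn is not None and ack == (isn + 1) & MASK32
            if ok:
                del self.half_open[four_tuple]
        if not ok or len(self.established) >= self.max_established:
            return False                            # a completed handshake still needs a slot
        self.established.add(four_tuple)
        return True


def spoofed_syn_flood(srv, count, now):
    """Classic SYN flood: every SYN carries a forged source and no ACK ever follows."""
    for i in range(count):
        src = ("198.51.100.%d" % (i % 254 + 1), 1024 + i)   # distinct constructed 4-tuples
        srv.on_syn((src, VICTIM), now)


def connect_flood(srv, bots, now):
    """Botnet connect flood: each bot finishes the handshake from its real address."""
    done = 0
    for bot in bots:
        isn = srv.on_syn((bot, VICTIM), now)
        if isn is not None and srv.on_ack((bot, VICTIM), (isn + 1) & MASK32, now):
            done += 1
    return done


def legit_connect(srv, now):
    """Can one ordinary client still get a connection after the attack?"""
    client = (("192.0.2.7", 40000), VICTIM)
    isn = srv.on_syn(client, now)
    return isn is not None and srv.on_ack(client, (isn + 1) & MASK32, now)


def run_scenarios():
    now = 17
    results = {}
    srv = Listener(syn_cookies=False)
    spoofed_syn_flood(srv, 1000, now)
    results["syn_flood_no_cookies"] = legit_connect(srv, now)        # backlog exhausted

    srv = Listener(syn_cookies=True)
    spoofed_syn_flood(srv, 1000, now)
    results["syn_flood_with_cookies"] = legit_connect(srv, now)      # nothing to exhaust

    srv = Listener(syn_cookies=True)
    bots = [("192.0.2.%d" % (i % 254 + 1), 50000 + i) for i in range(300)]
    results["bots_established"] = connect_flood(srv, bots, now)      # real slots consumed
    results["connect_flood_with_cookies"] = legit_connect(srv, now)  # cookies cannot help
    return results


if __name__ == "__main__":
    for name, value in run_scenarios().items():
        print(name, value)
```

The cookie keeps the spoofed flood stateless, so the legitimate client still connects after a thousand forged SYNs; the connect flood never presents a bad cookie, it simply occupies the established table, which is the resource the cookie was never protecting. Real mitigation for the latter is per-source rate limiting, connection accounting and upstream filtering, which is the "bandwidth and scrubber boxes" answer the thread started from.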