On 8-feb-04, at 10:05, Suresh Ramasubramanian wrote:
Coming up with new types of probes all the time to check for this would be a huge amount of work.
Would that be any less work than clearing up the mess left by an infestation of DDoS zombies? :)
Apples and oranges. You need to clean up the zombies regardless of whether they succeeded in attacking the victim or they were stopped.
I favor an approach where people no longer get to send data at high speed without the recipient's approval. Just sending data in the blind or any type of scanning could then trigger a severe rate limit or raise an alarm.
It is fairly easy to work around rate limits by just scaling laterally, and compromising a few million more boxes. If the next virus grabs 4M, or 20M boxes instead of just a measly 2M boxes, you can rate limit all you like, but it really won't help.
Help against what? You're right that if a million boxes send one 125-byte packet per second to the same place, that particular place is going to receive a gigabit worth of traffic. But how are you going to infect a million boxes if you can only scan one address per second? And let's not be so blasé as to assume that all DoS attacks are done with a million zombies at a time.