undefined | Better HN

0 pointsbrongondwana9y ago0 comments

Seriously? It's OK if only one site/company gets taken offline at a time?

There's no RFC that talks about methods for preventing or mitigating hundreds of thousands of machines all sending arbitrary traffic at you at the same time.

The only way to protect yourself from that sort of attack is to buy filtering from someone who has a bigger pipe than the largest DDoS available, and have them filter the packets so that you only get clean traffic. Unless you know of an alternative that nobody else has heard of yet.

So you wind up buying transit / scrubbing from one of a few big providers, because that's the only way to avoid being sniped by DDoSers.

0 comments

gtrubetskoy9y ago

> There's no RFC that talks about methods for preventing or mitigating hundreds of thousands of machines all sending arbitrary traffic at you at the same time.

The RFCs generally say that the problem is "you", i.e. the target. Of course those device makers could make their devices a little more secure, can't argue with that, it's another form of complacency. Still - the attackers are only able to do this because their targets are few.

If there were thousands of DNS providers such as Dyn each serving a small number of clients spread all over the world, it'd be impossible to attack them all.

To cause maximum damage you need to identify hosts that are common across many big companies. Someone did their homework and figured out that lots of companies are using Dyn for DNS, and for the East Coast of the US this is just a handful of servers. If the same DNS services were spread across 1000 servers, then the attackers would need proportionally more "power" to knock them out. DDos-ing 10 boxes is _so_ much easier than 1000 (approximately 100 times easier, to be precise).

j / k navigate · click thread line to collapse