On 1/28/2011 2:07 PM, Gary Stanley wrote:
Bottom line is you cannot protect yourself against DDOS. Only thing you can do is hope you have more transit than the attackers.

That's partially true. With DDoS attacks that exceed your transit capacity, the link size does come into play. However, many DDoS attacks do not, and can still be effective in bringing down targets. The distributed UDP query DDoS attacks that many have seen lately are a good example of this, in that the application stops responding properly long before the line's capacity is exceeded. Similarly, SYN floods can be very small and still lead to resource exhaustion, as the OS on the target machine expends CPU cycles and dedicates memory to responding to each request.

With a DDoS attack that is less than the speed of transit links, filtering and other techniques often work well. For instance, simple iptables rules (as many have seen) can limit attacks based on per-source or per-destination rate, packet length, strings inside the packet, and so on. Similarly, SYN cookies work extremely well at countering SYN floods because they take memory out of the equation, allowing most modern machines to handle very large attacks (right up to near line rate). There's a solid market niche based around (expensive) DDoS-mitigation appliances that attempt to automatically detect inbound attacks and filter them, making the process relatively hands-off; these work best for tracked TCP traffic.

The real reason that game servers should switch to TCP queries is that doing so would cut down on *reflection* attacks. Having a simple spoofed UDP query packet that can result in a response that is several times as large makes it very easy to harness remote game servers in very large attacks -- without requiring a network of compromised machines, and without revealing the true source of the attack. This scenario has become quite common lately.

-John
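
As an added illustration of the two points John makes (per-source rate filtering and the size asymmetry that enables reflection), not code from the thread: the script below runs over a constructed log of UDP query traffic seen at a game server's query port. The record layout, the peer addresses and the 25-byte query / 390-byte response sizes are this example's own assumptions.

```python
"""Flag the two patterns from the post over a constructed log of UDP game
queries: per-source query bursts (what per-source iptables rate limits catch)
and the response/query byte ratio that makes spoofed queries worth reflecting.
Record layout (ts_seconds, peer_ip, byte_count, direction) is this example's own."""
from collections import defaultdict

# Constructed flow records seen at the game server's query port.
# direction "in" = query arriving from peer, "out" = our response to that peer.
FLOWS = [
    (0.00, "198.51.100.7", 25, "in"), (0.01, "198.51.100.7", 390, "out"),  # ordinary client
    (2.50, "198.51.100.7", 25, "in"), (2.51, "198.51.100.7", 390, "out"),
]
# 40 queries inside one second whose source address is a spoofed victim,
# so every 390-byte reply is "reflected" onto 192.0.2.9 (constructed address).
FLOWS += [(1.0 + i * 0.02, "192.0.2.9", 25, "in") for i in range(40)]
FLOWS += [(1.0 + i * 0.02 + 0.005, "192.0.2.9", 390, "out") for i in range(40)]


def peak_query_rate(flows, window=1.0):
    """Highest number of inbound queries from each peer in any sliding window."""
    times = defaultdict(list)
    for ts, peer, _, direction in flows:
        if direction == "in":
            times[peer].append(ts)
    peaks = {}
    for peer, ts_list in times.items():
        ts_list.sort()
        best = start = 0
        for end, ts in enumerate(ts_list):
            while ts - ts_list[start] > window:   # slide the window forward
                start += 1
            best = max(best, end - start + 1)
        peaks[peer] = best
    return peaks


def amplification(flows):
    """Bytes we sent to each peer divided by bytes that peer sent us."""
    sent, recv = defaultdict(int), defaultdict(int)
    for _, peer, nbytes, direction in flows:
        (sent if direction == "out" else recv)[peer] += nbytes
    return {peer: sent[peer] / recv[peer] for peer in recv if recv[peer]}


def rate_limit_candidates(flows, max_qps=10, window=1.0):
    """Peers whose burst rate exceeds max_qps: the set a per-source rule would drop."""
    return sorted(p for p, n in peak_query_rate(flows, window).items() if n > max_qps)
```

The ordinary client and the spoofed victim show the same 15.6x byte ratio, which is the point: amplification is a property of the query protocol, so only the burst rate distinguishes the two, and only a TCP handshake removes the spoofing.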

_______________________________________________
To unsubscribe, edit your list preferences, or view the list archives, please 
visit:
http://list.valvesoftware.com/mailman/listinfo/hlds_linux
