On 19/10/10 21:34, Maxim Veksler wrote:
> Follow up question:
>
> ICMP can be used for DoS. Cool.

First, let's distinguish between a DoS attack and a DDoS attack.

Denial of Service is when there is a bug in the victim's machine, which I can exploit in order to take it out. Send an IP packet to unpatched Windows 98 which is a fragment with large offset (close to the 64KB limit on IP packets), and a size that takes it over that limit, and the machine will blue screen within a couple of seconds. Since the original attack used ping packets to do this, this attack is called "ping of death". All the attacker had to do was send a single packet.

Distributed Denial of Service, on the other hand, does not require any bug in the OS at all. It means that the attacker has gathered enough raw power in order to flood the machine with more traffic than it can handle. DDoS can be used against any host, given enough attacking machines (which are, of course, hacked zombies), provided any free path in through the firewall. In fact, most DDoS attacks I've seen have not even reached the host, instead taking out routers on the way to the host. Typically the router for the last network, but on one occasion the ISP's peer routers to the upstream provider abroad.

> How does google battle with that? All google services are ping'able (which is very cool obviously).

See below for why "ping" isn't an issue. Google battles DDoS by having many many many servers, distributed geographically. The attackers, thus, do not have enough raw power to overcome Google. In fact, Google's legitimate traffic is, probably, so high, that the best botnet cannot raise that by over a few percent (few - up to 100%). Compare this with the typical DDoS, that raises the amount of traffic by millions of percent, and you see why Google are hard to attack.

> How do they protect against the attack? Surely there are enough script kiddies that constantly try to DoS Google.

The question is a bit naive.

ICMP echo request is no different than any other non-filtered packet. Since your server is on line, you have to allow some traffic through, and an attacker can always choose that as the basis for her DDoS. In fact, given Google's setup, attacking through ping is more than silly. ICMP echo requests are very easy for the machine to handle, and can be blocked on an ad hoc basis without disrupting Google's main service. If the attacker were to send TCP SYN packets on port 80, on the other hand, these are small (about 44-60 bytes, depending on the type of OS you want to pretend they come from), unfilterable (look identical to the legitimate traffic), and require a lot of actions on the server side (set up a TCP socket, decide what the reply sequence number should be, parse all of the TCP options). If I were an attacker, I wouldn't bother with a ping flood where a SYN flood would work so much better, which might explain why Google doesn't bother with a ping flood either.

Shachar

--
Shachar Shemesh
Lingnu Open Source Consulting Ltd.
http://www.lingnu.com
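The "ping of death" described in the reply above is an IP reassembly bug: a fragment whose offset plus payload would land past the 65535-byte IPv4 limit. Below is an added example (not from this thread or from any of the participants) of the bounds check a defensive reassembler or IDS rule applies to every fragment before accepting it. It parses the fixed 20-byte IPv4 header with the standard library, computes where the fragment would end in the reassembled datagram, and flags any fragment that would overflow. The `make_header` helper and the addresses are constructed test fixtures (header only, checksum left at zero, 192.0.2.0/24 documentation addresses); the 65515-byte data limit assumes the reassembled datagram carries a 20-byte header.

```python
import struct

IP_MAX_DATAGRAM = 65535            # 16-bit total length field, so this is the hard ceiling
IP_MAX_DATA = IP_MAX_DATAGRAM - 20  # assumption: 20-byte header on the reassembled datagram

IPV4_HDR = "!BBHHHBBH4s4s"          # RFC 791 fixed header layout, network byte order


def parse_ipv4_header(pkt: bytes) -> dict:
    """Parse the fixed IPv4 header and return the fields needed for fragment checks."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, total_len, ident, flags_frag, _ttl, proto, _csum, src, dst = struct.unpack(
        IPV4_HDR, pkt[:20]
    )
    version = ver_ihl >> 4
    ihl = (ver_ihl & 0x0F) * 4
    if version != 4 or ihl < 20 or total_len < ihl:
        raise ValueError("not a well-formed IPv4 header")
    return {
        "ihl": ihl,
        "total_len": total_len,
        "ident": ident,
        "more_fragments": bool(flags_frag & 0x2000),
        # The 13-bit offset field counts 8-byte units; convert to a byte offset.
        "frag_offset": (flags_frag & 0x1FFF) * 8,
        "proto": proto,
        "src": ".".join(str(b) for b in src),
        "dst": ".".join(str(b) for b in dst),
    }


def fragment_end(hdr: dict) -> int:
    """Byte offset just past this fragment's data inside the reassembled datagram."""
    return hdr["frag_offset"] + (hdr["total_len"] - hdr["ihl"])


def oversized_fragment(hdr: dict) -> bool:
    """True when accepting this fragment would push reassembly past the IPv4 limit."""
    return fragment_end(hdr) > IP_MAX_DATA


def flag_oversized(packets) -> list:
    """Run the check over raw packets and report offenders; malformed headers are reported too."""
    findings = []
    for pkt in packets:
        try:
            hdr = parse_ipv4_header(pkt)
        except ValueError as exc:
            findings.append({"src": None, "ident": None, "reason": str(exc)})
            continue
        if oversized_fragment(hdr):
            findings.append({
                "src": hdr["src"],
                "ident": hdr["ident"],
                "reason": f"fragment ends at {fragment_end(hdr)} > {IP_MAX_DATA}",
            })
    return findings


def make_header(total_len: int, frag_offset_units: int, more_fragments: bool = False,
                src: str = "192.0.2.1", dst: str = "192.0.2.2") -> bytes:
    """Constructed test fixture: a bare 20-byte header (no payload, checksum zero)."""
    flags_frag = (0x2000 if more_fragments else 0) | (frag_offset_units & 0x1FFF)
    to_bytes = lambda ip: bytes(int(o) for o in ip.split("."))
    return struct.pack(IPV4_HDR, 0x45, 0, total_len, 0x1234, flags_frag, 64, 1, 0,
                       to_bytes(src), to_bytes(dst))


if __name__ == "__main__":
    samples = [
        make_header(1500, 0, more_fragments=True),  # ordinary first fragment
        make_header(23, 8189),                      # last fragment of a maximum-size datagram
        make_header(28, 8191),                      # offset 65528 + 8 bytes: overflows
    ]
    for finding in flag_oversized(samples):
        print(finding)
```

The second fixture shows the boundary: offset 65512 plus 3 data bytes ends exactly at 65515 and is accepted, while the third, at the maximum offset 65528 with 8 bytes of data, ends at 65536 and is rejected before any buffer is touched.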


_______________________________________________
Linux-il mailing list
Linux-il@cs.huji.ac.il
http://mailman.cs.huji.ac.il/mailman/listinfo/linux-il
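The reply contrasts a ping flood with a SYN flood, whose packets "look identical to the legitimate traffic". What does distinguish a flood is that the handshake never completes. The following is an added example (not part of the thread) of the half-open accounting a monitor can run over a capture or firewall log: each client SYN to the server opens an entry, the client's handshake-completing ACK closes it, and what remains inside the window is the half-open load. The event tuples, addresses (192.0.2.10 as the server, 198.51.100.7 as a real client, 203.0.113.0/24 as the flooding sources) and the `backlog` and `per_source_limit` thresholds are all constructed assumptions.

```python
from collections import defaultdict

# Constructed sample events: (timestamp, src, sport, dst, dport, flags), as a firewall log
# or capture tool might export them. First a complete handshake, then 500 bare SYNs from
# 256 rotating sources that are never followed by an ACK.
SAMPLE_EVENTS = [
    (0.00, "198.51.100.7", 40001, "192.0.2.10", 80, "S"),
    (0.01, "192.0.2.10", 80, "198.51.100.7", 40001, "SA"),
    (0.02, "198.51.100.7", 40001, "192.0.2.10", 80, "A"),
] + [
    (0.1 + i * 0.001, f"203.0.113.{i % 256}", 1024 + i, "192.0.2.10", 80, "S")
    for i in range(500)
]


def summarize_half_open(events, server_ip, server_port, now=None, window=1.0):
    """Return (total_half_open, per_source_counts) for client connections to the server
    whose SYN was seen within `window` seconds of `now` and never followed by the client's ACK."""
    half_open = {}  # (client_ip, client_port) -> timestamp of the SYN
    for ts, src, sport, dst, dport, flags in events:
        if dst != server_ip or dport != server_port:
            continue  # only client -> server packets matter for this bookkeeping
        key = (src, sport)
        if "S" in flags:
            half_open[key] = ts
        elif "A" in flags and key in half_open:
            del half_open[key]  # third handshake step: connection is established
    if now is None:
        now = max(ts for ts, *_ in events)
    recent = {k: t for k, t in half_open.items() if now - t <= window}
    per_source = defaultdict(int)
    for ip, _port in recent:
        per_source[ip] += 1
    return len(recent), dict(per_source)


def syn_flood_verdict(events, server_ip, server_port, backlog=128, per_source_limit=20):
    """Combine an aggregate check (does half-open load exceed the listen backlog?) with a
    per-source check. Spoofed or rotating sources defeat the per-source view alone,
    which is why the aggregate figure is the one that matters for SYN flood detection."""
    total, per_source = summarize_half_open(events, server_ip, server_port)
    noisy = {ip: n for ip, n in per_source.items() if n > per_source_limit}
    return {
        "half_open": total,
        "backlog_exceeded": total > backlog,
        "noisy_sources": noisy,
    }


if __name__ == "__main__":
    print(syn_flood_verdict(SAMPLE_EVENTS, "192.0.2.10", 80))
```

On the constructed sample no single source exceeds the per-source limit (each appears at most twice), yet 500 half-open entries sit against a backlog of 128, so the aggregate check fires. That is the mitigation-relevant signal: the response is SYN cookies or a reduced SYN-RECEIVED timeout on the server, not a per-address block list.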