After hearing how sites relevant to the anti-spam effort have been taken
down by DDoS attacks, I started thinking about how to prevent this from
happening to Choicelist when I get it going (I have been thinking like mad
about how to protect it, and am getting close to a finished program layout).
I think I figured it out.
Using IPv6 the available address space expands amazingly. I could easily
have a billion addresses to myself. This would allow me to have a different
IP address for each and every person who could possibly connect to my
system. I could assign each authorized user an IP and port, then if a
connection came to a different port on that IP I could route all traffic to
the great bit bucket in the sky. This should reduce the effectiveness of a
random DDoS attack against my address space by around 60 thousand times.
If a person connects to the correct IP, I can demand a 1k password before
sending any confirmation of an open connection. This would further reduce
the effectiveness of a DDoS to almost zero, because there is no way to know
if a packet is consuming resources other than at the connection border, as
even a valid connection would not give confirmation unless a valid 1k packet
was received.
If one of the valid IP + port combinations is getting hit, you can just ignore
that IP + port too, and the only user you have cut off from the system is
the user who let that info slip.
With a system like this in place, a DDoS attack would have to be EXTREMELY
huge in order to affect the end servers. This should prove to be enough of a
deterrent that a DDoS attack wouldn't be worth the effort to carry it out.
Just a thought...
John Fenley
Just to sum up:
Use massive address space to hide from a DDoS attack.
Valid users could still connect.
_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg
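The per-user address/port gate sketched in the post, as an added simulation that is not the poster's code: each authorized user gets one (IPv6 address, port) pair, packets to any other pair are dropped silently, nothing is confirmed until a valid 1 KiB pre-shared token arrives, and a pair that keeps receiving bad packets is revoked so only that user is cut off. The prefix, token, port numbers and the HIT_LIMIT threshold are constructed for the example.

```python
"""Simulation of the IPv6 address + port gate described in the post.

Added example, not John Fenley's code. Assumptions: one (address, port)
pair per authorized user; no reply of any kind until a 1 KiB pre-shared
token arrives; a pair that collects HIT_LIMIT bad packets is revoked.
"""
import hmac
import ipaddress

TOKEN_LEN = 1024   # the "1k password" from the post
HIT_LIMIT = 3      # constructed threshold for revoking a leaked pair


class Gate:
    def __init__(self, prefix):
        self.prefix = ipaddress.IPv6Network(prefix)
        self.users = {}      # (address, port) -> (user, token)
        self.hits = {}       # (address, port) -> count of bad packets
        self.revoked = set()

    def assign(self, user, index, port, token):
        """Hand out the index-th address of the prefix plus a port."""
        addr = self.prefix[index]
        self.users[(addr, port)] = (user, token)
        return addr, port

    def handle(self, dst_addr, dst_port, payload):
        """Return 'accept:<user>' or 'drop'; 'drop' sends nothing back."""
        key = (ipaddress.IPv6Address(dst_addr), dst_port)
        if key in self.revoked or key not in self.users:
            return "drop"            # unassigned or burned pair: bit bucket
        user, token = self.users[key]
        if len(payload) == TOKEN_LEN and hmac.compare_digest(payload, token):
            return f"accept:{user}"  # only now is the connection confirmed
        # Right pair but wrong token: count it, revoke the pair if it persists.
        self.hits[key] = self.hits.get(key, 0) + 1
        if self.hits[key] >= HIT_LIMIT:
            self.revoked.add(key)    # cuts off just the user who leaked it
        return "drop"
```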