Re: [Asrg] 6. Proposals - Ddos Prevention (was RMX I Never send mail)

2003-09-27 07:58:33
On Thu, Sep 25, 2003 at 04:46:25PM -0600, John Fenley wrote:
> After hearing how sites relevant to the anti-spam effort have been
> taken down by DDoS attacks, I started thinking about how to prevent
> this from happening to Choicelist when I get it going (I have been
> thinking like mad about how to protect it, and am getting close to
> a finished program layout).
>
> I think I figured it out.
>
> Using IPv6 the available address space expands amazingly. I could
> easily have a billion addresses to myself. This would allow me
> to have a different IP address for each and every person who could
> possibly connect to my system. I could assign each authorized user
> an IP and port, then if a connection came to a different port on
> that IP I could route all traffic to the great bit bucket in the
> sky. This should reduce the effectiveness of a random DDoS attack
> against my address space by around 60 thousand times.

  I do not take pleasure in throwing cold water on enthusiastic idealists,
but your proposal won't work.  The problem is that a DDoS doesn't attack
an IP address; rather, it attacks the ISP's bandwidth.  And since all IP
addresses on the ISP share a common pipe, plugging the common pipe with
a DDoS attack blocks service for *ALL* IP addresses that the ISP has.
It doesn't matter if you get 1 IP address, 16,000 addresses in an entire
Class C, or a billion addresses under IPv6.  If your ISP gets knocked
out, your 1 IP address is useless.  Getting a billion addresses simply
means that you'll have a billion useless addresses.  Somebody like AOL
has...
  a) the resources to withstand attacks that would bring down smaller
networks
  b) enough customers, importance, and financial clout, that if they
were taken down, the FBI/CIA/NSA and every other available US government
resource would be thrown into the effort to find the perpetrators.

> Just to sum up:
> Use massive address space to hide from a DDoS attack.
> Valid users could still connect.

  It's not the sheer amount of address space, it's the diversity of
routes.  E.g. businesses for whom down-time is financially unacceptable
use multi-homing, i.e. they have multiple T1's (or whatever) connected
via different routes and different ISPs.  One of their ISPs can be
knocked out, and the website (or whatever) will keep functioning, with
possibly a slower response.

-- 
Walter Dnes <waltdnes(_at_)waltdnes(_dot_)org>
Email users are divided into two classes;
1) Those who have effective spam-blocking
2) Those who wish they did

_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg
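The shared-pipe argument in the reply above, as a toy packet-level simulation added here (it is not code from the thread or from either author). It models one upstream link of fixed capacity with an (ip, port) allow-list sitting behind it, and then the multi-homed case with two independent links. All traffic volumes, the link capacity and the single authorized slot are assumed parameters, not measurements; the point is only to show that the allow-list can drop attack packets very effectively and still not help, because the loss already happened upstream of it.

```python
"""Toy model of "the DDoS fills the ISP's pipe, not your address".

Constructed for this example; every number is an assumed parameter.
"""
import random

PORTS = 65536  # possible ports per address


def one_tick(capacity, attack_pkts, legit_pkts, addr_pool, rng):
    """Push one tick of traffic through an upstream link, then through the
    server's (ip, port) allow-list.

    The allow-list sits *behind* the link, so it can only act on packets
    the link already carried.  Returns (legit_delivered, attack_past_filter).
    """
    offered = attack_pkts + legit_pkts
    if offered == 0:
        return 0, 0
    # Once oversubscribed the link drops at random: every packet, legit or
    # not, survives with probability capacity/offered (tail-drop approximation).
    survive = min(1.0, capacity / offered)
    legit_delivered = sum(1 for _ in range(legit_pkts) if rng.random() < survive)
    attack_through_link = sum(1 for _ in range(attack_pkts) if rng.random() < survive)
    # Allow-list: exactly one authorized (ip, port) slot out of addr_pool * PORTS
    # (assumed: one legitimate user).  Attackers hit a random slot; anything
    # else goes to the bit bucket.
    slots = addr_pool * PORTS
    attack_past_filter = sum(1 for _ in range(attack_through_link)
                             if rng.randrange(slots) == 0)
    return legit_delivered, attack_past_filter


def single_homed(addr_pool, capacity=10_000, attack_pkts=50_000,
                 legit_pkts=1_000, seed=1):
    """Return (fraction of legit packets delivered, attack packets that the
    allow-list let through) for one tick with the given address pool."""
    rng = random.Random(seed)
    delivered, past_filter = one_tick(capacity, attack_pkts, legit_pkts,
                                      addr_pool, rng)
    return delivered / legit_pkts, past_filter


def multihomed_fraction(capacity=10_000, attack_pkts=50_000, legit_pkts=1_000,
                        failover=True, seed=1):
    """Two independent upstream links.  The attack lands on link A only.
    Legit traffic is split evenly until the operator shifts it all to link B;
    returns the fraction of legit packets delivered."""
    rng = random.Random(seed)
    if failover:
        via_a, via_b = 0, legit_pkts
    else:
        via_a, via_b = legit_pkts // 2, legit_pkts - legit_pkts // 2
    got_a, _ = one_tick(capacity, attack_pkts, via_a, 1, rng)
    got_b, _ = one_tick(capacity, 0, via_b, 1, rng)
    return (got_a + got_b) / legit_pkts


if __name__ == "__main__":
    for pool in (1, 256, 1_000_000_000):
        frac, leaked = single_homed(pool)
        print(f"addr_pool={pool:>13}: legit delivered {frac:.3f}, "
              f"attack packets past allow-list {leaked}")
    print(f"multihomed, before failover: {multihomed_fraction(failover=False):.3f}")
    print(f"multihomed, after failover:  {multihomed_fraction():.3f}")
```

With the assumed numbers the link carries about one packet in five, so roughly 20% of legitimate traffic gets through whether the pool is one address or a billion; the billion-address pool merely makes the allow-list drop essentially every attack packet that the link did carry. Moving the legitimate traffic to a second, unflooded link is what restores delivery, which is the route-diversity point the reply makes.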