[MUD-Dev] DDoS

J C Lawrence claw at kanga.nu
Sun Apr 16 22:34:31 CEST 2000


On Wed, 12 Apr 2000 18:19:05 +0000 (GMT) 
Matthew Mihaly <the_logos at achaea.com> wrote:

> I live in fear of such a thing. We have no plan on how to deal
> with it either. 

Marcus Ranum, a very early dinosaur of the MUD world and author of
UnterMUD/UberMUD and other bits, is now well known as a security guy
(and not a bad photographer).  Some of you may know him as the author of
the TIS Firewall Toolkit or "TISGate".  While I don't always agree
with him in details or application on security concerns, I've always
agreed with him in principle.  At his web site he has quite a good
collection of writings and documents on security related areas and,
more usefully, how to think about those areas intelligently and with
a correct sense of proportion:

  http://www.clark.net/pub/mjr/

> If they can bring down major internet sites, they can bring us
> down.

The DoS attacks that were recently run against Ebay etc were unusual
in that no mass volumes of traffic came from any one address, and
the address list of the attacking sites changed with some frequency.
Thus it was that none of the adaptive filters, which were written
for single-source attacks, were in a position to compensate.

There are better adaptive rules going about now.  I wouldn't say a
whole LOT better, but better.

The problem, as always, is determining a pattern which matches the
Bad Guys without catching too many Good Guys, _and_ without costing
too much in terms of process overhead, performance, or $$$.  When
you have an attacker who is deliberately and carefully attempting to
hide himself behind many sources (an odd form of reverse
steganography in a way) this can be very difficult.

There are some defense responses which require hands-on decision
making and implementation at the time.  This is often one.  Your ISP
should be far more than willing to help with this however (ie
pounding on your door) as that traffic will not only be killing you,
it will be killing their network and all their other fee paying
customers.

As always, select your ISP with care and then watch them.  They, and
their technical staff, are not created equal and _do_ change over
time.

--
J C Lawrence                                 Home: claw at kanga.nu
----------(*)                              Other: coder at kanga.nu
--=| A man is as sane as he is dangerous to his environment |=--


_______________________________________________
MUD-Dev mailing list
MUD-Dev at kanga.nu
http://www.kanga.nu/lists/listinfo/mud-dev
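
Added example, not part of the original post: a small Python sketch of why a per-source threshold misses traffic spread over many changing sources, and what an aggregate per-window view shows instead. The window size, limits, baseline and all source names are assumptions, and the traffic is constructed sample data.

```python
from collections import Counter, defaultdict

WINDOW = 10            # seconds per counting window (assumed)
PER_SOURCE_LIMIT = 50  # requests per source per window (assumed)
BASELINE = 40          # normal total requests per window (assumed)
SURGE_FACTOR = 5       # flag windows above SURGE_FACTOR * BASELINE

def bucket(events):
    """Group (timestamp, source) events into per-window source counters."""
    windows = defaultdict(Counter)
    for ts, src in events:
        windows[ts // WINDOW][src] += 1
    return windows

def per_source_offenders(events, limit=PER_SOURCE_LIMIT):
    """Single-source filter: sources exceeding `limit` in any one window."""
    return {src for counts in bucket(events).values()
            for src, n in counts.items() if n > limit}

def aggregate_surges(events):
    """Windows whose total volume is abnormal, regardless of who sent it.
    Returns {window: (total, distinct_sources, top_source_share)}."""
    surges = {}
    for w, counts in bucket(events).items():
        total = sum(counts.values())
        if total > SURGE_FACTOR * BASELINE:
            surges[w] = (total, len(counts), max(counts.values()) / total)
    return surges

# --- constructed sample traffic ---
def normal(w):               # 20 legitimate clients, 2 requests each
    return [(w * WINDOW + i % WINDOW, f"10.0.0.{i % 20}") for i in range(40)]

def single_source_flood(w):  # one source, 500 requests
    return [(w * WINDOW + i % WINDOW, "192.0.2.1") for i in range(500)]

def distributed_flood(w):    # 300 sources, 2 requests each, new set per window
    return [(w * WINDOW + i % WINDOW, f"bot{w}-{i % 300}") for i in range(600)]

SINGLE = normal(0) + single_source_flood(0)
DISTRIBUTED = (normal(0) + normal(1) + distributed_flood(1)
               + normal(2) + distributed_flood(2))

if __name__ == "__main__":
    print("single-source flood, per-source filter:", per_source_offenders(SINGLE))
    print("distributed flood, per-source filter:  ", per_source_offenders(DISTRIBUTED))
    print("distributed flood, aggregate view:     ", aggregate_surges(DISTRIBUTED))
    # Tightening the per-source limit until it trips on the flood sources
    # also trips on every legitimate client, since both send 2 per window.
    hits = per_source_offenders(DISTRIBUTED, limit=1)
    print("legit clients caught at limit=1:", sum(s.startswith("10.") for s in hits))
```

The aggregate view only says that something is wrong and in which window; it does not say which sources to drop, which is where the hands-on decision making comes in.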


