[MUD-Dev] DDoS

Matthew D. Fuller fullermd at over-yonder.net
Mon Apr 17 23:32:16 CEST 2000


On Mon, Apr 17, 2000 at 05:09:34PM +0200 I heard the voice of
Ola Fosheim Grøstad, and lo! it spake thus:
> 
> I'm personally not very pragmatic when it comes to networks as I don't
> have to deal with any admin aspect of them (yet).  What interests me
> (beyond what MUD admins/designers actually experience/worry about) is
> the design implications DDoS type attacks have for a MUD design. For
> instance, how flexible are the filtering capabilities of routers? Can I
> slack my own (server software) "defences" and leave certain things to
> say the router?  Can I make my system more robust by choosing a
> particular strategy (like using a particular topology in a distributed
> system)?
> 
...
>
> I'd like to see some ideas on how to make DDoS less effective. If
> scaling up (the attack) is what kills you, then maybe scaling up (the
> number of nodes) is what will save you? (if done right)

One thing to bear in mind is exactly what they're DoS'ing.

The apparent motion of most of the 'popular' DoS attacks now is to attack
your connectivity; in fact, that's the main point of the distributed DoS
family; it doesn't affect (in the case of the Yahoo attack) their
webservers save minutely, it just annihilates their bandwidth.  There's
nothing you as the server can do about it, because by the time it gets
to you it's too late.  If you have a reasonably robust server, it's
unlikely to have a direct effect on it, but you're left with little to
no pipe to the net at large, which is the damage.  To really fix that,
it has to be blocked at every step along the way, because even if you
block it out at your router, it's already eaten the whole pipe between
you and your upstream.  Note also that the largest of these still require
a good bit of effort to implement, and a modicum of risk; thus, you're
unlikely to get hit by something like the more publicized recent attacks
unless you're rather high profile, like eBay and Yahoo are.

The set of DoS'en that attack particular servers are (IMHO) somewhat
smaller, and far less spectacular.  These don't damage by stopping the
connection, they damage by stopping the server from working, generally
through either flooding or malformed input.  The second problem can be
solved by proper error checking, the first by making the system efficient
enough (or with proper rate-limiting and other such features) to make it
essentially impossible to 'overload' it.



--
Matthew Fuller     (MF4839)     |    fullermd at over-yonder.net
Unix Systems Administrator      |    fullermd at futuresouth.com
Specializing in FreeBSD         |    http://www.over-yonder.net/

"The only reason I'm burning my candle at both ends, is because I
      haven't figured out how to light the middle yet"



_______________________________________________
MUD-Dev mailing list
MUD-Dev at kanga.nu
http://www.kanga.nu/lists/listinfo/mud-dev
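
An added example, not part of the original message or of any MUD codebase: the two server-side defences named in the last paragraph above (error checking for malformed input, rate-limiting for floods) applied per connection to a line-based command stream. The limits MAX_LINE, BURST and RATE and all function names are assumptions chosen for illustration.

```c
#include <string.h>

#define MAX_LINE 256   /* assumed cap on one command line */
#define BURST    5.0   /* assumed burst size, in commands */
#define RATE     2.0   /* assumed sustained commands per second */

enum verdict { NEED_MORE, ACCEPT, DROP_RATE, DROP_MALFORMED };

struct conn {              /* per-connection state */
    double tokens, last;   /* bucket level, time of last refill */
    size_t len;            /* bytes buffered for the current line */
    int bad;               /* current line already known malformed */
    char line[MAX_LINE + 1];
};

void conn_init(struct conn *c, double now) {
    memset(c, 0, sizeof *c);
    c->tokens = BURST;
    c->last = now;
}

/* Feed one received byte; `now` is a monotonic clock in seconds. */
enum verdict conn_feed(struct conn *c, unsigned char b, double now) {
    if (b == '\r') return NEED_MORE;
    if (b != '\n') {
        /* Error checking: flag over-long lines and control bytes. */
        if (c->len >= MAX_LINE || b < 0x20 || b == 0x7f) c->bad = 1;
        else c->line[c->len++] = (char)b;   /* never past the buffer */
        return NEED_MORE;
    }
    c->line[c->len] = '\0';
    int bad = c->bad;
    c->len = 0; c->bad = 0;                 /* start the next line clean */
    if (bad) return DROP_MALFORMED;
    /* Rate limiting: refill by elapsed time, spend one token per line. */
    c->tokens += (now - c->last) * RATE;
    if (c->tokens > BURST) c->tokens = BURST;
    c->last = now;
    if (c->tokens < 1.0) return DROP_RATE;
    c->tokens -= 1.0;
    return ACCEPT;                          /* command text is in c->line */
}

/* Feed a whole string; returns the verdict for its last byte. */
enum verdict conn_feed_str(struct conn *c, const char *s, double now) {
    enum verdict v = NEED_MORE;
    while (*s) v = conn_feed(c, (unsigned char)*s++, now);
    return v;
}
```

A caller would act on ACCEPT only and could close the connection after repeated DROP_MALFORMED or DROP_RATE verdicts; as the message says, none of this helps once the upstream pipe itself is saturated.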


