Distributed Denial of Service Defense

James F. Carter <jimc@jfcarter.net>, 2016-11-10

On 2016-10-21 an unknown perpetrator for an unknown purpose utilized a botnet marshalled by the Mirai software to do a Distributed Denial of Service (DDoS) attack on dyn.com's DNS servers worldwide. Here are some web resources about the attack.

Although the sheer number of incoming packets can be a problem in a modern DDoS, the major issue is to avoid performing expensive services or spending outgoing bandwidth (like sending a web page) for the bad guys: you want to just toss their packets. So how do you distinguish good from evil clients? After the attack has started you can look for common features of the evil packets and put in a firewall rule that does packet inspection and tosses them. But my goal is to defend my own net, which requires the method to be generic and to work without a lot of hand-holding by the sysop.

This necessarily means that you need to key on the source address of the incoming packets, which for a lot of attack techniques might or must be spoofed. Spoofing is hard to detect at the victim end, but much easier at the source. But do source ISPs actually suppress spoofed source addresses?

I had a brainwave for a method to resist and defend against a DDoS. The goal is to provide normal service to legitimate clients despite massive traffic from attacking bots. The basic plan is to use the fq_codel traffic control queue discipline (Fair Queuing with Controlled Delay), or possibly the hashlimit or recent firewall match rules, to split up the packets by source address. Then a limit is put on the rate of packets coming from each IP address or address range. Clients that make connections at a modest rate are considered legitimate; those sending lots of packets get tossed. But this scheme has some problems.

Conclusion: This method is useless when the attackers spoof their source addresses (except for a reflector attack). But it could be useful to protect a webserver where the attacker has to actually interact with the server to do damage. Comparing the likelihood that I will be attacked (low) versus the amount of work needed to create the defense and the fraction of attacks that it will repel, I think it's not a good idea for me to go forward with this defense method.
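To make the per-source rate-limiting plan and its spoofing weakness concrete, here is an added simulation (my own illustration, not the author's code and not netfilter or tc). It models what a hashlimit/recent rule or a queue discipline keyed on source address does: one token bucket per source, with the rate and burst numbers, the client addresses and the traffic patterns all constructed for the example. A bot flooding from a fixed address is throttled while a modest client is untouched; the same flood with a fresh spoofed source on every packet passes entirely, which is the failure mode the conclusion describes.

```python
# Added example (not the author's code): simulate a per-source-address packet
# rate limiter, the mechanism that a hashlimit/recent rule or a queue discipline
# keyed on source address would provide, and show the caveat from the article:
# a fixed-address flood is throttled, a spoofed-source flood is not.
from collections import defaultdict


class SourceRateLimiter:
    """One token bucket per source address (constructed model, not netfilter)."""

    def __init__(self, rate_per_sec, burst):
        self.rate = rate_per_sec      # sustained packets/s allowed per source
        self.burst = burst            # bucket capacity (initial allowance)
        self.buckets = {}             # src -> (tokens, last_seen_time)

    def allow(self, src, now):
        """Return True if the packet from src at time `now` should be accepted."""
        tokens, last = self.buckets.get(src, (float(self.burst), now))
        tokens = min(float(self.burst), tokens + (now - last) * self.rate)
        if tokens >= 1.0:
            self.buckets[src] = (tokens - 1.0, now)
            return True
        self.buckets[src] = (tokens, now)   # no token: drop, but keep the refill clock
        return False


def run_traffic(limiter, packets):
    """packets: list of (time_seconds, src). Returns {src: (accepted, dropped)}."""
    stats = defaultdict(lambda: [0, 0])
    for t, src in sorted(packets):
        stats[src][0 if limiter.allow(src, t) else 1] += 1
    return {src: tuple(v) for src, v in stats.items()}


def client_packets(src, pps, seconds):
    """Constructed traffic: a client at src sending `pps` packets/s for `seconds`."""
    return [(i / pps, src) for i in range(int(pps * seconds))]


def spoofed_flood(count, pps):
    """Constructed flood in which every packet carries a different (spoofed) source."""
    return [(i / pps, "10.%d.%d.%d" % ((i >> 16) & 255, (i >> 8) & 255, i & 255))
            for i in range(count)]


LEGIT = "192.0.2.10"        # documentation address, constructed for the example
BOT = "198.51.100.7"        # documentation address, constructed for the example


def fixed_source_scenario():
    """Legit client at 2 pkt/s plus one bot at 200 pkt/s from a fixed address."""
    limiter = SourceRateLimiter(rate_per_sec=10, burst=20)
    packets = client_packets(LEGIT, 2, 10) + client_packets(BOT, 200, 10)
    return run_traffic(limiter, packets)


def spoofed_source_scenario():
    """Same legit client, but the bot spoofs a fresh source on every packet."""
    limiter = SourceRateLimiter(rate_per_sec=10, burst=20)
    packets = client_packets(LEGIT, 2, 10) + spoofed_flood(2000, 200)
    stats = run_traffic(limiter, packets)
    accepted = sum(a for a, _ in stats.values())
    dropped = sum(d for _, d in stats.values())
    return accepted, dropped


if __name__ == "__main__":
    fixed = fixed_source_scenario()
    print("fixed-source bot (accepted, dropped):", fixed[BOT])
    print("legit client (accepted, dropped):", fixed[LEGIT])
    print("spoofed bot + legit client (accepted, dropped):", spoofed_source_scenario())
```

In the fixed-source run the legitimate client's 20 packets are all accepted while the bot gets through only its initial burst plus the sustained rate, roughly 120 of 2000 packets; in the spoofed run every one of the 2000 bot packets lands in an empty bucket and is accepted, so the limiter cannot tell the flood from 2000 new clients. That is the reason a reflector attack, where the reflectors' real addresses repeat, is the one case the scheme still handles.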