Dear Mister Jain,
Thank you for your reply.
You are speaking about EDoS (Economic Denial of Sustainability). Please
see the following article:
http://www.rationalsurvivability.com/blog/?s=EDos
Consider a new take on an old problem based on ecommerce: Click-fraud. I
frame this new embodiment as something called EDoS — economic denial of
sustainability. Distributed Denial of Service (DDoS) attacks are blunt
force trauma. The goal, regardless of motive, is to overwhelm
infrastructure and remove from service a networked target by employing a
distributed number of attackers. An example of DDoS is where a
traditional botnet is activated to swarm/overwhelm an Internet connected
website using an asynchronous attack which makes the site unavailable
due to an exhaustion of resources (compute, network, or storage.)
EDoS attacks, however, are death by a thousand cuts. EDoS can also
utilize distributed attack sources as well as single entities, but works
by making legitimate web requests at volumes that may appear to be
“normal” but are done so to drive compute, network, and storage utility
billings in a cloud model abnormally high.
An example of EDoS as a variant of click fraud is where a botnet is
activated to visit a website whose income results from ecommerce
purchases. The requests are all legitimate but purchases are never made.
The vendor has to pay the cloud provider for increased elastic use of
resources but revenue is never recognized to offset them.
We have anti-DDoS capabilities today with tools that are quite mature.
DDoS is generally easy to spot given huge increases in traffic. EDoS
attacks are not necessarily easy to detect, because the instrumentation
and business logic is not present in most applications or stacks of
applications and infrastructure to provide the correlation between
“requests” and “successful transactions.” In the example above,
increased requests may look like normal activity. Many customers do not
invest in this sort of integration and Cloud providers generally will
not have visibility into applications that they do not own.
Best Regards,
Guillaume FORTAINE
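The article's point is that EDoS hides in the gap between "requests" and "successful transactions". The following is an added example (not code from the article or from anyone in this thread) of the kind of correlation check it says most stacks lack: it assumes a hypothetical log format of "HH:MM client_ip method path status", treats a successful POST to /checkout/complete as the transaction event, and flags minute windows whose purchases-per-request ratio collapses relative to a baseline while request volume looks normal.

```python
import re
from collections import defaultdict
# Constructed sample log in a hypothetical "HH:MM client_ip method path status" format.
SAMPLE_LOG = """\
12:00 198.51.100.10 GET /product/17 200
12:00 198.51.100.10 POST /checkout/complete 200
12:00 198.51.100.11 GET /product/42 200
12:01 198.51.100.12 GET /product/3 200
12:01 198.51.100.13 GET /product/8 200
12:01 198.51.100.13 POST /checkout/complete 200
12:02 203.0.113.21 GET /product/17 200
12:02 203.0.113.22 GET /product/42 200
12:02 203.0.113.23 GET /product/3 200
12:02 203.0.113.24 GET /product/8 200
12:02 203.0.113.25 GET /product/17 200
"""
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")
PURCHASE = ("POST", "/checkout/complete")  # the "successful transaction" event (assumed)

def window_stats(log_text):
    """Per time window: request count, distinct client IPs, completed purchases."""
    stats = defaultdict(lambda: {"requests": 0, "clients": set(), "purchases": 0})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort the whole analysis
        window, ip, method, path, status = m.groups()
        w = stats[window]
        w["requests"] += 1
        w["clients"].add(ip)
        if (method, path) == PURCHASE and status == "200":
            w["purchases"] += 1
    return stats

def flag_edos_windows(log_text, baseline_windows=2, ratio_drop=0.5, min_requests=5):
    """Flag windows whose purchase ratio is below ratio_drop * baseline ratio
    (baseline pooled over the first baseline_windows windows) at normal volume."""
    stats = window_stats(log_text)
    order = sorted(stats)
    base = order[:baseline_windows]
    base_req = sum(stats[w]["requests"] for w in base)
    base_buy = sum(stats[w]["purchases"] for w in base)
    if base_buy == 0:
        raise ValueError("no purchases in baseline windows; cannot calibrate")
    base_ratio = base_buy / base_req
    flagged = []
    for w in order[baseline_windows:]:
        s = stats[w]
        ratio = s["purchases"] / s["requests"]
        if s["requests"] >= min_requests and ratio < ratio_drop * base_ratio:
            # (window, requests, distinct clients, purchase ratio)
            flagged.append((w, s["requests"], len(s["clients"]), round(ratio, 3)))
    return flagged
```

In the constructed sample, 12:02 carries only a handful of well-formed requests from distinct clients, so a per-IP rate threshold sees nothing, yet the zero purchase ratio against a baseline of one in three stands out immediately.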
On 03/15/2010 06:04 PM, Deepak Jain wrote:
At first blush, I would say it's an interesting idea but won't actually resolve
any of the scariest DDOS attacks we've seen. (Unless I've missed something
obvious about your doodle).
The advantage/disadvantage of 100,000+ host drone armies is that they don't actually
*have* to flood you, per se. 10 pps (or less) each and you are going to crush almost
everything without raising any alarms based on statistically significant patterns
especially based on IPs. Fully/properly formed HTTP port 80 requests to "/"
won't set off any alarms since each host is opening 1 or 2 connections and sending
keepalives after that. If you forcibly close the connection, it can wait 5 seconds or 15
minutes before it reopens, it doesn't really care. Anything that hits you faster than
that is certainly obnoxious, but MUCH easier to address simply because they are being
boring.
You *can* punt those requests that are all identical to
caches/proxies/IDS/Arbor/what have you and give higher priority to requests
that show some differences from them... but you are still mostly at the mercy
of serving them unless you *can* learn something about the
originator/flow/pattern -- which might get you into a state problem.
Where this might work is if you are a large network that only serves one sort
of customer and you'd rather block rogue behavior than serve it (at the risk of
upsetting your 1% type customers). This would work for that. Probably good at
stomping torrents and other things as well.
Best,
Deepak
-----Original Message-----
From: Guillaume FORTAINE [mailto:gforta...@live.com]
Sent: Monday, March 15, 2010 2:57 AM
To: nanog@nanog.org
Subject: Re: OBESEUS - A new type of DDOS protector
Dear Mister Wyble,
Thank you for your reply.
On 03/15/2010 07:00 AM, Charles N Wyble wrote:
The paper is pretty high level, and the software doesn't appear to be
available for download.
http://www.loud-fat-bloke.co.uk/obeseus.html
http://www.loud-fat-bloke.co.uk/tools/obeseusvB.tar.gz
So it's kinda theoretical.
"We have it running parallel with a commercial product and it detects
the following attacks:
▪ SYN floods
▪ RST floods
▪ ICMP floods
▪ General UDP floods
▪ General TCP floods"
Best Regards,
Guillaume FORTAINE