Michael Richardson writes:
> > Tero Kivinen <[email protected]> wrote:
> > 3) Client can also be a smartphone, i.e. a device which has quite a lot of
> > CPU power and/or memory, but does not want to use it as it would
> > increase the power usage so much that the battery life will be
> > shortened.
>
> Except that the client being a smartphone/etc. is behind NAT44, and along with
> ten thousand other smartphones, all have the same IP address... this matters
> because that scenario is probably indistinguishable from:

Good, as then we get rid of the NAT44... And then I woke up...

Anyways, I would expect big CGNs to try to spread the clients over multiple different IP-addresses, instead of putting them all on a single IP-address. There are lots of other things that get banned by IP-address, so this kind of spreading is something they should do anyway. For example forums, games etc. quite often ban specific IP-addresses for a while after certain bad events. I know that slashdot once banned our company IP-block because some people fetched their main page too often...

> > 7) Botnets have a huge amount of CPU power and lots of memory, but still a
> > limited number of distinguished IPv4-addresses or IPv6-prefixes (it
> > might be millions, but most likely around thousands or tens of
> > thousands of IP-addresses).
>
> a situation where there is an enterprise of compromised systems behind
> the enterprise firewall. (University lab networks come to mind...)

In which case it is a good thing that people start complaining to the helpdesk, which will start investigating the issue, and they find out they have botnet machines inside the network... I.e. it is almost impossible to protect against attacks where the attacker is inside your own machine or located very close to you...

> Further, the botnets don't need to present thousands of distinguished IPv4
> addresses, they can present a small number of attack nodes, spreading the
> work across the botnet?

You assume that the cost of the puzzle would be meaningful for them so it would be useful to spread the work. I assume it will not be. Most likely the puzzles need to be something that the small devices can also solve, which means they are not that expensive for the real desktop machines.

On the other hand, if sending a single packet costs 1 unit of CPU power, and the attacker has 10000 units of CPU power in his machine, that means he can send 10,000 packets per second out. If the puzzle requires 100 units of power, that means we reduced the attack speed down to 100 packets per second. For the SGW, verification will most likely take something like 1 unit, so it can withstand attacks of 100 machines with the same CPU power as it has. If the small device has 10 units of CPU power per second, that means it will take 10 seconds to solve the puzzle, but as I said the small device will most likely be able to cope with such a long delay for the connection, and it can still connect.

Spreading the attacks to 1000 other machines does not really help, as the network overhead to distribute the puzzles will get more expensive than solving the actual puzzle... Also the attacker will need lots of different IP-addresses, as those it has used before will get blacklisted. There are also ways of using constant memory to store this kind of blacklist (http://en.wikipedia.org/wiki/Bloom_filter) which are already used for graylisting and such in mail servers to filter out requests by IP-address.

> So this tells me that we are looking for puzzles which are *not*
> parallelizable. I know little about this kind of stuff...

If the puzzle is very expensive then yes, but if it is just to raise the relative cost of the attacker higher, then they most likely will not have a reason to distribute it. Also the number of unique source IP-addresses is a much bigger problem for them than CPU power...

> I suspect, however, that the simplest machines to DDoS will be the
> smallest gateways.

Of course. On the other hand the attackers have less interest in attacking those. It does not really get into the news when they tell that they DDoSed some person's home gateway. Most likely even if they tell that they DDoSed 10000 home gateways it is not really news... Most of the users would not even notice this, they would just blame their ISP or vendor as the device is slow, and then they would reboot it :-)

I would expect the attack to go against big enterprises, for example the power or phone companies.

--
[email protected]

_______________________________________________
IPsec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ipsec
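The cost asymmetry argued in the message above (a client pays many hash operations per request, the gateway pays one to verify) and the constant-memory Bloom-filter blacklist it points to, as an added Python sketch that is not code from this thread or from any IKEv2 implementation; the hashcash-style SHA-256 puzzle, the `handle_request` policy and the example addresses are assumptions for illustration:

```python
import hashlib

def leading_zero_bits(digest: bytes) -> int:
    return 256 - int.from_bytes(digest, "big").bit_length()

def solve_puzzle(challenge: bytes, bits: int):
    """Client side: find a nonce so SHA-256(challenge || nonce) starts with
    `bits` zero bits; expected cost about 2**bits hashes per request."""
    nonce, attempts = 0, 0
    while True:
        attempts += 1
        digest = hashlib.sha256(challenge + nonce.to_bytes(8, "big")).digest()
        if leading_zero_bits(digest) >= bits:
            return nonce, attempts
        nonce += 1

def verify_puzzle(challenge: bytes, bits: int, nonce: int) -> bool:
    """Gateway side: a single hash, whatever the difficulty."""
    digest = hashlib.sha256(challenge + nonce.to_bytes(8, "big")).digest()
    return leading_zero_bits(digest) >= bits

class BloomFilter:
    """Constant-memory blacklist of source addresses (hypothetical helper):
    false positives possible, false negatives impossible."""
    def __init__(self, m_bits: int = 8192, k: int = 4):
        self.m, self.k = m_bits, k
        self.bits = bytearray((m_bits + 7) // 8)

    def _positions(self, item: str):
        for i in range(self.k):  # k independent bit positions per item
            h = hashlib.sha256(bytes([i]) + item.encode()).digest()
            yield int.from_bytes(h[:8], "big") % self.m

    def add(self, item: str) -> None:
        for p in self._positions(item):
            self.bits[p >> 3] |= 1 << (p & 7)

    def __contains__(self, item: str) -> bool:
        return all(self.bits[p >> 3] & (1 << (p & 7)) for p in self._positions(item))

def handle_request(src_ip: str, challenge: bytes, bits: int, nonce: int,
                   blacklist: BloomFilter) -> bool:
    """Drop blacklisted sources; blacklist a source whose answer fails."""
    if src_ip in blacklist:
        return False
    if not verify_puzzle(challenge, bits, nonce):
        blacklist.add(src_ip)
        return False
    return True
```

The `attempts` count returned by `solve_puzzle` is the per-packet cost the message reasons about; raising `bits` by one doubles it while `verify_puzzle` stays at one hash.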
