2010/1/12 James Holderness <[email protected]>: > On Jan 12, 12:52 pm, Blaine Cook <[email protected]> wrote: >> How is this scenario at all different than any random DoS attack >> (intentional or unintentional)? Anyone can flood any HTTP endpoint >> they choose with requests; > > The difference is that most people can't just perform a DoS attack > directly. If I were to try and flood someone's server from my home DSL > account, I wouldn't have much success - I would run out of bandwidth > long before they did. Which is why an attacker typically relies on a > network of compromised machines to do the attacking for them. > > And if I were to inform someone that their machine was compromised and > was being used as a source of DoS attacks, I would expect them to try > and do something about it. But that's what a PuSH hub is in many ways > - the equivalent of a high-bandwidth, compromised machine. Yet you > don't seem to think that's a problem.
Not at all. See the comparison to SMTP (which again, works fine in real deployments at scales of billions of users sending and receiving trillions of messages with an incredibly large number of malicious actors), and my comment regarding HTTP 503 responses. Also, consider that hubs are intentionally designed to be intelligent relays, with lots of logic to handle all sorts of edge cases, specifically so that subscribers and publishers don't have to. Your comparison of a hub to a decentralized DoS attack is a straw man – Google's hub will never send 100s or even 1000s of requests per second to a server that's returning 503s. If the code allows for the possibility today, and it happens even once, it will be fixed and won't happen again in the future. >> Lawsuits are not going to make denial of service attacks go away > > That's because the source of the attack is usually distributed across > a large number of compromised machines who are themselves victims - in > such a case a lawsuit isn't feasible. However, when the source is > easily identifiable as coming from one or two high-bandwidth hubs > belonging to a company with a lot of money, the idea of a lawsuit > starts to look like a reasonable way to recover damages. However, adding a light-weight firewall or employing DoS mitigation strategies is both cheaper and more effective, particularly on the internet where legal jurisdiction is an incredibly complicated matter. b.
