Carlo Wood wrote:
> At the time I was developing the ircd of Undernet (at the time the
> second largest IRC network), and script kiddies used to flood channels
> by connecting large amounts of bots to a lot of (irc) servers which
> then flooded a single user or channel.
>
> The user could not stop this: the flood was too big (exactly as you
> describe is the case of "any single system" being ddossed).

As the Internet is a very large scaled-out herd of machines if they
all turn their stampede to any single location it will definitely
overwhelm it.  It's the nature of things.  The many are stronger than
the few.  When used for Good that is beneficial.  But when used for Bad
then it's the opposite.

> I added to the protocol a new command called "SILENCE", that
> can be used with a mask. This command propagates towards whoever
> matches and filters their messages at the source, hence no longer
> loading the client-server connection of the victim, but also not
> the server-server connections in between.

Yes!  In order to stop such attacks the mitigation must be made as far
upstream as possible.  This description of IRC and the mitigation
would be very useful.

> Once the script kiddies couldn't flood users and channels anymore
> using the IRC protocol, they started to use ddos, to flood with
> IP packets. This is why we did hide all hostnames and IP-numbers of
> users. From that moment on, the script kiddies started to flood
> the servers; which resulted in the IRC network hiding all HUBS,
> so that they could only flood end-points, no longer taking down
> the whole network.

A typical situation.  One thing is strengthened.  This leaves another
link in the chain as a weaker link.  It is strengthened.  Then the
next weaker link in the chain is the problem.  Eventually though the
entire system is much stronger than before.

> I've always been convinced that this development (by the IRC protocol
> and servers) has been the trigger and start of botnets that ddos.

Ha!  It's possible.  It's one of the premises of evolutionary theory.
Anything that selects survival for a feature trait shapes what evolves
from it in the future generations.

> Hence, being an authority on the social and psychological background
> of ddos - and how to stop it - when IPv6 was being developed, I emailed
> them that this was a great opportunity to build in the same capability
> into ipv6 (or rather, that it was a must, as it was the only way to
> make ddos a thing of the past).

I am not an expert on IPv6.  Though I do consider myself quite well
versed with IPv4.  There is a lot of negative transference of learning
when moving from IPv4 to IPv6.  Mostly because coming from the
rationally designed IPv4 we expect IPv6 to be sane and rational too.
But IPv6 is quite different in almost every aspect.  This has caused
IPv6 adoption to be slowed because one cannot easily transfer learning
about IPv4 over to IPv6 and starting purely from IPv6 has few good
training resources.

> I guess they ignored me. So now we still have the same ddos problems
> costing companies millions if not more. People are stupid.

My experience with botnets and DDOS attacks so far is that most
botnets are IPv4 only.  This is probably due to the prevalence of IPv4
and the lack of widespread adoption yet of IPv6.  In the recent and
ongoing botnet onslaught there are millions of IPv4 bots but only
around three thousand IPv6 bots.  The summary here being that though
IPv6 has great potential, for both good and bad, that so far it has
hardly been utilized for either.

As far as I can tell on a practical basis the main use and requirement
of IPv6 is that many mobile phone operators only have IPv6 addresses
to allocate to their phone clients.  This means mobile phone clients
on the Internet can use only IPv6 addressing.  Most of the use will be
for HTTP web traffic browsing web sites.  This means that ALL web
servers MUST have IPv6 addresses available for mobile phone clients or
they will be unable to connect.  That is at this time still only a
subset of all Internet traffic.

> So no, apparently it doesn't exist.

Ah, well, thanks for the clarification! :-)

Bob
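
The SILENCE mechanism quoted above (a mask that is pushed towards the
matching senders so their messages are dropped at the source) and the
point about mitigating as far upstream as possible can be shown with a
small simulation.  This is an added example, not code from this thread
or from the Undernet ircd: the three-server topology, the nicks and
hostmasks, and the rule that the mask is propagated once to each server
hosting a matching user are all constructed for illustration.  It counts
how many server-to-server link transmissions a bot flood costs when the
mask is applied at the victim's server versus at the bots' own server.

```python
"""Toy model of source-side filtering in the style of Undernet's SILENCE.

Added example, not code from the thread or from the Undernet ircd.  The
topology, nicks, hostmasks and propagation rule are constructed.
"""
import re
from collections import defaultdict, deque


def mask_to_regex(mask):
    """Compile an IRC-style mask: '*' = any run, '?' = one char, rest literal.
    Case-insensitive matching is a simplification of RFC 1459 casemapping."""
    out = []
    for ch in mask:
        if ch == "*":
            out.append(".*")
        elif ch == "?":
            out.append(".")
        else:
            out.append(re.escape(ch))
    return re.compile("^" + "".join(out) + "$", re.IGNORECASE)


def mask_matches(mask, hostmask):
    return mask_to_regex(mask).match(hostmask) is not None


class Network:
    def __init__(self, links):
        self.adj = defaultdict(set)
        for a, b in links:
            self.adj[a].add(b)
            self.adj[b].add(a)
        self.users = {}                   # nick -> (nick!user@host, server)
        self.silence = defaultdict(list)  # victim nick -> list of masks
        self.link_msgs = 0                # server-to-server hops consumed
        self.delivered = []               # (sender, target) pairs that got through

    def add_user(self, nick, user, host, server):
        self.users[nick] = (f"{nick}!{user}@{host}", server)

    def hops(self, src, dst):
        """BFS hop count between two servers (the constructed network is a tree)."""
        seen = {src}
        queue = deque([(src, 0)])
        while queue:
            node, d = queue.popleft()
            if node == dst:
                return d
            for nxt in self.adj[node]:
                if nxt not in seen:
                    seen.add(nxt)
                    queue.append((nxt, d + 1))
        raise ValueError(f"{src} and {dst} are not linked")

    def silence_cmd(self, victim, mask, propagate):
        """Record the mask at the victim's server; if propagating, push it once
        to every server that hosts a matching user (a constructed rule)."""
        self.silence[victim].append(mask)
        if propagate:
            v_srv = self.users[victim][1]
            targets = {srv for hm, srv in self.users.values() if mask_matches(mask, hm)}
            for srv in targets - {v_srv}:
                self.link_msgs += self.hops(v_srv, srv)

    def is_silenced(self, sender, target):
        sender_hm = self.users[sender][0]
        return any(mask_matches(m, sender_hm) for m in self.silence[target])

    def privmsg(self, sender, target, filter_at_source):
        s_srv = self.users[sender][1]
        t_srv = self.users[target][1]
        if filter_at_source and self.is_silenced(sender, target):
            return False              # dropped before any link is used
        self.link_msgs += self.hops(s_srv, t_srv)
        if self.is_silenced(sender, target):
            return False              # dropped at the victim's server; links already paid
        self.delivered.append((sender, target))
        return True


def simulate(filter_at_source, nbots=50, msgs_per_bot=20):
    net = Network([("hub", "srvA"), ("hub", "srvB"), ("hub", "srvC")])
    net.add_user("alice", "al", "desk.example.org", "srvA")   # victim
    net.add_user("bob", "b", "home.example.com", "srvB")      # innocent user
    for i in range(nbots):                                    # bots, all on srvC
        net.add_user(f"bot{i}", "kid", f"h{i}.flood.example", "srvC")
    net.silence_cmd("alice", "*!*@*.flood.example", propagate=filter_at_source)
    for i in range(nbots):
        for _ in range(msgs_per_bot):
            net.privmsg(f"bot{i}", "alice", filter_at_source)
    net.privmsg("bob", "alice", filter_at_source)             # must still arrive
    return {"link_msgs": net.link_msgs,
            "flood_delivered": sum(1 for s, _ in net.delivered if s.startswith("bot")),
            "bob_delivered": ("bob", "alice") in net.delivered}


if __name__ == "__main__":
    for mode in (False, True):
        print("filter at source:" if mode else "filter at victim:", simulate(mode))
```

With the constructed topology every bot message crosses two links to
reach alice's server.  Applying the mask there still costs two hops per
flood message (2000 plus bob's 2 for the defaults above); pushing it to
the bots' server costs the one-time propagation (2 hops) and bob's
message (2 hops), and the flood never touches a server link.  In both
modes nothing from the bots is delivered and bob's message still is.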
