What about a "we're ignoring this person, so you may as well block them" service (DDOS protection?)


Was just struck by this idea. Imagine for a moment that you publish a key in your DNS records which holds a "banning key" (a public-key certificate). Now, when you are writing software to deal with a DDOS, you record the IP addresses which are unambiguously participating in the attack (that's the annoying part with certain attacks, but with the lower-level ones it's pretty easy).

Now, with some fancy whois-database query or other (insert magic here) you automatically retrieve the chain of ISPs between yourself and the infected/attacking machine. You send to each of these a signed message asking the ISP to block packets from the given IP going to your IP for X period.

Biggest problem is likely going to be memory; even assuming that only good people use the system to block computers involved in DDOS-ing, there's more than a million of those (likely far, far more), so really big ISPs (backbone carriers) might wind up with almost every infected machine on the internet sitting in a big table.

However, I wouldn't expect the backbone carriers to offer this service on the backbone, though they might offer it in their regional customer centres. The idea here is that you'd configure your service to only pay attention to (source) IPs you control or have control over. Since we're dealing primarily with infected consumer machines, you want to implement this at just the few levels above the consumer machines (a few levels, rather than one, to catch cases where ISPs are laggards and haven't yet implemented this scheme; what are they waiting for?). This should make the number of records required to implement the scheme grow with the size of the customer base, the number of infected machines in that base, and the number of sites they are attacking... which is probably a best-case scenario.

Need to be sure the DNS-based verification of the sig works in the middle of a DDOS. Hmm, also need to watch out for spoofing done by registering a domain, then pointing your DNS server at someone else's IP... which I think is possible...

Anywho, just a thought.
