Ed irnet.com> cc:
Subject: RE: [suse-security] IPSec system design questions (slightly OT)
30.06.2001 06:21
<snip>
The system will be immune to DoS attacks.
</snip>
There's no such thing as a system that is immune to DoS attacks.
Even when some links are definitely "fat pipes", and some ISPs "just add
another T1" if you experience a flood... Someone will have *far more*
bandwidth available than you or your ISP can ever dream of. Imagine someone
roots eight sites, each connected at 622 Mbps. This makes up 4976 Mbps of
total bandwidth available for the attacker. I think this amount of
bandwidth exceeds the total bandwidth available for some entire countries.
And that is not a worst-case scenario, since a DDoS attack with 8 sites
would be considered a minor attack, and could probably even be filtered by
some rather large top tier ISPs (if no spoofing is involved). Large attacks
can involve hundreds, even thousands of traffic sources, where it is
impossible to block them all, even for top tier ISPs.
And blocking is only feasible if the blocking party can cope with the
amount of traffic being sent to it. Example: if my ISP has a total
bandwidth of 34 Mbps available, but some attacker constantly sends traffic
at a rate of 100 Mbps, then my ISP will not be able to withstand the attack
and it will be taken offline, because its links will be saturated after
about 1/3 of a second. And as said, if the attacker chooses to spoof the
source addresses of their traffic, blocking would be impossible at all. The
only thing the ISP can do then is remove your route from the internet. And
that's just the same as being DoSed, if you think about it.
Cheers & correct me if I'm wrong
Chr. Burri
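A small model of the two points the post makes (attacker capacity is the sum of the rooted sites' uplinks, and source-based blocking stops working once the flood spoofs its source addresses), as an added example that is not part of the original message or of any product the list discusses. The per-source packet budget stands in for the upstream filtering the post mentions, the addresses and packet counts are constructed for illustration, and the 34 Mbps and 622 Mbps figures are simply the ones quoted in the post:

```python
"""Added illustration of the DDoS arithmetic in the post above.

Not code from the original message. The filter model (a per-source packet
budget), the 10.0.x.1 attacker addresses and the packet counts are all
constructed assumptions for the demonstration.
"""
import random
from collections import Counter

LINK_MBPS = 34.0        # the ISP uplink quoted in the post
SITE_LINK_MBPS = 622.0  # the per-site uplink quoted in the post


def aggregate_mbps(site_links_mbps):
    """Bandwidth an attacker controls: the sum of the rooted sites' uplinks."""
    return sum(site_links_mbps)


def usable_fraction(link_mbps, offered_attack_mbps):
    """Share of a link left for legitimate traffic once the flood is on it.

    Anything at or above the link rate leaves nothing; the post's 100 Mbps
    flood against a 34 Mbps uplink is the zero case.
    """
    remaining = max(0.0, link_mbps - offered_attack_mbps)
    return remaining / link_mbps


def random_public_source(rng):
    """One constructed spoofed IPv4 source (first octet 1-223, last 1-254)."""
    return "{}.{}.{}.{}".format(
        rng.randrange(1, 224), rng.randrange(256),
        rng.randrange(256), rng.randrange(1, 255))


def simulate_flood(n_attackers, packets_per_attacker, spoof,
                   per_source_budget, seed=1):
    """Run a flood through a per-source budget filter.

    Each source address may send at most `per_source_budget` packets before
    the filter drops the rest (a crude stand-in for an upstream ACL or
    rate limit). Returns (packets_passed, distinct_sources_seen).

    Without spoofing the attackers are a handful of fixed addresses, so the
    filter caps them. With spoofing every packet carries a fresh random
    source, so no address ever reaches its budget and everything passes.
    """
    rng = random.Random(seed)
    seen = Counter()
    passed = 0
    for attacker in range(n_attackers):
        real_src = "10.0.{}.1".format(attacker)  # constructed attacker address
        for _ in range(packets_per_attacker):
            src = random_public_source(rng) if spoof else real_src
            seen[src] += 1
            if seen[src] <= per_source_budget:
                passed += 1
    return passed, len(seen)


if __name__ == "__main__":
    print("8 rooted sites at 622 Mbps:", aggregate_mbps([SITE_LINK_MBPS] * 8), "Mbps")
    print("usable share of a 34 Mbps link under a 100 Mbps flood:",
          usable_fraction(LINK_MBPS, 100.0))
    for spoof in (False, True):
        passed, sources = simulate_flood(8, 1000, spoof, per_source_budget=100)
        print("spoof=%s: %d of 8000 packets passed the filter, %d distinct sources"
              % (spoof, passed, sources))
```

The unspoofed run shows the filter doing its job (8 sources, each capped at its budget); the spoofed run passes essentially every packet and presents thousands of distinct sources to block, which is the post's argument that blocking degenerates into blackholing the victim's own route.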