[lug] IP Tables

Nate Duehr nate at natetech.com
Mon Sep 24 23:40:30 MDT 2007


Sean Reifschneider wrote:
> On Mon, Sep 24, 2007 at 01:41:32PM -0600, Nate Duehr wrote:
>> If you have an asymmetric link to the Net, with an uplink speed lower 
>> than downlink (typical residential connection), the downlink side can 
> 
> Correct, but as originally stated it was impossible to tell if you were
> falling into the common misconception that blocking the traffic would
> prevent it from using the bandwidth.  You can only prevent line saturation
> if you implement dropping on the sending side of the link.

Ahhh yes.  (Or is that "DOH!")

I thought that was obvious.  Been doing this networking stuff too long, 
I guess.

Sean's saying... if they have a bigger pipe than you, they can ALWAYS 
stuff traffic down your little pipe and fill it.  You can't stop that.

Only your upstream ISP can.

There was a FASCINATING article a while back about a company in Phoenix 
that shunts away the effects of DDoS attacks where thousands of hacked 
"zombie" machines are used against corporations and/or other entities in 
cyber-crime.

They got into the business after the owners of an off-shore sports book 
came to them asking for help.  They'd been DDoS'ed a number of times and 
had been paying escalating ransoms to keep the attackers from turning 
the fire hose back on during critical gambling/sports betting times.

The sites were effectively being taken off-line anytime the attackers 
wanted to, by saturating their fiber going to/from the island.

The company in Phoenix bought MASSIVE bandwidth and had everything 
routed to them, then they'd strip off the attack packets, and forward on 
legitimate traffic to the companies under attack.  They also had some 
other tricks up their sleeves...

The story included threats to the sports book owners that their families 
would be kidnapped and held hostage, and requests for larger and larger 
ransom sums to be paid... it read like a made-for-TV movie, but was the 
real thing.

The phrase in the industry that covers massive DDoS attacks the best?

"He who dies with the most bandwidth -- wins."

I helped a customer survive a DDoS once, before anything like the 
massive bot-nets of today were available to the bad guys.

It wasn't pretty, and their load-balancer was definitely having a "bad 
hair day".

I only got involved because they claimed that our network was at fault. 
It wasn't.  I knew that before I walked over and plugged in the 
packet sniffer.  :-)

Nate
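An added illustration of the point Sean and Nate make above (this is editor-supplied example code, not from either poster): the same per-source rate limit placed in the customer's own INPUT chain versus in the FORWARD chain of the router on the sending side of the narrow link. The victim address 203.0.113.10, the rate thresholds and the chain layout are assumptions for illustration. The script only prints iptables-restore rulesets unless APPLY=1 is set and it runs as root.

```shell
#!/bin/sh
# Added example, not from the mailing-list post. Two rulesets in
# iptables-restore format for a hypothetical customer host 203.0.113.10 that
# sits behind a narrow residential link. Addresses, ports and rate limits are
# assumptions chosen for illustration.

# Weak placement: filtering on the receiving host. iptables does drop the
# flood, but only after every packet has already crossed (and filled) the
# downlink, so the link saturates exactly as it would with no filter at all.
customer_side_rules() {
    cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 80 --syn -m hashlimit --hashlimit-name http-syn --hashlimit-mode srcip --hashlimit-above 50/sec --hashlimit-burst 100 -j DROP
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -j DROP
COMMIT
EOF
}

# Effective placement: the same limit, but in the FORWARD chain of the router
# on the *sending* side of the narrow link (the ISP or a scrubbing box with a
# much bigger pipe). Attack packets are discarded before they enter the link,
# so legitimate traffic to the victim still fits through it.
upstream_side_rules() {
    victim="$1"   # address of the protected host, e.g. 203.0.113.10
    cat <<EOF
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -d ${victim} -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -d ${victim} -p tcp --dport 80 --syn -m hashlimit --hashlimit-name scrub-syn --hashlimit-mode srcip --hashlimit-srcmask 24 --hashlimit-above 50/sec --hashlimit-burst 100 -j DROP
-A FORWARD -d ${victim} -p udp -m hashlimit --hashlimit-name scrub-udp --hashlimit-mode srcip --hashlimit-above 200/sec --hashlimit-burst 400 -j DROP
-A FORWARD -d ${victim} -p tcp -m multiport --dports 80,443 -j ACCEPT
-A FORWARD -d ${victim} -j DROP
COMMIT
EOF
}

# Only touch the live firewall when explicitly asked to and running as root;
# otherwise just show both rulesets so they can be compared side by side.
if [ "${APPLY:-0}" = 1 ] && [ "$(id -u)" = 0 ]; then
    upstream_side_rules "${VICTIM:-203.0.113.10}" | iptables-restore
else
    echo "# customer side (drops after the link is already full):"
    customer_side_rules
    echo
    echo "# upstream side (drops before the link):"
    upstream_side_rules "${VICTIM:-203.0.113.10}"
fi
```

To use the upstream ruleset the forwarding router needs ip_forward enabled, and `iptables -L FORWARD -v -n -x` will show the DROP counters climbing while the customer's link stays usable. The hashlimit match keys on source /24 here, which helps against a modest number of attacking sources; against thousands of bots or spoofed sources the limit degrades into plain capacity planning on the scrubbing side, which is exactly the "most bandwidth wins" point of the thread. The lesson is the placement of the DROP, not the particular match.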
