| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 09 Mar 2010 10:12:24 -0500
From: Valdis.Kletnieks@...edu
To: Adrenalin <adrenalinup@...il.com>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: Ubisoft DDoS
On Tue, 09 Mar 2010 15:27:02 +0100, Adrenalin said:
> I'm just wondering, even if it's under DDoS, isn't it as easy to block as to
> collect the list of IP that send too much data, and just block them on the
> upper level ISP ?
You *do* realize that a *small* botnet these days is 75,000 machines, and
there's a estimated 140 million compromised zombie boxes out there? There's
very few boxes that can handle an inbound ACL of 75K entries sanely - usually
what ends up happening is the upstream drops all traffic *to* the target node
just so all the *other* boxes at the site still get some bandwidth.
And "sending too much data" is hard to quantify - if you have enough bots,
you can thoroughly DDoS a site using far *less* bandwidth per host than a
normal user does. If the site was designed to handle 10,000 clients each
sending 5 packets per second for 10 seconds during a login at game start,
it will likely fall over if you throw 100,000 bots at it, each sending
4 packets a second continuously...
Content of type "application/pgp-signature" skipped
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists