In the past few days, one of my favourite tech-news haunts, Neowin.net, was DDoS’ed to oblivion. By a 13-year-old script kiddie with a grudge. Only on the Internet can mosquitoes carry rocket launchers.
There are ways to prevent DDoS attacks, although none of them are 100% effective and the seriously good gear costs a lot of money.
But yes, you can use an intrusion detection system (IDS) in front of a stateful firewall to minimize the impact. Hardware of this kind scans incoming packets for malicious traffic patterns (ping storms, DDoS floods, spoofed sources) and drops the offending packets.
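To make the "find malicious traffic patterns and drop the packets" step concrete, here is an added example (not code from the original post or from any IDS vendor) of the two simplest checks such a box performs: a sliding-window packets-per-second counter that flags any single source exceeding a threshold (the ping-storm case), and a bogon filter that drops packets whose source address could never legitimately arrive from the Internet (the spoofing case). The traffic, the 100 packets-per-second threshold, and the addresses are all constructed for the demonstration; a real appliance would apply many more signatures and tune thresholds per link.

```python
from collections import deque, defaultdict
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Packet:
    ts: float   # arrival time in seconds
    src: str    # source IPv4 address as seen on the wire
    proto: str  # "icmp", "tcp" or "udp"


# Constructed sample traffic (not a real capture):
#   - one legitimate host sending 2 pps of TCP,
#   - one host sending a 500 pps ICMP ping storm,
#   - one source claiming an RFC 1918 address on an external link (spoofed).
SAMPLE_PACKETS = (
    [Packet(0.0 + i * 0.5, "203.0.113.10", "tcp") for i in range(20)]
    + [Packet(1.0 + i * 0.001, "198.51.100.7", "icmp") for i in range(500)]
    + [Packet(2.0 + i * 0.01, "10.0.0.5", "udp") for i in range(5)]
)

# Bogon ranges: private, loopback, link-local, multicast and reserved space.
# None of these can be a genuine source on an Internet-facing interface.
BOGON_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
)]


def is_bogon(src):
    """True when the source address lies in a range that should never reach us."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in BOGON_NETS)


class RateDetector:
    """Sliding-window per-source packet counter.

    A source is flagged once more than `max_pkts` of its packets fall inside
    any `window` seconds. The caller decides what to do with flagged packets
    (drop, rate-limit, alert).
    """

    def __init__(self, window=1.0, max_pkts=100):
        self.window = window
        self.max_pkts = max_pkts
        self.history = defaultdict(deque)  # src -> recent arrival timestamps

    def observe(self, pkt):
        q = self.history[pkt.src]
        q.append(pkt.ts)
        # Evict timestamps that have aged out of the window.
        while q and pkt.ts - q[0] > self.window:
            q.popleft()
        return len(q) > self.max_pkts


def inspect(packets, window=1.0, max_pkts=100):
    """Run both checks over a packet list in arrival order.

    Returns the set of flooding sources, the set of spoofed (bogon) sources,
    and the number of packets the firewall would have dropped.
    """
    det = RateDetector(window, max_pkts)
    flooders, spoofed, dropped = set(), set(), 0
    for pkt in sorted(packets, key=lambda p: p.ts):
        if is_bogon(pkt.src):
            spoofed.add(pkt.src)
            dropped += 1
            continue  # spoofed packets never reach the rate counter
        if det.observe(pkt):
            flooders.add(pkt.src)
            dropped += 1
    return {"flooders": flooders, "spoofed": spoofed, "dropped": dropped}


if __name__ == "__main__":
    result = inspect(SAMPLE_PACKETS)
    print("flooding sources:", sorted(result["flooders"]))
    print("spoofed sources: ", sorted(result["spoofed"]))
    print("packets dropped: ", result["dropped"])
```

Note what the example does not do: the first 100 packets of the ping storm get through before the counter trips, and every packet still has to be received and counted before it can be dropped. That is exactly the "bigger flood, bigger pail" problem the next paragraphs describe: the detection logic is cheap, but it has to run at line rate on every packet.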
The problem here is that stopping DDoS attacks is like trying to prevent a leaky ship from sinking – the bigger the flood, the bigger your pail has to be, and the faster you will have to bale.
While computer hardware is usually measured in millions of instructions per second, or MIPS, network hardware is measured in Kpps, or thousands of packets per second. For example, a Cisco 3725 can process 70 Kpps – considering an IP packet can be up to 1,518 bytes, that’s a respectable amount of packet processing power.
So with a big DDoS attack, you’ll need big packet buffers and fast CPUs on your IDS and firewall hardware. Some devices sport dual CPUs. The bigger the attack (i.e. more packets), the bigger and faster your hardware has to be, and the more expensive it gets.
So why doesn’t the FBI or police just swoop down and arrest all these punks? The answer is, too many idiots, not enough hours in a day. It’s like being the victim of a break-in. There are dozens of break-ins in a city on any given day, very few leads, and the cases are difficult to prosecute. Sadly, the same goes for DoS attacks.