Pages:
Author

Topic: CAPTCHA to mitigate DDoS attack? - page 2. (Read 3065 times)

legendary
Activity: 1050
Merit: 1002
April 22, 2013, 01:59:18 PM
#16
Think about OSI model.

How does a model have anything to do with http access to system resources?

Because it's getting clogged up on the network layer.

Hmm, I suppose that's possible. To me that's an advanced DDoS though, or I guess that could happen naturally with large enough attack...
That's not only "possible", it is precisely what is going on.
It is the very definition of DDoS.
And there are plenty of methods, most of them common knowledge, exploiting weaknesses of the TCP/IP protocol.
These days such exploitations aren't sophisticated, they are all easily accessible to any script kiddie.

Right. I'm used to looking at problems from the server level down, not the pipes. As I said earlier it seems the only real way to solve DDoS is take away botnets.

EDIT: To be pedantic, though, I wouldn't say the 'D' in DDoS is the very definition of clogging the network layer. DDoS AFAIK is the progression from DoS which didn't clog the network and was effectively mitigated with IP filtering. The more effective DDoS defeated that, and the network clogging seems an added benefit and problem.
You clearly missed your highlighted quote.
I am out of here.

I didn't miss it.

I'm saying the attack became distributed in response to IP filtering not in order to clog the network. Denial of Service originally attacked servers not the network. The defense then was to filter problematic IPs. So to get around that distributed IPs were used. This had the added benefit of clogging the network. So when you say the very definition of the 'd' for distributed is clogging the network I disagree; I say that became a welcome side effect when, as you highlight, the attack is large enough. That's my understanding of the topic anyway. It's admittedly not my area of expertise.
donator
Activity: 714
Merit: 510
Preaching the gospel of Satoshi
April 22, 2013, 01:49:59 PM
#15
Think about OSI model.

How does a model have anything to do with http access to system resources?

Because it's getting clogged up on the network layer.

Hmm, I suppose that's possible. To me that's an advanced DDoS though, or I guess that could happen naturally with large enough attack...
That's not only "possible", it is precisely what is going on.
It is the very definition of DDoS.
And there are plenty of methods, most of them common knowledge, exploiting weaknesses of the TCP/IP protocol.
These days such exploitations aren't sophisticated, they are all easily accessible to any script kiddie.

Right. I'm used to looking at problems from the server level down, not the pipes. As I said earlier it seems the only real way to solve DDoS is take away botnets.

EDIT: To be pedantic, though, I wouldn't say the 'D' in DDoS is the very definition of clogging the network layer. DDoS AFAIK is the progression from DoS which didn't clog the network and was effectively mitigated with IP filtering. The more effective DDoS defeated that, and the network clogging seems an added benefit and problem.
You clearly missed your highlighted quote.
I am out of here.

Edit: evidently your understanding doesn't go that far.
legendary
Activity: 966
Merit: 1004
Keep it real
April 22, 2013, 01:39:42 PM
#14
what if the attacker just floods the server with random packets? there's no captcha for packets, and even if you're dropping them with a firewall, your link is still being saturated.

So you mean they're just DDoS'ing the server?
donator
Activity: 714
Merit: 510
Preaching the gospel of Satoshi
April 22, 2013, 01:38:09 PM
#13
what if the attacker just floods the server with random packets? there's no captcha for packets, and even if you're dropping them with a firewall, your link is still being saturated.
That's what we've been saying all along.
Wtf
legendary
Activity: 2058
Merit: 1452
April 22, 2013, 01:36:48 PM
#12
what if the attacker just floods the server with random packets? there's no captcha for packets, and even if you're dropping them with a firewall, your link is still being saturated.
legendary
Activity: 1050
Merit: 1002
April 22, 2013, 01:33:49 PM
#11
Think about OSI model.

How does a model have anything to do with http access to system resources?

Because it's getting clogged up on the network layer.

Hmm, I suppose that's possible. To me that's an advanced DDoS though, or I guess that could happen naturally with large enough attack...
That's not only "possible", it is precisely what is going on.
It is the very definition of DDoS.
And there are plenty of methods, most of them common knowledge, exploiting weaknesses of the TCP/IP protocol.
These days such exploitations aren't sophisticated, they are all easily accessible to any script kiddie.

Right. I'm used to looking at problems from the server level down, not the pipes. As I said earlier it seems the only real way to solve DDoS is take away botnets.

EDIT: To be pedantic, though, I wouldn't say the 'D' in DDoS is the very definition of clogging the network layer. DDoS AFAIK is the progression from DoS which didn't clog the network and was effectively mitigated with IP filtering. The more effective DDoS defeated that, and the network clogging seems an added benefit and problem.
legendary
Activity: 1386
Merit: 1000
English <-> Portuguese translations
April 22, 2013, 01:26:18 PM
#10
This would kill bots, think about it.
donator
Activity: 714
Merit: 510
Preaching the gospel of Satoshi
April 22, 2013, 01:24:14 PM
#9
Think about OSI model.

How does a model have anything to do with http access to system resources?

Because it's getting clogged up on the network layer.

Hmm, I suppose that's possible. To me that's an advanced DDoS though, or I guess that could happen naturally with large enough attack...
That's not only "possible", it is precisely what is going on.
It is the very definition of DDoS.
And there are plenty of methods, most of them common knowledge, exploiting weaknesses of the TCP/IP protocol.
These days such exploitations aren't sophisticated, they are all easily accessible to any script kiddie.
legendary
Activity: 1050
Merit: 1002
April 22, 2013, 01:06:43 PM
#8
Think about OSI model.

How does a model have anything to do with http access to system resources?

Because it's getting clogged up on the network layer.

Hmm, I suppose that's possible. To me that's an advanced DDoS though, or I guess that could happen naturally with large enough attack...
legendary
Activity: 966
Merit: 1004
Keep it real
April 22, 2013, 01:01:58 PM
#7
Think about OSI model.

How does a model have anything to do with http access to system resources?

Because it's getting clogged up on the network layer.
legendary
Activity: 1050
Merit: 1002
April 22, 2013, 01:01:10 PM
#6
Think about OSI model.

How does a model have anything to do with http access to system resources?
donator
Activity: 714
Merit: 510
Preaching the gospel of Satoshi
April 22, 2013, 12:49:53 PM
#5
This is actually a great idea.

They could even separate their home page from the rest of the system so you could access the home page without a captcha but need to solve one for anything else (which might be more resource intensive).

This could help against application level DDoS but useless against attacks on lower levels.

What do you mean "lower levels"? You mean like remote DB access? Any impact on something like that would be solved by using local DB connection only. As for a file server that could require a valid session the same way an application would.

Think about OSI model.
legendary
Activity: 1050
Merit: 1002
April 22, 2013, 12:45:02 PM
#4
This is actually a great idea.

They could even separate their home page from the rest of the system (use a cache, etc.) so you could access the home page without a captcha but need to solve one for anything else (which might be more resource intensive).

This could help against application level DDoS but useless against attacks on lower levels.

What do you mean "lower levels"? You mean like remote DB access? Any impact on something like that would be solved by using local DB connection only. As for a file server that could require a valid session the same way an application would.

newbie
Activity: 58
Merit: 0
April 22, 2013, 05:26:21 AM
#3
This could help against application level DDoS but useless against attacks on lower levels.

Exactly. Without knowing how they fell, can't really suggest anything meaningful. I wonder whether they are willing to share more details on this DDOS.
legendary
Activity: 2142
Merit: 1010
Newbie
April 22, 2013, 05:19:24 AM
#2
This could help against application level DDoS but useless against attacks on lower levels.
newbie
Activity: 25
Merit: 0
April 22, 2013, 05:16:49 AM
#1
I was wondering if Mt.Gox could force all visitors to solve a Google hosted CAPTCHA before being able to access the website. It seems that the small annoyance of having to solve a CAPTCHA would outweigh the damage done by a DDoS. Logged in users and users who have previously solved a captcha should be exempt from the CAPTCHA requirement.

Would this even work? Would it be a good idea?
Pages:
Jump to: