Evaluate the method of countering DDoS

D

Disasm2010-11-20 17:51:38

Computer networks

Disasm, 2010-11-20 17:51:38

In short: there is a network of a large number of computers (it is assumed that ordinary user computers) with white IP addresses and free port 80, which are connected in a network with a tree structure. From this set of computers, some "edge" computers are selected, which in this case are the leaves of the tree, and their IP addresses are set as A-records of the domain of the attacked site, and only the root computer knows the real IP address of the site. Communication goes along the chain client-list-intermediate_computers-root-server Computers can somehow detect some types of attacks and prevent such requests from being passed further to the root of the tree, and, accordingly, to the protected server.

What are the disadvantages of such an architecture? Does she have any prospects at all?

Reply

Answer the question

In order to leave comments, you need to log in

3 answer(s)

S

Sergey, 2010-11-20
@bondbig

how do you plan to remove disabled/unavailable stations from A-records?
In general, nothing new, this is how many DDoS protection systems work, only not on desktops, but on several data centers in different countries, entry points are smeared (smeared either using BGP, or DNS, or both together), then cleaned traffic is transmitted to the protected server either inside the GRE tunnel or proxied. As a result, the botnet does not know the IP of the server, but only the IP of anti-ddosers.

S

stel, 2010-11-20
@stel

Well, if “computers are somehow” taught to detect attacks, then this approach can help with a DoS attack, but not with DDoS. And in general, everything that you have outlined can be implemented more easily with the help of even netfilter in niks. I think the A-record idea is too much...

A

amarao, 2010-11-20
@amarao

And how can this thing withstand ddos at 10-15 Gb / s? It is necessary to distinguish between attacks of the type "evil, bad requests" and stupid flood.