Evaluate the method of countering DDoS
In short: there is a network of a large number of computers (assumed to be ordinary user machines) with public IP addresses and a free port 80, connected into a network with a tree structure. From this set, some "edge" computers are selected, which in this case are the leaves of the tree, and their IP addresses are set as A records of the attacked site's domain; only the root computer knows the real IP address of the site. Communication goes along the chain client - leaf - intermediate computers - root - server. The computers can somehow detect some types of attacks and prevent such requests from being passed further towards the root of the tree, and hence towards the protected server.
What are the disadvantages of such an architecture? Does it have any prospects at all?
How do you plan to remove disabled/unavailable stations from the A records?
In general, nothing new: this is how many DDoS protection systems work, only not on desktops but on several data centers in different countries. The entry points are spread across them (either via BGP, or via DNS, or both together), and the cleaned traffic is then delivered to the protected server either inside a GRE tunnel or by proxying. As a result, the botnet does not know the server's IP, only the IPs of the anti-DDoS provider.
Well, if the "computers are somehow" taught to detect attacks, then this approach can help against a DoS attack, but not against DDoS. And in general, everything you have outlined can be implemented more simply, even with plain netfilter on *nix. I think the A-record idea is overkill...
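The distinction drawn in the last comment (per-node filtering stops a single-source flood but not a distributed one) can be seen in a small simulation. This is an added example, not code from the thread: it models the tree of the question with a hypothetical per-source-IP token-bucket filter at every node as the stand-in for "somehow detects attacks" (the rate and burst values, the tree shape and the traffic are all assumptions constructed for the example; the attacker addresses come from the documentation ranges 198.51.100.0/24 and 203.0.113.0/24).

```python
"""Toy model of the tree-of-filters anti-DDoS architecture from the question.

Added example, not from the original thread. Every node runs a per-source-IP
token-bucket limiter (an assumed stand-in for "somehow detects attacks") and
forwards surviving requests towards the root, which alone would know the
origin's real IP. Two constructed floods of equal total rate are compared:
one attacker IP (DoS) versus the same load spread over 200 IPs (DDoS).
"""
from dataclasses import dataclass, field


@dataclass
class Node:
    name: str
    parent: "Node | None" = None
    rate: float = 10.0   # assumed policy: tokens (requests) per second per source IP
    burst: float = 20.0  # assumed policy: bucket capacity per source IP
    dropped: int = 0
    _buckets: dict = field(default_factory=dict)  # src_ip -> (tokens, last_seen)

    def allow(self, src_ip: str, t: float) -> bool:
        """Classic token bucket keyed by source address."""
        tokens, last = self._buckets.get(src_ip, (self.burst, t))
        tokens = min(self.burst, tokens + (t - last) * self.rate)
        if tokens >= 1.0:
            self._buckets[src_ip] = (tokens - 1.0, t)
            return True
        self._buckets[src_ip] = (tokens, t)
        return False

    def forward(self, src_ip: str, t: float) -> bool:
        """Filter here, then hand the request up the tree.
        Returns True only if the request reaches the root (i.e. the origin)."""
        if not self.allow(src_ip, t):
            self.dropped += 1
            return False
        if self.parent is None:
            return True  # root: would proxy to the real origin address
        return self.parent.forward(src_ip, t)


def build_tree():
    """Assumed shape: 1 root, 2 intermediate nodes, 4 leaves (the A-record hosts)."""
    root = Node("root")
    mids = [Node(f"mid{i}", parent=root) for i in range(2)]
    leaves = [Node(f"leaf{i}", parent=mids[i % 2]) for i in range(4)]
    return root, mids, leaves


def run(requests):
    """requests: iterable of (t, src_ip, leaf_index).
    Returns (requests that reached the origin, per-node drop counts)."""
    root, mids, leaves = build_tree()
    reached = 0
    for t, src, leaf_idx in requests:
        if leaves[leaf_idx].forward(src, t):
            reached += 1
    drops = {n.name: n.dropped for n in [root, *mids, *leaves]}
    return reached, drops


def single_source_flood(total=1000, duration=10.0):
    """Constructed traffic: one attacker IP, `total` requests over `duration` s,
    spread round-robin over the four leaves (what DNS round-robin would do)."""
    return [(i * duration / total, "198.51.100.7", i % 4) for i in range(total)]


def distributed_flood(total=1000, duration=10.0, sources=200):
    """Constructed traffic: same total rate, but spread over `sources` IPs,
    so each source stays far below the per-IP limit of every node."""
    return [(i * duration / total, f"203.0.113.{i % sources}", i % 4)
            for i in range(total)]


def compare():
    """Origin load under both floods; the total offered load is identical."""
    dos_reached, dos_drops = run(single_source_flood())
    ddos_reached, ddos_drops = run(distributed_flood())
    return {"dos": (dos_reached, dos_drops), "ddos": (ddos_reached, ddos_drops)}


if __name__ == "__main__":
    for kind, (reached, drops) in compare().items():
        print(f"{kind}: {reached}/1000 requests reached the origin; drops={drops}")
```

With these parameters the single-source flood is cut at every level and only about 120 of 1000 requests reach the root (roughly burst plus rate times duration), while the distributed flood with the same total rate passes untouched, because no per-source bucket is ever exhausted. Stronger per-node logic (aggregate rate limits, behavioural scoring, challenge pages) can narrow the gap, but only at the cost of collateral damage to legitimate clients, which is the trade-off the comment is pointing at.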