Re: Anti-DoS prevention [was Re: Comments on minion-spec.txt]

[Adam Back <adam@cypherspace.org>]

I'm not sure how effective or safe IP based blocking is likely to be:

- the attacker can use multiple remailers to create a flood which can
all be targetted to exit at the same remailer if desired

- if you throttle IP address at entry you risk damaging availability
for users behind large proxies (ie say earthlink or similar large ISP
has all their users look like the same IP or /24 or whatever -- normal
traffic from that IP will be far in excess of a single non-natted
dynamic IP user)

I don't currently run a remailer, but I used to, and the only problems
with flooding I saw was when people would flood newsgroups,
escpecially a.p.a-s.  The typical remop response to that was to filter
out the flood based on content after it was noticed (if the remop was
also a reader of the target group) or if someone complained.

I never had an individual complain of receipt of flooding.  I never
noticed an input flood that I noticed.  But then input floods are hard
to notice when you don't keep logs.  So all I can really say about not
noticing an input flood was that volume was relatively constant.


As the worst flooding related issues were newsgroup output, it's
difficult to automate defenses against this.  I say this because the
threshold for a flood to be a nuisance in a newsgroup in my opinion is
a lot lower than for it to be a problem to users.  And the volume is
low compared to legitmate message volume -- ie a single large message
can easily and legitimately consume more message fragments than a
significant newsgroup flood.

I also suspecting psychologically that there is limited interest in
flooding users because the flooder enjoys watching the arguments and
complaints on the newsgroup and he won't get those via a
(non-replyable) flood to an individual.

There were some experiments with using hashcash to throttle USENET
posting with some kind of policy implemented at a mail2news gateway
(so not directly a remailer, but not all mixmaster nodes can post to
news so m2n gateways are frequently used).  However I'm not sure (for
the reasons given above) that hashcash could reasonaby control
flooding of newsgroups without unduly inconveniencing regular users.

Adam

On Fri, May 16, 2003 at 11:16:37PM -0700, Sean R. Lynch wrote:
> On Fri, 2003-05-16 at 22:51, Nick Mathewson wrote:
> > So, I put your question back to you, and to the list: *are* these
> > defenses up to the challenge?  What *other* filtering and MTA features
> > do current remops use to prevent abuse and DoS?  We should definitely
> > draw on the experiences of today's operator community, and not enter the
> > arms race undermatched.
> 
> We need untracable electronic cash to use as postage stamps.
> 
> If you're using TCP, you can limit the total number of connections from
> a single address and throttle communications to prevent DoS from a
> single host. This could even be done on a /24 basis or whatever to
> mitigate attacks from a single LAN. DDoS is a little more difficult to
> prevent. It seems like it will probably always be possible to degrade
> service if the attacker has control of a sufficient number of hosts on
> different networks. I think the best thing to do is to try to degrade as
> gracefully as possible under high load.
> 
> -- 
> If this helped you, please take the time to rate the value of this post:
> <http://svcs.affero.net/rm.php?r=kg6cvv>