
Re: Anti-DoS prevention [was Re: Comments on minion-spec.txt]

On Fri, 2003-05-16 at 22:51, Nick Mathewson wrote:
> So, I put your question back to you, and to the list: *are* these
> defenses up to the challenge?  What *other* filtering and MTA features
> do current remops use to prevent abuse and DoS?  We should definitely
> draw on the experiences of today's operator community, and not enter the
> arms race undermatched.

We need untraceable electronic cash to use as postage stamps.

If you're using TCP, you can limit the total number of connections from
a single address and throttle communications to prevent DoS from a
single host. This could even be done on a /24 basis or whatever to
mitigate attacks from a single LAN. DDoS is a little more difficult to
prevent. It seems like it will probably always be possible to degrade
service if the attacker has control of a sufficient number of hosts on
different networks. I think the best thing to do is to try to degrade as
gracefully as possible under high load.

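The per-host and per-/24 connection caps with graceful degradation under load, as an added example and not code from the poster or the Mixminion project; the limits, the 50% load threshold and the linear scaling rule are assumptions chosen for illustration, and only IPv4 sources are handled.

```python
import ipaddress
from collections import Counter


class ConnectionLimiter:
    """Admission control for inbound TCP connections: a cap per source host,
    a cap per /24, and a total capacity. Above 50% of capacity the per-source
    allowances shrink linearly, so a few heavy sources are shed first and
    fresh sources can still get in (graceful degradation, not a hard cutoff)."""

    def __init__(self, per_host=4, per_net24=16, capacity=1000):
        self.per_host = per_host
        self.per_net24 = per_net24
        self.capacity = capacity
        self.hosts = Counter()   # active connections per source address
        self.nets = Counter()    # active connections per /24 prefix
        self.total = 0

    @staticmethod
    def net24(addr):
        # Aggregate by /24 so one LAN cannot dodge the per-host cap
        # by spreading connections across many addresses.
        return str(ipaddress.ip_network(f"{addr}/24", strict=False))

    def _scaled(self, limit):
        load = self.total / self.capacity
        if load <= 0.5:
            return limit
        # Assumed rule: allowance falls linearly from full at 50% load to 1 at 100%.
        return max(1, int(limit * (1 - load) * 2))

    def admit(self, addr):
        """Record the connection and return True if it is within limits."""
        net = self.net24(addr)
        if self.total >= self.capacity:
            return False
        if self.hosts[addr] >= self._scaled(self.per_host):
            return False
        if self.nets[net] >= self._scaled(self.per_net24):
            return False
        self.hosts[addr] += 1
        self.nets[net] += 1
        self.total += 1
        return True

    def release(self, addr):
        """Forget a closed connection so the source regains its allowance."""
        self.hosts[addr] -= 1
        self.nets[self.net24(addr)] -= 1
        self.total -= 1
```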