olalonde (OP)
April 22, 2013, 10:16:49 AM |
I was wondering if Mt.Gox could force all visitors to solve a Google hosted CAPTCHA before being able to access the website. It seems that the small annoyance of having to solve a CAPTCHA would outweigh the damage done by a DDoS. Logged in users and users who have previously solved a captcha should be exempt from the CAPTCHA requirement.
Would this even work? Would it be a good idea?
Come-from-Beyond
April 22, 2013, 10:19:24 AM |
This could help against application level DDoS but useless against attacks on lower levels.
sagiko
April 22, 2013, 10:26:21 AM |
> This could help against application level DDoS but useless against attacks on lower levels.

Exactly. Without knowing how they fell, can't really suggest anything meaningful. I wonder whether they are willing to share more details on this DDOS.
acoindr
April 22, 2013, 05:45:02 PM |
This is actually a great idea. They could even separate their home page from the rest of the system (use a cache, etc.) so you could access the home page without a captcha but need to solve one for anything else (which might be more resource intensive).

> This could help against application level DDoS but useless against attacks on lower levels.

What do you mean "lower levels"? You mean like remote DB access? Any impact on something like that would be solved by using local DB connection only. As for a file server that could require a valid session the same way an application would.
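An added example, not part of the thread: a minimal sketch of the gate proposed in the posts above, where a solved CAPTCHA yields a signed, expiring clearance cookie, logged-in users are exempt, and the cached home page is served without a challenge. All names (`SECRET`, `CLEARANCE_TTL`, `UNGATED_PATHS`, `issue_clearance`, `decide`, the `/trade` path) are hypothetical; it assumes the CAPTCHA provider's verdict and the login check are obtained elsewhere.

```python
import hashlib
import hmac
from typing import Optional

# Hypothetical configuration for the sketch; the key is a constructed demo value.
SECRET = b"constructed-demo-key"
CLEARANCE_TTL = 3600        # seconds a solved CAPTCHA stays valid
UNGATED_PATHS = {"/"}       # cached home page, served without a challenge


def _sign(client_ip: str, expires: int) -> str:
    # Binding the token to the client IP (an assumption of this sketch)
    # stops one solved CAPTCHA from being shared across many hosts.
    msg = f"{client_ip}|{expires}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


def issue_clearance(client_ip: str, now: float) -> str:
    """Cookie value handed out once the CAPTCHA provider confirms a solve."""
    expires = int(now) + CLEARANCE_TTL
    return f"{expires}.{_sign(client_ip, expires)}"


def clearance_valid(cookie: str, client_ip: str, now: float) -> bool:
    """Stateless check: one HMAC, no database or session lookup."""
    expires_s, _, mac = cookie.partition(".")
    try:
        expires = int(expires_s)
    except ValueError:
        return False
    if expires < now:
        return False
    return hmac.compare_digest(mac.encode(), _sign(client_ip, expires).encode())


def decide(path: str, client_ip: str, cookie: Optional[str],
           logged_in: bool, now: float) -> str:
    """Return 'serve' or 'challenge' before any expensive handler runs."""
    if path in UNGATED_PATHS or logged_in:
        return "serve"
    if cookie and clearance_valid(cookie, client_ip, now):
        return "serve"
    return "challenge"
```

The gate runs only once a request has reached the web tier, so it covers the application-level case discussed in the thread and nothing below it.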
bitsalame
April 22, 2013, 05:49:53 PM |
> This is actually a great idea. They could even separate their home page from the rest of the system so you could access the home page without a captcha but need to solve one for anything else (which might be more resource intensive).
>
>> This could help against application level DDoS but useless against attacks on lower levels.
>
> What do you mean "lower levels"? You mean like remote DB access? Any impact on something like that would be solved by using local DB connection only. As for a file server that could require a valid session the same way an application would.

Think about OSI model.
acoindr
April 22, 2013, 06:01:10 PM |
> Think about OSI model.

How does a model have anything to do with http access to system resources?
tysat
April 22, 2013, 06:01:58 PM |
>> Think about OSI model.
>
> How does a model have anything to do with http access to system resources?

Because it's getting clogged up on the network layer.
acoindr
April 22, 2013, 06:06:43 PM |
>>> Think about OSI model.
>>
>> How does a model have anything to do with http access to system resources?
>
> Because it's getting clogged up on the network layer.

Hmm, I suppose that's possible. To me that's an advanced DDoS though, or I guess that could happen naturally with large enough attack...
bitsalame
April 22, 2013, 06:24:14 PM Last edit: April 22, 2013, 06:37:17 PM by bitsalame |
>>>> Think about OSI model.
>>>
>>> How does a model have anything to do with http access to system resources?
>>
>> Because it's getting clogged up on the network layer.
>
> Hmm, I suppose that's possible. To me that's an advanced DDoS though, or I guess that could happen naturally with large enough attack...

That's not only "possible", it is precisely what is going on. It is the very definition of DDoS. And there are plenty of methods, most of them common knowledge, exploiting weaknesses of the TCP/IP protocol. These days such exploitations aren't sophisticated, they are all easily accessible to any script kiddie.
DarkHyudrA
April 22, 2013, 06:26:18 PM |
This would kill bots, think about it.
acoindr
April 22, 2013, 06:33:49 PM |
>>>>> Think about OSI model.
>>>>
>>>> How does a model have anything to do with http access to system resources?
>>>
>>> Because it's getting clogged up on the network layer.
>>
>> Hmm, I suppose that's possible. To me that's an advanced DDoS though, or I guess that could happen naturally with large enough attack...
>
> That's not only "possible", it is precisely what is going on. It is the very definition of DDoS. And there are plenty of methods, most of them common knowledge, exploiting weaknesses of the TCP/IP protocol. These days such exploitations aren't sophisticated, they are all easily accessible to any script kiddie.

Right. I'm used to looking at problems from the server level down, not the pipes. As I said earlier it seems the only real way to solve DDoS is take away botnets.

EDIT: To be pedantic, though, I wouldn't say the 'D' in DDoS is the very definition of clogging the network layer. DDoS AFAIK is the progression from DoS which didn't clog the network and was effectively mitigated with IP filtering. The more effective DDoS defeated that, and the network clogging seems an added benefit and problem.
grue
April 22, 2013, 06:36:48 PM |
what if the attacker just floods the server with random packets? there's no captcha for packets, and even if you're dropping them with a firewall, your link is still being saturated.
bitsalame
April 22, 2013, 06:38:09 PM |
> what if the attacker just floods the server with random packets? there's no captcha for packets, and even if you're dropping them with a firewall, your link is still being saturated.

That's what we've been saying all along. Wtf
tysat
April 22, 2013, 06:39:42 PM |
> what if the attacker just floods the server with random packets? there's no captcha for packets, and even if you're dropping them with a firewall, your link is still being saturated.

So you mean they're just DDoS'ing the server?
bitsalame
April 22, 2013, 06:49:59 PM Last edit: April 22, 2013, 07:02:34 PM by bitsalame |
>>>>>> Think about OSI model.
>>>>>
>>>>> How does a model have anything to do with http access to system resources?
>>>>
>>>> Because it's getting clogged up on the network layer.
>>>
>>> Hmm, I suppose that's possible. To me that's an advanced DDoS though, or I guess that could happen naturally with large enough attack...
>>
>> That's not only "possible", it is precisely what is going on. It is the very definition of DDoS. And there are plenty of methods, most of them common knowledge, exploiting weaknesses of the TCP/IP protocol. These days such exploitations aren't sophisticated, they are all easily accessible to any script kiddie.
>
> Right. I'm used to looking at problems from the server level down, not the pipes. As I said earlier it seems the only real way to solve DDoS is take away botnets.
>
> EDIT: To be pedantic, though, I wouldn't say the 'D' in DDoS is the very definition of clogging the network layer. DDoS AFAIK is the progression from DoS which didn't clog the network and was effectively mitigated with IP filtering. The more effective DDoS defeated that, and the network clogging seems an added benefit and problem.

You clearly missed your highlighted quote. I am out of here.

Edit: evidently your understanding doesn't go that far.
acoindr
April 22, 2013, 06:59:18 PM |
>>>>>>> Think about OSI model.
>>>>>>
>>>>>> How does a model have anything to do with http access to system resources?
>>>>>
>>>>> Because it's getting clogged up on the network layer.
>>>>
>>>> Hmm, I suppose that's possible. To me that's an advanced DDoS though, or I guess that could happen naturally with large enough attack...
>>>
>>> That's not only "possible", it is precisely what is going on. It is the very definition of DDoS. And there are plenty of methods, most of them common knowledge, exploiting weaknesses of the TCP/IP protocol. These days such exploitations aren't sophisticated, they are all easily accessible to any script kiddie.
>>
>> Right. I'm used to looking at problems from the server level down, not the pipes. As I said earlier it seems the only real way to solve DDoS is take away botnets.
>>
>> EDIT: To be pedantic, though, I wouldn't say the 'D' in DDoS is the very definition of clogging the network layer. DDoS AFAIK is the progression from DoS which didn't clog the network and was effectively mitigated with IP filtering. The more effective DDoS defeated that, and the network clogging seems an added benefit and problem.
>
> You clearly missed your highlighted quote. I am out of here.

I didn't miss it. I'm saying the attack became distributed in response to IP filtering not in order to clog the network. Denial of Service originally attacked servers not the network. The defense then was to filter problematic IPs. So to get around that distributed IPs were used. This had the added benefit of clogging the network. So when you say the very definition of the 'd' for distributed is clogging the network I disagree; I say that became a welcome side effect when, as you highlight, the attack is large enough. That's my understanding of the topic anyway. It's admittedly not my area of expertise.
Come-from-Beyond
April 22, 2013, 07:27:17 PM |
>> This is actually a great idea. They could even separate their home page from the rest of the system so you could access the home page without a captcha but need to solve one for anything else (which might be more resource intensive).
>>
>>> This could help against application level DDoS but useless against attacks on lower levels.
>>
>> What do you mean "lower levels"? You mean like remote DB access? Any impact on something like that would be solved by using local DB connection only. As for a file server that could require a valid session the same way an application would.
>
> Think about OSI model.

Yes. That's exactly what I meant when I said "lower levels".
Stunna
April 22, 2013, 10:37:33 PM |
This wouldn't be effective, new ways to mitigate must be developed.
papaminer
April 22, 2013, 10:39:18 PM |
lolz...
the easiest and cheapest way to mitigate DDOS as of today is use...
CLOUDFLARE
tysat
April 22, 2013, 11:32:22 PM |
> lolz...
> the easiest and cheapest way to mitigate DDOS as of today is use...
> CLOUDFLARE

For static content (I believe)