On Tue, 09 Mar 2010 15:27:02 +0100, Adrenalin said: > I'm just wondering, even if it's under DDoS, isn't it as easy to block as to > collect the list of IP that send too much data, and just block them on the > upper level ISP ? You *do* realize that a *small* botnet these days is 75,000 machines, and there's a estimated 140 million compromised zombie boxes out there? There's very few boxes that can handle an inbound ACL of 75K entries sanely - usually what ends up happening is the upstream drops all traffic *to* the target node just so all the *other* boxes at the site still get some bandwidth. And "sending too much data" is hard to quantify - if you have enough bots, you can thoroughly DDoS a site using far *less* bandwidth per host than a normal user does. If the site was designed to handle 10,000 clients each sending 5 packets per second for 10 seconds during a login at game start, it will likely fall over if you throw 100,000 bots at it, each sending 4 packets a second continuously...
Attachment:
pgp1OShCMAYD3.pgp
Description: PGP signature
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/