Re: git /cgit/ DDOS attack, rsync security
From: Carlo Wood
Subject: Re: git /cgit/ DDOS attack, rsync security
Date: Wed, 22 Jan 2025 22:31:55 +0100
On Tue, 21 Jan 2025 22:34:06 -0700
Bob Proulx <bob@proulx.com> wrote:
> > I never heard back from the committee, and to this day I don't know
> > if IPv6 did implement this "filter at the source" possibility, or
> > if they f*-ed up and missed the opportunity to get rid of ddos
> > attacks when IPv6 was first rolled out.
>
> Wait... Is this something that actually exists? Or is this just a
> proposal? I am unaware of any such functionality. That doesn't mean
> anything as I am far from any authority on IPv6.
>
> If you know how to do this though I would be very interested in
> learning how to perform this type of blocking.
At the time I was developing the ircd of Undernet (at the time the
second largest IRC network), and script kiddies used to flood channels
by connecting large amounts of bots to a lot of (irc) servers which
then flooded a single user or channel.
The user could not stop this: the flood was too big (exactly as you
describe is the case of "any single system" being ddossed).
I added to the protocol a new command called "SILENCE", that
can be used with a mask. This command propagates towards whoever
matches and filters their messages at the source, hence no longer
loading the client-server connection of the victim, but also not
the server-server connections in between.
Once the script kiddies couldn't flood users and channels anymore
using the IRC protocol, they started to use ddos, to flood with
IP packets. This is why we did hide all hostnames and IP-numbers of
users. From that moment on, the script kiddies started to flood
the servers; which resulted in the IRC network hiding all HUBS,
so that they could only flood end-points, no longer taking down
the whole network.
I've always been convinced that this development (by the IRC protocol
and servers) has been the trigger and start of botnets that ddos.
Hence, being an authority on the social and psychological background
of ddos - and how to stop it - when IPv6 was being developed, I emailed
them that this was a great opportunity to build the same capability
into ipv6 (or rather, that it was a must, as it was the only way to
make ddos a thing of the past).
I guess they ignored me. So now we still have the same ddos problems
costing companies millions if not more. People are stupid.
So no, apparently it doesn't exist.
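To illustrate the "filter at the source" idea behind SILENCE, here is an added simulation (not the Undernet ircd code, and not from the original mail): a constructed chain of servers, a flooder, a legitimate user and a victim; a SILENCE mask propagates from the victim's server toward every matching client, and the server hosting a matching sender drops the message before it loads any link. Mask matching uses fnmatch as a stand-in for IRC nick!user@host wildcards.

```python
from fnmatch import fnmatchcase   # IRC masks (nick!user@host with * and ?) map onto fnmatch

class Server:
    def __init__(self, name):
        self.name = name
        self.clients = {}    # nick -> nick!user@host
        self.silence = {}    # victim nick -> masks the victim silenced, as learned by this server

class Network:
    """Linear chain of servers; the index distance between two servers is the number of links."""
    def __init__(self, names):
        self.servers = [Server(n) for n in names]
        self.link_crossings = 0   # total server-to-server link traffic observed

    def add_client(self, idx, address):
        nick = address.split("!")[0]
        self.servers[idx].clients[nick] = address
        return nick

    def locate(self, nick):
        return next(i for i, s in enumerate(self.servers) if nick in s.clients)

    def silence(self, victim, mask):
        # Propagate from the victim's server toward every client the mask matches, so the
        # server hosting each matching sender learns the rule and can drop at the source.
        v = self.locate(victim)
        for i, s in enumerate(self.servers):
            if any(fnmatchcase(a, mask) for a in s.clients.values()):
                for j in range(min(v, i), max(v, i) + 1):
                    self.servers[j].silence.setdefault(victim, []).append(mask)

    def privmsg(self, sender, target):
        """Deliver a message; return how many server links it crossed (0 = dropped at source)."""
        src, dst = self.locate(sender), self.locate(target)
        addr = self.servers[src].clients[sender]
        if any(fnmatchcase(addr, m) for m in self.servers[src].silence.get(target, [])):
            return 0                              # sender's own server drops it: no link loaded
        hops = abs(dst - src)
        self.link_crossings += hops
        return hops

def demo():
    # Constructed topology and addresses; nothing here is taken from a real network.
    net = Network(["hub1", "hub2", "leaf-a", "leaf-b"])
    bot = net.add_client(0, "bot1!flood@bots.example")      # flooder on hub1
    bob = net.add_client(1, "bob!b@home.example")           # legitimate user on hub2
    alice = net.add_client(3, "alice!a@users.example")      # victim on leaf-b
    before = net.privmsg(bot, alice)                        # 3 links loaded
    net.silence(alice, "*!*@bots.example")
    after = net.privmsg(bot, alice)                         # 0: dropped on hub1
    legit = net.privmsg(bob, alice)                         # 2: unaffected
    return before, after, legit
```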