You should talk to a network engineer before making claims like this. There are mechanisms to curtail DDOS attacks at origin.
For a few reasons (political, economical) there’s little will to enact them, these attacks are so few and far between and you can pay your way out of them in most cases, so the incentives aren’t there for ISPs (whom are a commodity judged primarily on price and bandwidth)
you don’t stop the message to the botnet, thats impossible:
You detect the behaviour downstream and send a signal to the ISP that there is traffic that needs to he rate limited.
One mechanism for this is called RTBH (Remote Triggered BlackHole) which relies on community tagged prefixes of addresses exceeding rate limited to be blackholed from
forwarding traffic further in to the internet.
There’s also things like flowspec but a lot of things rely on proper trust between ASNs.
You should talk to a network engineer before making claims like this. There are mechanisms to curtail DDOS attacks at origin.
For a few reasons (political, economical) there’s little will to enact them, these attacks are so few and far between and you can pay your way out of them in most cases, so the incentives aren’t there for ISPs (whom are a commodity judged primarily on price and bandwidth)
How exactly would you keep the origin from sending a command to a botnet?
you don’t stop the message to the botnet, thats impossible:
You detect the behaviour downstream and send a signal to the ISP that there is traffic that needs to he rate limited.
One mechanism for this is called RTBH (Remote Triggered BlackHole) which relies on community tagged prefixes of addresses exceeding rate limited to be blackholed from forwarding traffic further in to the internet.
There’s also things like flowspec but a lot of things rely on proper trust between ASNs.
6 replies →
I heard it's a series of tubes.