Comment by dijit
1 day ago
You should talk to a network engineer before making claims like this. There are mechanisms to curtail DDoS attacks at origin.
For a few reasons (political, economic) there's little will to enact them; these attacks are so few and far between, and you can pay your way out of them in most cases, so the incentives aren't there for ISPs (who are a commodity judged primarily on price and bandwidth).
How exactly would you keep the origin from sending a command to a botnet?
You don't stop the message to the botnet, that's impossible:
You detect the behaviour downstream and send a signal to the ISP that there is traffic that needs to be rate limited.
One mechanism for this is called RTBH (Remote Triggered Blackhole), which relies on community-tagged prefixes of addresses exceeding rate limits being blackholed from forwarding traffic further into the internet.
There are also things like FlowSpec, but a lot of it relies on proper trust between ASNs.
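The RTBH exchange described in that reply, as an added example that is not part of the thread: the downstream side detects a destination exceeding a rate threshold, announces it as a /32 tagged with a blackhole community, and the upstream accepts the announcement only for address space that customer is authorised to originate (the "trust between ASNs" part) and installs it with a discard next hop. The community value 65535:666 is the well-known BLACKHOLE community from RFC 7999; the threshold, addresses, the dict-based route format and the policy functions are assumptions for illustration, standing in for what a router would do with a BGP route-map or policy-statement.

```python
"""Toy model of Remote Triggered Blackhole (RTBH) signalling between a customer and its upstream.

Added example, not from the thread. The threshold, addresses and policy are assumptions modelled
on common practice; real deployments express the same logic in router BGP policy, not Python.
"""
import ipaddress

BLACKHOLE_COMMUNITY = "65535:666"   # well-known BLACKHOLE community (RFC 7999); assumed trigger
RATE_THRESHOLD_PPS = 10_000         # hypothetical per-destination packets-per-second threshold
DISCARD = "discard"                 # upstream installs accepted victims with a null/discard next hop

# Constructed sample: per-destination packet rate seen by the customer's flow collector.
SAMPLE_RATES = {
    "203.0.113.7": 250_000,   # victim host, clearly above threshold
    "203.0.113.8": 120,       # normal traffic
    "198.51.100.9": 40_000,   # above threshold, but NOT in the customer's own address space
}


def detect_targets(rates, threshold=RATE_THRESHOLD_PPS):
    """Downstream detection: destinations whose observed rate exceeds the threshold."""
    return sorted(dst for dst, pps in rates.items() if pps > threshold)


def customer_announcements(targets):
    """Customer side of RTBH: one /32 host route per victim, tagged with the blackhole community."""
    return [{"prefix": f"{dst}/32", "communities": {BLACKHOLE_COMMUNITY}} for dst in targets]


def upstream_import(announcement, authorised_prefixes):
    """Upstream import policy (assumed): accept a blackhole-tagged host route only if it lies inside
    the prefixes this customer is authorised to originate. Without that check a customer could
    blackhole anyone's addresses. Returns (prefix, next_hop) when accepted, None when rejected."""
    net = ipaddress.ip_network(announcement["prefix"], strict=True)
    if BLACKHOLE_COMMUNITY not in announcement["communities"]:
        return None                       # ordinary route: not RTBH, handled by normal policy
    if net.prefixlen != net.max_prefixlen:
        return None                       # only host routes may be blackholed
    allowed = (ipaddress.ip_network(p) for p in authorised_prefixes)
    if not any(net.version == a.version and net.subnet_of(a) for a in allowed):
        return None                       # outside the customer's space: rejected
    return str(net), DISCARD


def run_rtbh(rates, authorised_prefixes):
    """End to end: detect, announce, filter at the upstream; returns the upstream's blackhole
    routes as {prefix: next_hop}."""
    rib = {}
    for ann in customer_announcements(detect_targets(rates)):
        accepted = upstream_import(ann, authorised_prefixes)
        if accepted:
            rib[accepted[0]] = accepted[1]
    return rib


def forwarding_decision(rib, dst):
    """Lookup against the blackhole routes: 'discard' for blackholed victims, 'forward' otherwise."""
    addr = ipaddress.ip_address(dst)
    for prefix, next_hop in rib.items():
        if addr in ipaddress.ip_network(prefix):
            return next_hop
    return "forward"


if __name__ == "__main__":
    rib = run_rtbh(SAMPLE_RATES, ["203.0.113.0/24"])
    print(rib)   # {'203.0.113.7/32': 'discard'}
    for dst in SAMPLE_RATES:
        print(dst, forwarding_decision(rib, dst))
```

Note what RTBH does and does not do: the accepted /32 is dropped at the upstream edge, which protects the customer's links and the rest of their prefix, but it also completes the denial of service for that one victim address. The 198.51.100.9 announcement is rejected because it is outside the customer's authorised space, which is the kind of prefix validation an upstream needs before it will honour blackhole requests from a peer.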
It's not that simple and hasn't been for a while.
There's layer upon layer of relays now, and meshed C2C networks.
Lots of DNS fast-flux too.
How do you know where it comes from, if they use UDP and change the src of the packets?