Comment by rgilton

5 hours ago

What would the Internet's architecture have to look like for DDOS'ing to be a thing of the past, and therefore Cloudflare to not be needed?

I know there are solutions like IPFS out there for doing distributed/decentralised static content distribution, but that seems like only part of the problem. There are obviously more types of operation that occur via the network -- e.g. transactions with single remote pieces of equipment etc, which by their nature cannot be decentralised.

Anyone know of research out there into changing the way that packet-routing/switching works so that 'DDOS' just isn't a thing? Of course I appreciate there are a lot of things to get right in that!

What would that look like? A network with built-in rate & connection limiting?

The closest thing I can think of is the Gemini protocol browser. It uses TOFU for authentication, which requires a human to initially validate every interaction.

Something like a mega-transnational-parent ISP authority and give tech giants LaLiga kind of power.

It's impossible to stop DDoS attacks because of the first "D".

If a botnet gets access through 500k IP addresses belonging to home users around the world, there's no way you could have prepared yourself ahead of time.

The only real solution is to drastically increase regulation around security updates for consumer hardware.

  • Maybe that's the case, but it seems like this conclusion is based on the current architecture of the internet. Maybe there are ways of changing it that mean these issues are not a thing!

    • It's not an architectural problem. It's a fundamental issue with trust and distributed systems. The same issues occur in physical spaces, like highways.

      The core issue is that hackers can steal the "identity" of internet customers at scale, not that the internet allows unauthenticated traffic.

  • Do the IP addresses botnet members get logged? Could those IP addresses be automatically blocked by DNS until they fix their machine?

    • IP addresses aren't unique or stable. You can't use them to identify individual devices.

Build it into the protocol that you must provide bandwidth in order to have your requests served. A bit like forcing people to seed torrents.

  • Works for static content and databases, but I don't think it works for applications where there is by necessity only one destination that can't be replicated (e.g. a door lock).