No, you don't, because that's a bad analogy. We do however go to states and counties to protect the infrastructure they paid the contractor to build.
ISPs are uniquely situated to stop this kind of DDoS because the traffic originates from IPs they don't own. The traffic has a spoofed from address. And as a rule, the ISP should only need to send traffic out of a neighborhood from the block of IPs that is assigned to that neighborhood. You can put a filter on every switch or even every interface allowing only traffic from the IP or IPs on the other side of the link to send traffic. A company like Comcast could make it a default part of account setup scripts. If everyone did that, these would disappear overnight.
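The per-interface filter described in the comment above, as an added illustration that is not part of the thread: each access interface of a router is tied to the prefixes assigned to the neighborhood behind it, and any packet whose source lies outside those prefixes is dropped and recorded. The interface names, prefix assignments (documentation ranges only) and sample packets are constructed for the example; the "victim" address stands in for a reflection target whose address a bot would forge as source.

```python
import ipaddress
from collections import defaultdict

# Constructed, hypothetical interface-to-prefix assignments for one access router
# (documentation ranges; not a real network).
ASSIGNMENTS = {
    "gige0/1": ["198.51.100.0/24"],                  # one neighborhood's IPv4 block
    "gige0/2": ["192.0.2.0/25", "2001:db8:1::/48"],  # another neighborhood, dual-stack
}


class IngressFilter:
    """Source-address validation on access interfaces (BCP 38 style).

    A packet arriving on an access interface is forwarded only if its
    source address lies inside a prefix assigned to that interface.
    Everything else is dropped and recorded per interface."""

    def __init__(self, assignments):
        self.allowed = {
            iface: [ipaddress.ip_network(p) for p in prefixes]
            for iface, prefixes in assignments.items()
        }
        self.drops = defaultdict(list)  # iface -> [(src, dst), ...]

    def permits(self, iface, src):
        nets = self.allowed.get(iface)
        if not nets:
            return False  # interface with no assignment: deny by default
        addr = ipaddress.ip_address(src)
        # 'in' is False across address families, so a v6 source never matches a v4 prefix
        return any(addr in net for net in nets)

    def forward(self, iface, src, dst):
        if self.permits(iface, src):
            return True
        self.drops[iface].append((src, dst))
        return False

    def offending_interfaces(self):
        """Interfaces that emitted spoofed traffic, most drops first:
        the list an operator would follow up on (which customer link, not which forged source)."""
        return sorted(self.drops, key=lambda i: len(self.drops[i]), reverse=True)


# Constructed sample traffic: (ingress interface, source, destination).
# Spoofed packets carry the victim's address (203.0.113.10) as source and are
# aimed at an open resolver (192.0.2.200), i.e. a reflection attempt.
SAMPLE_PACKETS = [
    ("gige0/1", "198.51.100.25", "192.0.2.200"),        # legitimate query from the neighborhood
    ("gige0/1", "203.0.113.10", "192.0.2.200"),         # spoofed: victim's address on the wrong link
    ("gige0/1", "203.0.113.10", "192.0.2.200"),
    ("gige0/2", "192.0.2.7", "203.0.113.10"),           # legitimate
    ("gige0/2", "2001:db8:1::42", "2001:db8:ffff::1"),  # legitimate IPv6
    ("gige0/2", "10.0.0.1", "203.0.113.10"),            # spoofed private source
    ("gige0/3", "198.51.100.99", "203.0.113.10"),       # interface with no assignment
]


def run_filter(packets=SAMPLE_PACKETS, assignments=ASSIGNMENTS):
    """Apply the filter to a packet list; return (forwarded, dropped, filter)."""
    f = IngressFilter(assignments)
    forwarded, dropped = [], []
    for pkt in packets:
        (forwarded if f.forward(*pkt) else dropped).append(pkt)
    return forwarded, dropped, f


if __name__ == "__main__":
    fwd, drp, flt = run_filter()
    print(f"forwarded {len(fwd)}, dropped {len(drp)}")
    for iface in flt.offending_interfaces():
        print(f"{iface}: {len(flt.drops[iface])} spoofed packet(s) {flt.drops[iface]}")
```

The point the drop log makes is the one the comment is after: once the filter sits on the customer-facing interface, the forged source address stops mattering, because the record says which link the traffic came in on, and that is something the operator can act on.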
Yes there are, but using your source address means that you are confined by the upload bandwidth of your hosts, instead of some misconfigured DNS server with a 1000Mbps up in a datacenter. You'd just have to work a lot harder to get the bandwidth.
To add to that, you'll definitely get some misconfigured servers with 1000Mbps uploads. And those will be really easy to pick out of the lineup. And then you'd probably be able to call the DC and say that they should block that IP at their border, and they would probably also comply because there's a good chance the customer who was doing 110Mbps won't want to pay for 1000.
As it is now, because the source is spoofed, you can't really take the source offline, only take the destination down to keep the other hosts in close proximity running.
With a TCP connection you can pick the source and drop the handshake, basically never start the connection. Some of the windowing can be used to make a TCP connection less of an issue as well.
If a bot is using its actual source address, you can block its IP at the edge (and even ask the ISP to investigate). Thanks to IP spoofing, that's totally ineffective, so instead the only way to make the attack stop is to null route the host.
How does IP spoofing even work outside of those DNS reflection attacks mentioned on Krebs' blog? [1]
> "many were garbage Web attack methods that require a legitimate connection between the attacking host and the target, including SYN, GET and POST floods."
I constantly see references relating to DDoS attacks about how IP spoofing is such an obvious trick to use but I've never seen any way to actually do it. Why wouldn't every device on the internet spoof their IP?
> Why wouldn't every device on the internet just spoof their IP if it was this obvious thing?
https://spoofer.caida.org/summary.php - compromise a device in one of the ASes not marked "unspoofable." Those ASes do not consistently perform packet ingress filtering.
That's not to say that DDOS attacks stop being possible, but at least they become traceable.
What do you do when you have 10, 20, 50 million bots using their actual source address? Do you just block all 50 million devices? If so, then that would be a great way to initiate denial of service on those devices.
Actually, that would be a good way to take all those insecure devices off the internet, or at least prompt someone to do something about it (even if temporarily, like hitting the "factory reset" button) before reconnecting them.
Most countries don't allow cars on the road that are unsafe due to lack of maintenance. Perhaps it's time to do something similar for internet-enabled devices that cause serious harm to others. Hold the user, manufacturer, or network operator responsible for harm caused by their lack of maintenance.
Most ISPs have a clause in their Terms of Service stipulating that you won't use the service for criminal activity. I'm pretty sure a DDoS can be argued as a criminal activity. So, it is in the ISP's right to stop service to those nodes. --Yes, I understand the consumer isn't the criminal; more so they are the victim and the crime took place on their service.
Further, technologists tend to be pretty good at solving problems. I know this isn't the ISP's problem, but it is a flaw in the network. I'm simply wondering if anyone is attempting to solve this problem at the network level rather than simply building bigger caching services to protect those that pay for protection.