
Ask HN: What would it take to end up in a DDoS-free internet? - d33
After the recent DDoS on Dyn, I started to wonder - what mechanisms would we have to implement and deploy to make it more complicated to perform DDoSes? Would for example adding some crypto, e.g. some kind of proof-of-work on TCP actually help here? How helpful would it be if all ISPs stopped allowing IP spoofing? How could we get there?
======
trelliscoded
DDoS mitigation is already a mostly solved problem; IDMS/TMS and RTBH are
things. Many networks don't install them though, and when they do they often
only get tested once an attack starts. For obvious reasons, many network
operators are highly reluctant to hose down production services with test
attacks.

Adding crypto isn't going to help in the case where someone's hosing you down
with reflected UDP traffic, as the packets are still going to transit your
ingress link and clog it up for production requests. Sure, you can force the
use of DTLS, but your load balancers are just going to go "well this is bogus
traffic" and throw it away, but by then it's too late since it's already in
your network.

Mandating egress filtering for traffic isn't going to help that much either,
because then a botnet is just going to stop spoofing traffic. This makes it
easier to mitigate it from the target's perspective, but with a large enough
set of transmitters the target will still see an impact.

The bottom line is that if you want to allow connections from the entire
Internet, then every lightbulb, refrigerator, and lawn sprinkler with a wifi
chip is eligible to connect to you. Unless there's an effort to create
international policies to stop vendors from shipping exploitable firmware for
these things, this problem is just going to keep getting worse for those of us
who can't afford good DDoS protection.

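An added example, not part of the thread, of the egress-filtering point above: a BCP38-style source-validation check run over constructed flow records at a customer edge. It shows that spoofed sources get dropped before they leave, while a compromised host sending from its real address still gets through, which makes the traffic attributable rather than absent; prefixes and addresses are documentation ranges chosen for illustration.

```python
import ipaddress
from collections import Counter

# Constructed sample: the only prefix this customer edge may legitimately
# originate is 203.0.113.0/24 (a documentation range, not a real network).
CUSTOMER_PREFIXES = [ipaddress.ip_network("203.0.113.0/24")]

# Constructed flow records in the shape an edge router exports them:
# (src, dst, dst_port, bytes). 198.51.100.5 plays the DDoS target.
FLOWS = [
    ("203.0.113.10", "198.51.100.5", 443, 900),  # ordinary client traffic
    ("203.0.113.44", "198.51.100.5", 53, 60),    # compromised IoT host, real source
    ("203.0.113.44", "198.51.100.5", 53, 60),
    ("203.0.113.44", "198.51.100.5", 53, 60),
    ("198.51.100.5", "192.0.2.9", 53, 60),       # target's address spoofed towards a DNS reflector
    ("198.51.100.5", "192.0.2.10", 123, 48),     # target's address spoofed towards an NTP reflector
    ("10.0.0.7", "198.51.100.5", 53, 60),        # spoofed RFC 1918 source
]


def source_is_valid(src, prefixes=CUSTOMER_PREFIXES):
    """BCP38-style check: the source must fall inside a prefix this edge may originate."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in prefixes)


def egress_filter(flows=FLOWS, prefixes=CUSTOMER_PREFIXES):
    """Split flows into those forwarded and those dropped by source validation."""
    forwarded, dropped = [], []
    for flow in flows:
        (forwarded if source_is_valid(flow[0], prefixes) else dropped).append(flow)
    return forwarded, dropped


def top_sources(flows, n=3):
    """Rank the real sources behind the flows that got through. With spoofing
    gone, the target or its upstream can attribute and rate-limit by origin,
    which is the 'easier to mitigate' half of the comment; the bytes still arrive."""
    return Counter(flow[0] for flow in flows).most_common(n)


if __name__ == "__main__":
    fwd, drp = egress_filter()
    print(f"forwarded {len(fwd)} flows, dropped {len(drp)} spoofed flows")
    print("top real sources:", top_sources(fwd))
```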
------
kogir
Pay-for-use billing would go a long way.

People running insecure networks and devices should feel a financial hit.

~~~
jazoom
Bandwidth is already pay per use?

~~~
kogir
Most users (in the US at least) pay flat fees. Seeing your bill skyrocket
because a compromised device on your network is uploading a constant 30Mbps is
incentive to locate and resolve the problem.

~~~
jazoom
In Australia we pay flat rates but our speed is severely reduced after a
certain limit. You definitely know when you're over.

