Linux - Networking
This forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.
What the OP is explaining exists; it's called load balancing.
Major websites use this technique to distribute the traffic load among x amount of webservers
(mostly using internal proxy techniques along with load balancers).
That's the reason major sites are always available, even when being heavily DDoS'd.
Even more, most of their webservers are distributed among several subnets, and even networks (peers, so to say).
That way, they have rock-stable redundancy.
For smaller sites, this is almost not possible, due to the technical requirements (and the money it costs to buy/set up).
Even more so, why should smaller sites? It's no fun for those cyberbullies to DDoS a small "personal" webserver. No, what is more likely to happen is being defaced (meaning that if your website uses a buggy CMS, e.g. Joomla, the bully will do an SQL injection so that the contents of pages are changed to whatever the bully wants, just to nag you).
Isn't it possible for a large enough botnet to bring them down too? Ultimately the main thing that matters is who has the most collective bandwidth, the attacker or the attacked.
So I reckon N ADSL users have more bandwidth than www.yahoo.com, and can therefore withstand larger load attacks. For DoS attacks I guess the numbers would be different; a higher N would be required for a given M. In other words, I think a bad guy with a dial-up connection can bring down an ADSL site if they use denial-of-service attacks rather than just a load attack. Can anyone confirm?
Now what is N to beat a bad guy with M ADSL computers?
Yes, they update THEIR DNS faster but it does not update ALL the DNS faster; most will still have to go through the process that I described. If ALL of the clients use the service's DNS it would work, but that would (again) make that DNS the new target.
Quote:
Yes, they update THEIR DNS faster but it does not update ALL the DNS faster; most will still have to go through the process that I described. If ALL of the clients use the service's DNS it would work, but that would (again) make that DNS the new target.
To put it another way, so long as you can send a SYN flood against a target faster than it can handle them, and so long as you can scale your attack up cheaper than the target can scale up its ability to handle the traffic, a DDoS attack will always win. That's why the Tarpit defense works... it reverses the dynamics, causing the attacking PCs to get bogged down without causing a significant load on the defending server.
Now if only they'd rewrite the law so that you can't get sued for disrupting ILLEGAL communications traffic...
Quote:
Yes, they update THEIR DNS faster but it does not update ALL the DNS faster; most will still have to go through the process that I described.
I am aware of the process you described, but something must render it less relevant in real life, because otherwise how can services like DynDNS exist and keep their customers? My guess is 99.9% of visitors to a domain see the latest IP much, much sooner than a day after it is changed, probably in minutes, and that's probably good enough for DynDNS customers.
And let's not forget, delay matters little when all IPs have the same content. It is the frequency of updates that matters in our case.
Quote:
so long as you can send a SYN flood against a target faster than it can handle them, and so long as you can scale your attack up cheaper than the target can scale up its ability to handle the traffic, a DDoS attack will always win.
Does it not make a difference that the target is a new one every few seconds? Is the attacker going to abandon old targets? If they do, old targets will work normally when normal visitors to them press F5 to an address that looks like http://195.24.13.11/ (random example) or click a link to that.
What is your alternative to using their service? This is why their service is used. I would guess that 90% of the servers will be updated within a few hours.
If you are going to use strictly IP addresses (and not www.whatever.XXX) you do not need to use a DNS registration at all. It all boils down to how your clients will get the IP (or IPs). If the attacker can get these IPs then they can attack your sites. The question is, how are you going to provide the clients with the IPs without giving it to the attackers? Once the attackers have the IPs then they can attack. Odds are VERY high that they will have more machines than you do.
Quote:
What is your alternative to using their service? This is why their service is used. I would guess that 90% of the servers will be updated within a few hours.
If I ever use them, let's make an experiment here online to find out what's the average delay for 5 or 10 of us.
Quote:
The question is, how are you going to provide the clients with the IPs without giving it to the attackers?
I can't hide these IPs from the attackers; it's a public network. I'm only hoping regular users will somehow see IPs not currently attacked by hostile users.
Maybe a Firefox addon would ensure all users can press F5 and see the old IP that's been abandoned by the attackers (they'd have to abandon old ones as they cannot attack all 1,000,000 IPs).
For this, the addon would bypass normal domain lookups by the system and do its own.
I am not aware that there is a limit, although the service may consider it abuse if one were to change it too often (multiple times a day, every day).
Also keep in mind that in most cases DNS records seldom change. Even your typical IP from an ISP does not change very often. It is fairly common for a cable modem to have the same IP for months, and it is not unheard of for that to extend over a year.
What if I set up my own DNS server that only holds the IPs of participating people (while visitors temporarily change their DNS settings to point to my DNS server by means of a Firefox addon or something)?
If my tracking server only accepts DNS lookups and no other traffic at all, is it any harder to bring down than a normal P2P server of the same bandwidth?
In order to change your DNS settings you generally have to restart network services on your machine (client). Most people would be reluctant to do this for two main reasons. First, people just do not want to do anything they do not have to. Second, it is a security issue: for the time that they are using your DNS, all their other running processes are dependent on your security (which is in question).
No, doing it this way would not make any difference. Traffic is traffic and it has to be dealt with in some way.
Quote:
In order to change your DNS settings you generally have to restart network services on your machine (client)
I thought that Firefox addons can provide the required functionality without messing with the system network services settings. Do you have any information that suggests otherwise, or have you perhaps written an addon?
Quote:
Second, it is a security issue: for the time that they are using your DNS, all their other running processes are dependent on your security (which is in question).
If it's just the browsing that depends on my DNS server it doesn't ask for too much trust, and it's over when you press the addon button and go back to the normal web.
Quote:
First, people just do not want to do anything they do not have to.
Not all people get their news from mainstream media and the content that matters is already being suppressed somewhat by Google's search engine and others, and much worse is to come, including forced site closures one way or another. So the motivation to read independent content will increase and therefore the motivation to read distributed content will increase.
Quote:
No, doing it this way would not make any difference. Traffic is traffic and it has to be dealt with in some way.
In terms of other functionality, i.e. when it's not being attacked, isn't it much less costly and more efficient to accept nothing but DNS lookups and DNS updates?
Many people use their browsers to do banking (and other necessary secure transactions) using their browser. So yes, it is asking for a TON of trust. As far as I know the network service can only use one (set) of DNS servers at a time. I have never seen a setup that changes the DNS for JUST the browser. If you have such an addon please post a link to it. Edit: I suppose you could run through a proxy server, but you would be using the local machine's DNS until you were on the proxy (then you would be using whatever DNS the proxy was using). Then the target just becomes the proxy server.
What does people not changing their DNS server (due mostly to laziness) have to do with mainstream media?
If you are referring to bandwidth costs, you get charged for all traffic, not just the traffic that you accept. Which is one of the reasons metered billing for residential lines is such a bad idea. If you mean machine resources (CPU cycles etc.), sure, rejecting all traffic except on port (whatever) means that (after refusing that connection) no further machine resources are used on that connection (you still eat the bandwidth).
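
Added example, not part of any post in this thread: a small deterministic model of the DNS update delay debated above, showing how the record's TTL decides whether clients see a changed IP in minutes or in up to a day. It assumes resolvers cache for exactly the TTL, except an assumed share that clamps short TTLs to a floor; the TTLs, resolver count and clamp value are constructed.

```python
# Added illustration: deterministic model of DNS cache expiry after an A-record change.
# All numbers (TTLs, resolver count, clamp floor) are constructed assumptions.

def seconds_until_refresh(cache_age, effective_ttl):
    """Seconds after the change until one resolver drops the old record."""
    return max(effective_ttl - cache_age, 0)


def fraction_updated(t, ttl, resolvers=1000, clamped_percent=0, clamp=3600):
    """Share of resolvers answering with the new IP t seconds after the change.

    clamped_percent: assumed share of resolvers that raise short TTLs to `clamp`.
    """
    clamped_count = resolvers * clamped_percent // 100
    updated = 0
    for i in range(resolvers):
        eff = max(ttl, clamp) if i < clamped_count else ttl
        # Constructed population: cache ages spread evenly over one TTL window.
        age = (i % 100) * eff // 100
        if seconds_until_refresh(age, eff) <= t:
            updated += 1
    return updated / resolvers


def propagation_table(ttl, checkpoints, **kw):
    """(seconds, fraction updated) pairs for a list of checkpoints."""
    return [(t, fraction_updated(t, ttl, **kw)) for t in checkpoints]


if __name__ == "__main__":
    for label, ttl, kw in [
        ("60 s TTL (dynamic-DNS style)", 60, {}),
        ("60 s TTL, 20% of resolvers clamp to 1 h", 60, {"clamped_percent": 20}),
        ("86400 s TTL (one day)", 86400, {}),
    ]:
        print(label)
        for t, frac in propagation_table(ttl, [30, 60, 3600, 86400], **kw):
            print(f"  after {t:>6} s: {frac:.1%} see the new IP")
```

In this constructed population a 60-second TTL moves every TTL-honoring resolver within a minute, while a one-day TTL has moved only 4% of them after an hour, so both sides of the delay argument hold for different TTL settings.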