[erlang-questions] Erlang/OTP based systems and DDoS

Jesper Louis Andersen jesper.louis.andersen@REDACTED
Mon Oct 27 13:27:59 CET 2014


On Mon, Oct 27, 2014 at 1:04 PM, Rainer Hansen <rainer.hansen@REDACTED>
wrote:

> Do I understand right that it takes time, even with "external help", to
> handle a DDoS attack? The attackers might try various methods and you
> have to defend against them. Getting the defense in place and working
> properly takes time, and the more scalable your infrastructure is, the
> quicker you can get back to normal service quality. Erlang systems can be
> designed to be quite scalable at a reasonable cost, which should make it
> possible to go back to normal service quality faster than less scalable
> systems.
>

DDoS is not a precision tool. The purpose of such an attack is to overwhelm
the system such that the weakest link of the system breaks. Depending on
setup, that weakest link will be different. It works by forcing systems to
misallocate resources. Typical resources are bandwidth, number of socket
connections, memory, disk and CPU time. The way you handle a DDoS attack is
to thwart an attacker's ability to control the resources of your system. You
succeed in the defense when your system survives the attack and recovers
gracefully after the attack. It is essentially guerrilla warfare, where the
economic cost of the attacker is much lower than the economic cost of the
defender.

The problem with sweeping generalizations is that an attacker will just
shift their focus to another part of the system. That is, the attacker will
detect that a pattern which crashes processes does not tie up resources,
and then proceed to make an attack which does.

Systems have an operating capacity and an engineering capacity. That is, an
amount of simultaneous work it can do when it is operating nominally, and an
amount of simultaneous work it can do at its peak stress. The key is to
reject work when you hit the engineering peak of the system. This, in turn,
will protect you against the situation where an enemy seeks to bind
certain kinds of resources: CPU, memory and sockets. But it will not protect
you against the situation where the attack goes for the bandwidth resource.
Hence, if you guard the system against this, then an attacker will
overwhelm your bandwidth. This can be solved by talking to your ISP and
having them filter out connections from the attacker.

To summarize: it has to be a joint effort on all of the system. Otherwise,
the weakest link will break.



-- 
J.
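As an added illustration of the "reject work at the engineering peak" point above (example code written for this page, not from the thread or from OTP): a small gen_server admission gate, with assumed names, that grants a bounded number of slots and rejects callers outright once the limit is reached, so socket, memory and CPU use stay bounded instead of growing with the flood. Slots held by a caller that crashes are reclaimed via monitors, which addresses the remark that crashing processes must not be allowed to tie up resources.

```erlang
%% admission.erl: bounded admission gate (constructed example, not from the thread).
%% Callers acquire a slot before doing work; above Limit (the "engineering
%% capacity") they are rejected immediately rather than queued.
-module(admission).
-behaviour(gen_server).

-export([start_link/1, acquire/0, release/0, active/0]).
-export([init/1, handle_call/3, handle_cast/2, handle_info/2]).

start_link(Limit) when is_integer(Limit), Limit > 0 ->
    gen_server:start_link({local, ?MODULE}, ?MODULE, Limit, []).

%% ok when a slot is granted, {error, overloaded} when at capacity.
acquire() -> gen_server:call(?MODULE, acquire).
release() -> gen_server:call(?MODULE, release).
active()  -> gen_server:call(?MODULE, active).

init(Limit) ->
    %% holders: Pid => MonitorRef for every process currently holding a slot
    {ok, #{limit => Limit, holders => #{}}}.

handle_call(acquire, {Pid, _}, #{holders := H} = S) when is_map_key(Pid, H) ->
    {reply, ok, S};                               % already holds a slot
handle_call(acquire, {Pid, _}, #{limit := Limit, holders := H} = S) ->
    case map_size(H) >= Limit of
        true ->
            {reply, {error, overloaded}, S};      % shed load, do not queue
        false ->
            Ref = erlang:monitor(process, Pid),
            {reply, ok, S#{holders := H#{Pid => Ref}}}
    end;
handle_call(release, {Pid, _}, #{holders := H} = S) ->
    case maps:take(Pid, H) of
        {Ref, H1} ->
            erlang:demonitor(Ref, [flush]),
            {reply, ok, S#{holders := H1}};
        error ->
            {reply, ok, S}                        % releasing twice is harmless
    end;
handle_call(active, _From, #{holders := H} = S) ->
    {reply, map_size(H), S}.

handle_cast(_Msg, S) -> {noreply, S}.

%% A holder died without releasing: reclaim its slot so crashes never leak capacity.
handle_info({'DOWN', _Ref, process, Pid, _Reason}, #{holders := H} = S) ->
    {noreply, S#{holders := maps:remove(Pid, H)}};
handle_info(_Other, S) -> {noreply, S}.
```

A connection acceptor would call acquire/0 before spawning a handler and close the socket on {error, overloaded}; the gate bounds CPU, memory and sockets only, and as the post says it does nothing for bandwidth exhaustion, which has to be filtered upstream.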