Comment Re:But what laws are they breaking? (Score 1) 139

No, it's not the same but the reaction a company should have is similar because the result of the attack is almost exactly the same.

Choking on a hotdog is almost exactly the same as an angry biker wrapping a half-inch steel chain around your neck and choking you to death. The reaction should be similar.

The only way this would be true is if I had the same IP space on the two carriers, and we don't. In fact the amount of work to move IPs between carriers means that nobody does.

Uh. When our /23 fails on Verizon, Comcast takes up the link. We even have multi-path, so we can send out stuff from the same IP on Comcast OR Verizon at any time; return packets always route down whichever link is active. We have exactly one /23 address space.

Last month, Comcast managed to lose a fiber line. That line was rerouted through our Comcast link. Packets routed to the same IP addresses came down it.

Notice that you completely ignore the question and go off on a tangent back to your same "I only have 1 IP for access" bullshit answer.

We have 510 IP addresses for access. They're on a /23 routed subnet. DDoS any one of those and the rest go down. Do you know why that happens? It has to do with how routing works: a routed subnet, at its last leg, goes across one link (one cable or multiple cables bound together as one link). When you send anything to that subnet, it eventually hits that link. If you flood that link, the whole subnet is blocked off.

Straw man argument, I never said that there was an instant fix to a DDoS.

You started talking about DNS, remember?

Clients generally don't use the IP address, they use the host name for access.

This is saying, "Oh, you just go change the DNS entry for the host under attack, and the packets go nowhere." Yeah, no. DDoS attacks generally don't use the host name; they use the IP address for access.

Given that you can not consider a world without your invalid premise that everything must live on a single static IP address

My premise is that routing works the way it does in the real world, and that attacking a single IP address in a subnet takes down the whole subnet. That's how it works. My premise is also that changing the link used to route your subnet (e.g. from Verizon to Comcast) will bring all traffic--including attack traffic. You function in this imaginary world where you just switch over all your services and somehow evade shitloads of legitimate-like traffic behaving exactly like legitimate traffic, without taking out your legitimate traffic as well; that doesn't work.

I handle these things in the real world. I've handled 14 DDoS attacks this year. I know how our links are built, I know how our links fail over, I know how routing works from routing protocols right down to the way frames are forwarded across the wire. I know, physically, how DDoS attacks work--what links are lighting up, how the packets are formed, and how the routers decide where to forward them. I know how they commingle with legitimate traffic, and how they crowd it out.

I know god damn everything.

You're floundering around with nonspecific and blatantly wrong comments. You don't even understand what DNS does, what it's for, or how IP and hostnames work--otherwise you wouldn't yammer on about how clients access by hostname and not IP. You don't seem to understand how useless DDoS against a DNS server is, either (since every client uses their ISP's local DNS server, which has your server's data cached anyway).

Seriously, what kinds of systems do you architect? Because they're obviously not network systems. Do you mean "System Engineer" as in "guy who builds Web servers"?

Otherwise, if you can answer the question I proposed regarding a line failure and come to a single carrier solution which is HA I will concede to your amazing wisdom.

A DDoS is nothing like a line failure. We already have line failure fail-over: two providers run lines to our building; when our primary ISP has a line failure, our subnet routes to the secondary provider's network, and comes down that line. The entire subnet--that is, the same IP addresses--follow it. So if the line fails (e.g. backhoe hits a comm cable, tree falls on a pole, etc.), we stay up; if someone sends shitloads of data, we don't.

By the way, if you route a separate subnet through the secondary carrier and put two interfaces on every box, you'd have to update DNS (and re-propagate, which could take a day or two) to get your services back up. After all that, there could be a 10 second poll running on the command-and-control box, which sees your site is now responsive (by hostname) and has different IPs; it then relays to all drones to start attacking the new IP address. Congratulations: using multiple IP addresses has gotten you 10 seconds more availability!
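The routing argument in the comment above (one /23, one last-hop link, a failover that moves the whole prefix and the flood with it) can be checked with a small longest-prefix-match model. This is an added example, not code from the original post: the 203.0.112.0/23 prefix, the carrier link names, the service addresses and the victim address are constructed stand-ins.

```python
import ipaddress

# Constructed routing table for the scenario in the comment (not from the post):
# one /23 customer prefix reached via the primary carrier's link, plus a default.
ROUTES = {
    "203.0.112.0/23": "verizon-link",
    "0.0.0.0/0": "upstream-default",
}

# Constructed public services inside that /23 (512 addresses, 510 usable hosts).
SERVICES = {
    "www": "203.0.112.10",
    "mail": "203.0.112.25",
    "vpn": "203.0.113.200",
}


def lookup(routes, ip):
    """Longest-prefix match, the way a router forwards: the most specific
    matching prefix decides the outgoing link."""
    addr = ipaddress.ip_address(ip)
    best_net, best_link = None, None
    for prefix, link in routes.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_link = net, link
    return best_link


def failover(routes, prefix, new_link):
    """Re-home the whole prefix on the other carrier's link. A single host
    cannot be moved on its own without announcing a more specific route, and
    transit providers commonly refuse prefixes longer than /24 (general
    practice, not something the post states)."""
    updated = dict(routes)
    updated[prefix] = new_link
    return updated


def blast_radius(routes, victim_ip, services):
    """Every service that resolves to the same last-hop link as the victim sits
    behind the flooded link, whichever address the attacker picked."""
    victim_link = lookup(routes, victim_ip)
    return sorted(name for name, ip in services.items()
                  if lookup(routes, ip) == victim_link)


if __name__ == "__main__":
    victim = "203.0.112.77"  # an otherwise unused address in the block
    print("attack lands on", lookup(ROUTES, victim),
          "and affects", blast_radius(ROUTES, victim, SERVICES))
    moved = failover(ROUTES, "203.0.112.0/23", "comcast-link")
    print("after failover it lands on", lookup(moved, victim),
          "and still affects", blast_radius(moved, victim, SERVICES))
```

The victim address here is not even one of the services; it only has to be inside the prefix. Before and after the failover the attack and all three services resolve to the same link, which is the whole of the commenter's point.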

Comment Re:But what laws are they breaking? (Score 1) 139

Writing in all caps does not make you correct,

The bold and emphasis tags haven't worked for me in 4 years.

If you have a mail server on the Internet and your line is from Level3 what do you do if your line gets cut?

A line getting cut is not a DDOS. A DDOS is when you open a web browser, go to the page, and hit REFRESH 40 times a second. On 80,000 computers. At the same time. For 2 hours.

A DDoS attack is similar, except that you need to figure out what the target is so that you can start rerouting everything else and filter unwanted content (or non-critical content)

Wrong. DDOS you black hole the server: you shut it off by having the backbone of the Internet route your shit elsewhere. That means your upstream ISP has to insert a static route into their routers--their equipment, not yours.

Not hosting your own DNS is a cost issue, not an impossible task.

You don't fix DDOS by DNS. www.Slashdot.org here is 216.34.181.48, and the plain slashdot.org is .45; if I fire a DDOS at either of those IP addresses, they both go down (it's the same subnet, thus routed to the same link). If you change the slashdot.org DNS, the packets keep coming down that link anyway.

If our Level3 access route gets DDoS'd, we start routing everything over to AT&T or Qwest, or Sprint, or what ever carrier we need to use.

If you fail over the link from Verizon to Comcast, the packets start coming down Comcast immediately. Think about it: when you fail over the link, you are rerouting packets going to those addresses. Well, DDoS packets are going to those addresses. They're not addressed to a link (they can't be), but to an IP address. They flood your active line, always; you can't prevent that.

Clients generally don't use the IP address, they use the host name for access.

Clients generally cache the IP address for a little bit; but that's irrelevant. A DDoS attack, in particular, is ineffective if you run a DNS look-up between each packet: there would be a wide delay between packets (it takes anywhere from 20 to 500 ms to run a DNS look-up; meanwhile, you're trying to send over 2000 packets per second from one node, i.e. one per 1/2 ms). Instead, you pull the IP at the beginning of the attack, and then you start shoving packets at that IP. 800 trillion packets to 216.34.181.45, one DNS look-up.

Again, you are trying to claim that you must hedge all of your bets on a single access point which is absolutely false.

I'm claiming that packets going to a route will affect all routes on that link; and that failing over that link to a different link will route all packets going to that route to the new link. If you are attacking a node on that route, failing over the link will move the attack to the new link. You can't block the attack downstream; it has to be blocked upstream, because the attack is flooding the link, and your firewall or router receives packets *after* they've traversed the link you're trying to defend. Only your upstream ISP can respond to a DDoS in any effective way.

The only "financial decision" you can make regarding this is the decision to buy a different physical line to your building for each individual public service you run. Possibly multiple physical lines for a service, e.g. two lines for an HA web cluster. That means you would pay $500/mo for Verizon 250Mbit/s to your Web server, $500/mo for another Verizon 250Mbit/s line run over a separate cable to your second Web server, $500/mo more for another 250Mbit/s fiber line run to your e-mail server, etc.

You clearly have no idea what you're talking about. This became clear the moment you started treating packet attacks like infrastructure attacks. "Oh, if they cut the link, I'll just use another link." Yeah, no. This isn't that somebody bombed the road to the bunker, so you take a different road; people are dropping bombs on YOU, and whatever road you drive down will have bombs dropped all over it trying to hit your Jeep.

Comment Re:But what laws are they breaking? (Score 2) 139

If a Level3 line is getting hit with a DDoS you reroute traffic to the AT&T line

72.133.15.2, which is on your assigned 72.133.15.0/24 block, is being hit by gigabits of traffic per second. That means everything else on the 72.133.15.0/24 block is affected.

To reroute, you have to call your ISP and failover your incoming route. It comes off the Level 3 line, and onto your AT&T line.

Now your AT&T line is being hit by gigabits of traffic per second, as the traffic is still going to 72.133.15.2, which is routed to the 72.133.15.0/24 subnet.

I'm not talking about fiber traffic; I'm talking about ROUTING A TON OF TRAFFIC TO AN IP ADDRESS. When you move the line that the IP address is on, ALL THE TRAFFIC GOES TO THE NEW LINE. IP addresses are routed to by subnets, which means THE WHOLE SUBNET FOLLOWS THE ROUTE CHANGE, and so the traffic and all affected addresses follow the route change. Your Web, E-mail, FTP, and VPN servers are all affected by this DDOS? Well, when you swap over to your AT&T line, your Web, E-mail, FTP, and VPN servers all go there, and so does the DDOS traffic!

You can change lines when somebody physically digs up and cuts a fiber line. That works. It works when Verizon fucks up and Qwest is working. When bombs are being brought down Green street to your house, blocking off Green street and making the bombers carry them down Violet street to THE SAME HOUSE doesn't stop your house from getting blown up.

Comment Re:This is not the problem (Score 1) 688

Communism is a perfect system, but requires more information than is physically possible to obtain. We have a lot of these types of systems in physics, economics, programming, chemistry, psychology, and so on; they're used to model small-scale effects and search for risks or viable plans, rather than to implement large systems, because it's always impossible to get enough information to implement and maintain a large, theoretically-perfect system.

No shit communism is bad for life. It only works when you can accurately predict every single individual human being's wants, needs, and thoughts, forever. Why do you think I use market models to predict behaviors and develop social and economic policy? High-level models account for these things, largely by providing less concrete goals such as "the market will fix X as long as fixing X in an acceptable way is more profitable than addressing X in any other way, including ignoring it or fixing it in an unacceptable way". The large mistake most hard-nose capitalists make is assuming the market will automatically address X in the most optimal way for all stakeholders in all cases, which is unsurprising when you consider that communists' answer for everything is they simply know everything.

Comment Re:The silver lining (Score 1) 139

If I got you to install a Chromium extension that started when you log into your desktop (KDE, Unity, Gnome, whatnot), I could have you install an extension which runs in the background (like Google Hangouts) and simply pings the shit out of things I tell it to.

In other words: if I can get you to download and run a program on Linux, as a regular user, with no root privileges and no write access outside $HOME, I can turn your machine into a DDOS node in a botnet.

The problem we have on Windows is users downloading stupid shit from the Internet, such as Slashdot's ads constantly sending me to install some kind of codec to watch a video or to a fake Firefox update site. I even got caught by BlueStacks, as I had no idea wtf I was doing and typed "BlueStacks" into Google, and the first result falsely claimed to be the BlueStacks home page (it was a sponsored result!) and packaged 5 pieces of software--TWO of which were malware (one hijacked Firefox by installing some RocketTab extension, which sent everything I did through a proxy)--with BlueStacks.

Any software can install a start-up option in HKCU\Software\Microsoft\Windows\CurrentVersion\Run. Any string entry there is run on start-up for that user. The hive for this is stored in the user's directory (usually C:\Users\$USER\). This is where e.g. Yahoo Messenger puts itself when you install it (if you install it as Administrator, it puts itself in HKLM under the same key, so it starts on log-in for ANY user). Such software can make a connection to a Web site (just like a Web browser), obtain instructions, and then do whatever (e.g. make thousands of connections per second to some IP address, just like a Web browser or FTP client or AOL Instant Messenger).

Writing to C:\Windows isn't required any more than writing to /usr/bin is required. You can hijack someone's computer without administrative rights.
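An added detection-side check for the per-user persistence mechanism described in the comment (not code from the post): parse a `reg export` of the Run keys and flag entries whose executable lives outside the Windows and Program Files trees, which a non-administrator can write. The .reg text below is constructed, as are the alice profile, the updsvc\upd.exe entry and the trusted-root list; treat the output as triage input, since legitimate per-user installers (OneDrive is included for that reason) also live under AppData.

```python
import re

# Constructed `reg export` output (not from the post): the Yahoo Messenger style
# auto-start the comment mentions, a per-user persistence entry of the kind it
# describes, and a legitimate per-user installer that looks the same on disk.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Messenger"="\"C:\\Program Files (x86)\\Yahoo!\\Messenger\\YahooMessenger.exe\" -quiet"
"Updater"="\"C:\\Users\\alice\\AppData\\Roaming\\updsvc\\upd.exe\" /silent"
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\system32\\SecurityHealthSystray.exe"
'''

KEY_RE = re.compile(r'^\[(?P<key>[^\]]+)\]$')
VAL_RE = re.compile(r'^"(?P<name>(?:[^"\\]|\\.)*)"="(?P<value>(?:[^"\\]|\\.)*)"$')

# Heuristic (an assumption of this example): a non-administrator cannot write
# under these trees, so an auto-start pointing elsewhere was planted by
# something running as the user.
TRUSTED_ROOTS = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\")


def unescape(s):
    # Undo .reg escaping: a backslash protects the next character.
    return re.sub(r'\\(.)', r'\1', s)


def parse_run_entries(reg_text):
    """Collect every value under a CurrentVersion Run key as hive/name/command."""
    entries, key = [], None
    for raw in reg_text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group("key")
            continue
        if key is None or not key.lower().endswith("\\currentversion\\run"):
            continue
        m = VAL_RE.match(line)
        if m:
            entries.append({
                "hive": key.split("\\", 1)[0],   # HKCU: this user; HKLM: every user
                "name": unescape(m.group("name")),
                "command": unescape(m.group("value")),
            })
    return entries


def executable_of(command):
    """Pull the program path out of a Run command line (quoted or first token)."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ", 1)[0]


def flag_entries(entries, trusted_roots=TRUSTED_ROOTS):
    """Entries whose executable lives outside the trusted trees."""
    findings = []
    for e in entries:
        exe = executable_of(e["command"])
        if not exe.lower().startswith(trusted_roots):
            findings.append((e["hive"], e["name"], exe))
    return findings


if __name__ == "__main__":
    for hive, name, exe in flag_entries(parse_run_entries(SAMPLE_REG)):
        print(f"{hive}: {name!r} starts {exe}")
```

On a live host the input would come from `reg export HKCU\Software\Microsoft\Windows\CurrentVersion\Run out.reg` (and the HKLM equivalent); the hive column tells you whether the entry fires for one user or for everyone who logs in, which is the distinction the comment draws between installing as a user and as Administrator.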

Comment Re:But what laws are they breaking? (Score 1) 139

The bottleneck is the 1Gbit link that's carrying 1Gbit of DDoS traffic to your border router, which is evaluating it and dropping it all. Dropping that traffic doesn't free up additional bandwidth to carry legitimate traffic; you'd have to block the traffic further upstream.

Comment Re:But what laws are they breaking? (Score 2) 139

I work at a broadcast company. I have worked for the Government. I have worked for a Government contractor.

In all of these cases, Verizon or Comcast or Qwest run a cable to your site. You plug in your router, your firewall, demarc equipment. A packet sent to your network comes to that before you can do anything; you can't get on the backbone of the Internet and block it.

For businesses who do not control the Internet backbone, 1000Mbit/s coming down their 1Gbit/s pipe means they can no longer receive client requests. If they block traffic coming from DDoS sources (static or dynamic detection, but assume correctly blocking only DDoS packets--impossible best case), they will still have traffic coming to their firewall, being evaluated, and being dropped. There won't be room for traffic to come from other sources: a site receiving 5000 connections per second at 20k/s per connection requires 100Mbit/s, but has more than that in DDoS packets trying to force its way down the pipe, and so will receive few legitimate packets. The packets it does receive will be delayed (this is why you receive few legitimate packets: they start queueing, infinitely, and then get dropped off the end).

To stop this, you must have some upstream router (controlled by your ISP) block those packets before they propagate down your link. For DDoS from infected computers, this means your ISP must be able to reliably detect DDoS packets and differentiate them from normal traffic. If you have an on-going short list (50, 100 nodes), you may be able to provide a temporary NULL route. More than likely, you will have one particular server under attack, with a specific public IP, and so will have to have your ISP NULL route YOUR server (take it down entirely) so that your OTHER services stay up.

Our DDoS attacks on our CDN are alleviated automatically by NULL-routing our servers: the server's IP address is sent to the upstream ISP, which drops all packets going to that server. That server has its cable cut from the Internet for a few hours, and becomes non-functional; attacking another server would result in the same, until there is nothing left of our network. Blocking by firewall on the network not only fails to alleviate the problem, but also causes the DDOS traffic to affect all other servers connected to the Internet from that link.
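The point made in this comment and in the earlier reply about upstream blocking (a border firewall drops attack packets only after they have crossed the link, so only an upstream null route frees capacity, and it does so by sacrificing the null-routed address) as an added example, not part of either comment: a constructed capacity model with a 1 Gbit/s link, two legitimate flows and one flood. The FIFO tail-drop approximation, in which every flow keeps the same fraction of its packets once the link is oversubscribed, and all the rates are assumptions of the example.

```python
# Constructed traffic model for a 1 Gbit/s access link (not from the post).
# Rates are in Mbit/s offered toward our prefix from the upstream side.
LINK_CAPACITY = 1000.0

FLOWS = [
    # (destination, kind, offered rate)
    ("203.0.112.10", "legit", 100.0),    # web clients
    ("203.0.112.25", "legit", 20.0),     # mail
    ("203.0.112.10", "attack", 3000.0),  # flood aimed at the web server
]


def share_link(flows, capacity):
    """FIFO tail-drop approximation: once the offered load exceeds the link,
    every flow keeps the same fraction of its packets. The link cannot tell
    which packets are the flood; it simply runs out of room."""
    offered = sum(rate for _, _, rate in flows)
    scale = min(1.0, capacity / offered) if offered else 1.0
    return [(dst, kind, rate * scale) for dst, kind, rate in flows]


def downstream_filter(flows, capacity, block_kind="attack"):
    """Our border firewall drops the flood, but only after it has crossed the
    link. Assumes perfect classification, the impossible best case."""
    arrived = share_link(flows, capacity)
    return [(d, k, r) for d, k, r in arrived if k != block_kind]


def upstream_null_route(flows, capacity, victim):
    """The ISP blackholes the victim address before the link: nothing addressed
    to it arrives, attack or legitimate, and the rest of the prefix gets the
    link back."""
    remaining = [(d, k, r) for d, k, r in flows if d != victim]
    return share_link(remaining, capacity)


def legit_delivered(flows):
    """Mbit/s of legitimate traffic that actually reaches our servers."""
    return round(sum(r for _, k, r in flows if k == "legit"), 3)


if __name__ == "__main__":
    print("no action      :", legit_delivered(share_link(FLOWS, LINK_CAPACITY)))
    print("border firewall:", legit_delivered(downstream_filter(FLOWS, LINK_CAPACITY)))
    print("ISP null route :", legit_delivered(
        upstream_null_route(FLOWS, LINK_CAPACITY, "203.0.112.10")))
```

With these numbers the firewall changes nothing for legitimate traffic: roughly 38 Mbit/s of the 120 offered gets through either way, because the drop happens on our side of the bottleneck. The null route brings mail back to its full 20 Mbit/s and the web server to zero, which is exactly the trade the commenter describes.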

Comment Re:The silver lining (Score 2) 139

Yeah, there you go. "Microsoft should make a secure operating system." You don't understand the problem.

To mitigate DDoS as you say, at the OS level, we would need to make the OS only run software that the Great Benevolent Dictator allows. Microsoft could publish a list of software Microsoft has decided you can install, and you can install only those softwares. Mind you, if the softwares have any security holes, it's still possible to hack in and use the node as a DDOS source.

Think about it. No installing Cygwin. No downloading open source games. No Indie games, unless the Indie developers pay Microsoft to let their games run on their platform. Steam? Uh, no, no software that runs arbitrary code. Java? Java is dead. No scripting languages.

Comment Re:Public Stoning is too good... (Score 1, Troll) 139

What business do you work in? I bet it isn't important. Hospice, I bet. Some hackers disrupted your hospice, and the old people's heating went out, and they all froze to death. Well, who fucking cares? They're just old people; the sun went up that morning AND went down that evening, and only a bunch of old people who were in hospice to die anyway died.

It's business. There are businesses. They make money, and they lose money. YOU are unimportant; yet the police would arrest me for raping and beating and robbing you, even if you didn't die or get HIV. Why? Why should anyone care? The sun went up that morning AND went down that evening, right? You're less important than some gaming services, which millions of people notice when they go offline.

Comment Re:How is it a mistake? (Score 4, Insightful) 386

It's not, and it's not real.

Google made or acquired Gmail, GTalk/Hangouts, Plus, Picasa, Youtube, Docs, an OAuth thing, Chrome, Android, Glass, driverless cars, and so on. Lots of Google products have failed; lots have succeeded.

Google makes things which give them options for monetization, licensing, or new things. The Google car, Google glass, they get Google press and create markets (Google Glass basically created the wearables market; smart watches took over after that, rather than smart glasses). Future potential is there, but so is cross-potential: Google Glass and Android smart watches both share similar characteristics, so many of the same problems solved for one apply to the other. Google's self-driving car might see upgrades and porting into GM and Tesla offerings. It could happen.

By and large, the most important impact of Google's constant experimentation is the sweeping domination of a multitude of markets. Android brought hundreds of millions of users to Google and GMail, ripe for serving ads through that little bar at the top of Gmail. Hangouts brings people to Gmail. Plus was a flop, but is still tangentially used: Google Pictures is Google Plus, and Google Plus is tied into Picasa. People use Picasa. People use Google Docs and Google Drive.

All of these things are things that stuck. Google Drive now sells storage space; sharing links to Google Drive attracts people to Google services. Chrome attracts people to Chromebooks, which attracts them to Google Drive, Gmail, and so on. Failed products could have been these things, but weren't; successful products could have been failed products, but were attempted anyway, and didn't fail.

That's what Google does: they make shit, and see what sticks.

Comment Re:This is not the problem (Score 1) 688

I'm sure this thing called a Cultural Revolution at that exact same time had absolutely nothing to do with it. Or a communist government that mistakenly eradicated beneficial sparrows as a pest a decade prior (Google Four Pest Campaign).

I brought up China due to a previous argument with somebody over whether China's traditional diet was "very healthy" due to not containing much meat (98% grains and vegetables, bits of meat for flavoring). China had a major revolution, alright: in the late 1970s, they drastically increased their meat consumption. This has been cited in studies on diet because the drastic boost in China's lifespan occurred during a period where the only thing that changed was diet: China's cultural revolution occurred a decade away from their major health gains, which coincided with their dietary changes.

Let's not forget that meat is expensive.

Comment Re:This is not the problem (Score 1) 688

The fact remains you want to imagine that people who are not eating as much food as they need each day are not starving, are not experiencing negative effects from chronic hunger, and thus are not facing degrading health and eventual early death from not eating. This includes people who are so far from having enough food as to experience physical pain from hunger multiple times each week.

You have built up an argument around not needing to solve any hunger problems in America because nobody is starving; it is as if you had said that sokushinbutsu were not killing themselves. You may as well say that vaccinations are a waste of money because nobody is dying from being unvaccinated, or that water sanitization is a waste of time because we don't have scattered bodies from entire towns being wiped out by toxic water.

I recall instead the more well-grounded example of China, with its single change of diet in the late 1970s suddenly moving the median age of death from 39 years to 80 years--with an average lifespan of nearly 40 years, nobody was exactly "dying of starvation", right? Even though simply giving them proper access to FOOD doubled their life span, they were not starving to death? These were not people dying from a rigorous practice of self-mummification over years, or from contaminated water; they were people who were not properly fed, who were malnourished to the point of weakening and slowly destroying the body over decades. Access to food increased the average lifespan by 40 years; the same will be true of the poor in America: their lifespans will expand by decades when we correct the hunger problem in America.

You can play your let's-pretend preschool games all you want, but that's the truth: people are losing tens of years off their lives in America thanks to hunger. People are living to their 30s and 40s because they routinely don't get enough to eat, and changing that will give them lifespans into the 60s and 80s. When they die, they die of typhoid or heart disease or "natural causes"; they don't die of "starvation". The cause of their short lifespans is hunger, malnourishment, starvation. That is the reality your clouded and distorted mind cannot see.
