So, after thinking about this a little more, there is nothing preventing the Botnet operators from doing a DNS lookup and simply targeting the new IP address. However, that would let us weed out legitimate traffic from botnet traffic over enough iterations. ISPs could have a three strikes rule for clients. 1st time you attempt to contact an IP address on the DDoS target list, strike one, most "strike one traffic" is probably legit, people pressing F5 trying to reload the site, etc. Strike two, and you start to see exactly which addresses are following the DNS chain and propagating the attack, by strike three+ (if ISPs are reporting their "repeat offenders" to a central clearing house), you have a pretty decent picture of all the end nodes in the Botnet. You Null Route those, too, in a separate list. Same TTL expiration as the DDoS target list. When people call their ISPs to bitch, the tech on the other end notices the red flag on the account and asks the owner to kindly unplug their smart toothbrush (or whatever brain dead IoT device is being utilized) if they would like to have their internet turned back on. Avoiding false positives on Botnet membership would require the targeted site to put up some kind of "This site is under attack!" notice so people know to stay clear while the members of the Botnet are identified and blocked.
If we had a global registry of DDoS targets that we added new addresses to when the bandwidth of an attack broached limit X from number of sources Y (100gbps / 1million bots?), then we could require ISPs to run automated scripts that Null Route those addresses in the database for time period Z (1 day?) The Botnet gets rejected at the edge in those cases, but the end result is the same for the target, they have to move or wait. If you can get the move done fast enough (up on new IP addresses in an automated fashion within seconds, DNS propagation for those new addresses at the same rate), then there is no loss of service, and no profit for the operators of the Botnet. Or no fun if its "just for the Lulz". So the real problem with DDoS is the inherent lack of configuration speed in the current internet. Blocking IP addresses at the edge routers is a manual process and takes time. Bringing NIC cards up on new IP addresses or changing static NATs in firewalls is a manual process and takes times. Changing DNS records and allowing for propagation, etc, etc. So to beat DDoS, we need to have more automated systems in place for migrating services from one address to another. You destroy the perception that there was any effect from the flood, and you beat DDoS.
That was called Windows 3.x, and it worked very well. Every program had one (or a set) of *.ini files that governed the settings for that program. Need to start fresh? Delete the
IIRC, we were trying (my dad and I) to stay within a certain budget, and we had opted for an EISA (https://en.wikipedia.org/wiki/Extended_Industry_Standard_Architecture) video card with a whopping *1MB* of VRAM. So yes, the initial ram on that build was only 2MB =P Even after we went to 8MB I spent a lot of time setting up config.sys / autoexec.bat to run memmaker with just the right settings. I vaguely remember that you wanted as much free ram as possible in the initial 640KB range, and you could move some things into an area reserved for Monochrome displays to free up a little more. I kept that machine until 1997 (we were poor), and in the end it was dual booting Win 3.1 and Slackware 3.1. I remember kernel compiles on a 486, good god... I'm pretty sure the first one I did was 2.0.29, upgrading from 2.0.25. That was back when taking out all the modules that didn't apply to your hardware (stock kernels always support as much as they can) would net you a HUGE performance gain. Id software made the transition from Windows to Linux pretty easy, as Doom (and more importantly Quake!) ran just fine =) SVGALib for the win.
My family got our first PC in 1994, I was 13 at the time and it came with a Demo disc that had the shareware version of the game. We initially had 2MB of RAM in that 486 DX/33MHz.. so we went out and spent $90 on two 4mb 30pin SIMMS so we could actually play it. Doom was the game that finally pulled me away from consoles and got me into PC gaming, and soon after, programming. Which eventually lead to a career in Network Security / System Administration, and then my own company. I owe a lot to Carmack / Romero's ID software. Anyone else on
If I had mod points... very well said!
^--- This! Remove the 4 minute wait.
OpenSSL has had a good working implementation of ECDSA/ECDH for years: http://wiki.openssl.org/index.php/Elliptic_Curve_Cryptography
What exactly does BlackBerry have chained down that we don't have an open solution for?
Well, it's a start. As soon as they find a way to refresh the state at a regular frequency we'll be able to store (not just transmit) information with light. I hope it involves the use of tiny, tiny mirrors. =P
Consultants are mystical people who ask a company for a number and then give it back to them.