I'm really concerned that DDoS attacks are going to lead to the death of the open Internet and its balkanization and isolation behind walled gardens. If you look at where Cloudflare and some of the big clouds are going with their private networks, private backplanes, and "secure your traffic by putting it all over our network" zero trust plans, it seems to be going that way.

If open peering and the open Internet are to survive I think serious work needs to be done to fight DDoS attacks. It needs to be an effort analogous to the "war on spam" in the late 1990s / early 2000s. Unfortunately that war was sort of lost; e-mail is in practice barely an open protocol anymore and almost all e-mail is handled by a few giant companies that can leverage big data to filter spam. If you try to DIY a mail server you'll be simultaneously hit by spam and have to constantly fight mistaken filtration by larger e-mail providers who tend to distrust small mail servers by default.

If the open Internet succumbs to DDoS "spam," we will lose something really huge and important. It would be the ultimate casualty of what so far has been almost a law (with very few exceptions): all open systems are destroyed by abuse if they become sufficiently popular.

We also can't just leave it to the free market because the only solution the market will likely come up with is walled gardens. It's the easiest-to-engineer solution and the easiest to monetize.
Seems like a potential mitigation would be to send the affected devices a small stream of packets that tell them to generate traffic for e.g. an invalid IP, local IP, or their own public IP.

Once that hits, the device would then be sending the traffic harmlessly to /dev/null for the next 14 hours and be unavailable for attacks.

Not sure about the legal and ethical implications of that.
Tracking down these systems is easy, so these issues can normally be solved pretty easily.

That's because typically any amplification vector doesn't allow the source IP of the amplifier to be spoofed. So as soon as a DDoS attack begins, a sample of the packets can be taken to get a list of the amplifiers used. Those can then be tracked down and patched to no longer act as amplifiers.
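The sampling step described in the comment above, as an added example that is not part of the thread: it reads sampled packet records seen at the victim, keeps UDP traffic whose source port belongs to a commonly reflected service, and totals packets and bytes per amplifier so operators can be notified in order of impact. The record format, the port list and all addresses (documentation ranges) are assumptions constructed for the example, and source-port matching is a heuristic, not proof of reflection.

```python
from collections import defaultdict

# Assumed list: UDP source ports of services commonly abused for reflection.
AMPLIFIER_PORTS = {53: "DNS", 123: "NTP", 389: "CLDAP", 1900: "SSDP", 11211: "memcached"}

# Constructed sample, one sampled packet per line:
# src_ip src_port dst_ip dst_port proto bytes
SAMPLE = """\
198.51.100.7 123 203.0.113.10 44121 udp 468
198.51.100.7 123 203.0.113.10 44121 udp 468
192.0.2.55 53 203.0.113.10 51200 udp 3012
192.0.2.99 51515 203.0.113.10 443 tcp 60
198.51.100.23 11211 203.0.113.10 9000 udp 1400
192.0.2.55 53 203.0.113.10 51200 udp 2980
malformed line
192.0.2.200 53 203.0.113.77 40000 udp 512
"""

def find_amplifiers(sample_text, victim_ip, min_packets=1):
    """Return {(amplifier_ip, service): (packets, bytes)} for traffic hitting victim_ip."""
    seen = defaultdict(lambda: [0, 0])
    for line in sample_text.splitlines():
        fields = line.split()
        if len(fields) != 6:
            continue  # skip records that do not parse
        src_ip, src_port, dst_ip, _dst_port, proto, size = fields
        if dst_ip != victim_ip or proto != "udp":
            continue  # only reflected UDP aimed at the victim is of interest
        if not (src_port.isdigit() and size.isdigit()):
            continue
        service = AMPLIFIER_PORTS.get(int(src_port))
        if service is None:
            continue  # source port is not a known reflection service
        entry = seen[(src_ip, service)]
        entry[0] += 1
        entry[1] += int(size)
    return {k: tuple(v) for k, v in seen.items() if v[0] >= min_packets}

def report(amplifiers):
    """Sort by bytes delivered, largest first, to prioritise operator notification."""
    return sorted(amplifiers.items(), key=lambda kv: kv[1][1], reverse=True)

if __name__ == "__main__":
    for (ip, service), (pkts, size) in report(find_amplifiers(SAMPLE, "203.0.113.10")):
        print(f"{ip:15} {service:9} packets={pkts} bytes={size}")
```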
Is it just me, or does it seem crazy that we all just accept that private businesses are obligated to protect themselves from state-sponsored hacking?
Imagine if Wal-Mart had to fund a private air force and patrol over their stores in order to combat foreign bombers coming in and everyone was like, "Yeah, that's just how it goes."

Isn't a primary responsibility of government to protect its citizens and businesses from other states' militaries?