Re: [decentralization] Saaf testimony
Message 6154, Oct 2, 2002

A co-worker of mine has implemented a de-centralized version of an
artificial immune system that would seem ideal for this application.
The system can recognize "self" and will flag "not-self." I know
this description is vague, but my co-worker isn't around right
now (9:00 pm) to help me out. For details on artificial immune
systems, look at http://www.cs.unm.edu/~forrest/papers.html,
particularly "Architecture for an Artificial Immune System" on
Curiously, although this work is ideally suited to a de-centralized
system, all the implementations so far have been on a single
machine, with the exception of my co-worker's. I'll ask him
tomorrow if he would be willing to post his recent conference
My initial thought for implementation is that "self" is defined as
the attacking IP addresses, and "not-self" is anything else.
Packets coming from "self" addresses get logged and ignored, while
packets from "not-self" addresses are allowed in as normal.
Kevin Prichard wrote:
> On 2 Oct 2002, Wes Felter wrote:
>>On Wed, 2002-10-02 at 15:07, Lucas Gonze wrote:
>>>>This type of DDoS is different, in that it is not relying on sheer traffic
>>>>to implement a DoS, but issuing a number of file requests to tie up available
>>>>download slots on peers sharing copyrighted content.
>>>>This is certainly technically feasible, and if they used a distributed network
>>>>themselves to implement the attacks it would be hard to defend against.
>>>Hm, ok, so servents stop using upload slots and instead let uploaders use
>>>all available bandwidth, just like standard web servers.
>>An obvious extension of these two ideas is to open a very large number
>>of idle connections to each Gnutella node, possibly exploiting hard
>>limits or non-scalability in the Windows 9x TCP stack.
> Even if the attack is distributed, my hunch is an attack coming from a
> given IP is an IP that will never be connected to a valid, human-operated
> gnutellanet client. Blocking said IPs could be done, but identifying when
> a downloader is Them (on a per-IP basis) may be difficult, as all
> characteristics of today's clients can be mimic'd.
> Identifying IPs belonging to Them may require pattern analysis of these
> "attacks" across many nodes, which means sharing, possibly pooling,
> knowledge - not really good for decentralization. And, p2p being
> distributed, they can present data themselves, to bias away from their
> pool of IPs. Hrm.
> Just about anything that an author can build into a client can be
> reverse-engineered and added to the DoS code. I wonder if there exists a
> kind of "proof of membership" scheme whereby peer connection records could
> be signed or encrypted, deposited in a distributed pool for analysis.
> Records from actual human-operated clients, possessing proper
> proof-of-membership credential, could be separated from DoS client
> NNTP is a kind of decentralized, rolling database that could be used for
> depositing and pooling connect records. Just about all ISP accounts have
> NNTP access, it hasn't been legislated away (yet.) Problem is, any
> decentralized means by which records get analysed can be used against
> clients wanting to deny service to the DoSers. Unless they are encrypted
> with a public key, and the analysis is carried out by a central node (on
> Sealand. ;^)
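The filtering sketch in the post above (known attacking addresses treated as "self", logged and ignored; every other source treated as "not-self" and served normally), worked through as an added Python example that is not code from the post, from the co-worker's system, or from the Forrest papers. It assumes an r-contiguous-bit matching rule, the detector matching used in the artificial immune system work the post links to, so that one detector covers near-neighbour addresses when r is lowered below 32; the attacker list and the sample packets are constructed for the example (TEST-NET addresses, Gnutella-style download requests on port 6346).

```python
"""Self/not-self packet filter in the sense of the post: source addresses
seen attacking are "self" and get logged and ignored; anything else is
"not-self" and is let through.  Added illustration, not the poster's code."""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Iterable, List, Tuple


@dataclass(frozen=True)
class Packet:
    src: str        # dotted-quad source address
    dst_port: int
    request: str    # what the packet asks for (constructed sample text)


def to_bits(addr: str) -> str:
    """Render an IPv4 address as a 32-character string of '0'/'1'."""
    return format(int(IPv4Address(addr)), "032b")


def r_contiguous_match(detector: str, sample: str, r: int) -> bool:
    """Assumed matching rule (r-contiguous bits): the two bit strings agree
    on at least r consecutive positions.  r == 32 is an exact address match;
    smaller r lets one detector cover addresses that differ in a few bits."""
    run = 0
    for d, s in zip(detector, sample):
        if d == s:
            run += 1
            if run >= r:
                return True
        else:
            run = 0
    return False


class SelfNotSelfFilter:
    """Keeps the "self" detectors (attacking addresses) and the log of
    packets that were ignored because they matched one."""

    def __init__(self, self_addrs: Iterable[str], r: int = 32) -> None:
        self.detectors = [to_bits(a) for a in self_addrs]
        self.r = r
        self.dropped: List[Packet] = []   # the log the post calls for

    def is_self(self, addr: str) -> bool:
        bits = to_bits(addr)
        return any(r_contiguous_match(d, bits, self.r) for d in self.detectors)

    def process(self, packets: Iterable[Packet]) -> List[Packet]:
        """Return the packets to service; "self" packets go to the log instead."""
        allowed: List[Packet] = []
        for pkt in packets:
            if self.is_self(pkt.src):
                self.dropped.append(pkt)   # logged and ignored
            else:
                allowed.append(pkt)        # not-self: allowed in as normal
        return allowed


# Constructed sample data (documentation address ranges, not real hosts).
KNOWN_ATTACKERS = ["192.0.2.10", "192.0.2.11"]
SAMPLE_TRAFFIC = [
    Packet("192.0.2.10", 6346, "GET /get/17/song.mp3"),
    Packet("198.51.100.7", 6346, "GET /get/3/track.ogg"),
    Packet("192.0.2.11", 6346, "GET /get/17/song.mp3"),
    Packet("203.0.113.9", 6346, "GET /get/8/clip.avi"),
    Packet("192.0.2.12", 6346, "GET /get/17/song.mp3"),  # bit-neighbour of the attackers
]


def demo(r: int = 32) -> Tuple[int, int]:
    """Run the filter over the sample traffic; return (allowed, logged) counts."""
    filt = SelfNotSelfFilter(KNOWN_ATTACKERS, r=r)
    allowed = filt.process(SAMPLE_TRAFFIC)
    return len(allowed), len(filt.dropped)


if __name__ == "__main__":
    for r in (32, 28):
        print(f"r={r}: allowed/logged = {demo(r)}")
```

With r = 32 the filter is an exact lookup of the two attacking addresses and 192.0.2.12 is served; at r = 28 that neighbour shares enough contiguous bits with a detector to be treated as "self" too. That widening is the operational trade-off behind the thread's worry about attackers feeding biased data into a shared IP pool: every detector accepted from an untrusted report, and every bit of slack in r, enlarges the set of legitimate peers that can be silenced, so the dropped-packet log, not just the allow decision, is what a node operator should be reviewing.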