draft DDoS sidebar

Author: llpeterson

infra.rst

@@ -7,3 +7,49 @@ Chapter 8. Securing Network Infrastructure
 8.2 DNS
 ----------
 
+.. admonition:: DDoS Defense
+
+   Capacity is another aspect of network infrastructure that is
+   vulnerable to malicious attack.  Such attacks—or as they are
+   commonly known, *Denial of Service (DoS)* attacks—threaten
+   availability (as opposed to confidentiality or integrity). They
+   typically involve an adversary trying to overwhelm "good" resources
+   (link bandwidth, packet forwarding rates, server response
+   throughput) with traffic generated by "bad" resources (botnets
+   constructed from a distributed collection of compromised
+   devices). Many of the defenses described in this book help protect
+   devices from being compromised in the first place, but because they
+   are not perfect (a human is usually the weakest link), we also need
+   ways to mitigate the impact of a *Distributed DoS (DDoS)* attacks.
+
+   The DDoS challenge is addressed by two general countermeasures;
+   there is no silver bullet. The first is to absorb potential attacks
+   with even greater resources than the adversary is able to
+   muster. For content, this is done using the same mechanism as is
+   used to absorb flash crowds of legitimate traffic: a *Content
+   Distribution Network (CDN)*. The idea is to replicate content
+   (whether it's a movie or a critical piece of infrastructure
+   metadata) across many, widely-distributed servers. As long as the
+   aggregate capacity of these servers is greater than the aggregate
+   capacity of the botnet, content remains available. This notion of
+   *aggregate* capacity generalizes beyond servers responding to GET
+   requests. A network is itself a distributed collection of
+   forwarding and transmission resources, engineered to distribute
+   those resources in a way that avoids vulnerable bottlenecks.
+
+   The second countermeasure is to filter malicious traffic as early
+   (close to the source) as possible.  If a DoS attack comes from a
+   single source, then it is easy to "block" traffic from from that
+   source at an ingress to a network you control. This is why DoS
+   attacks are typically distributed.  Dropping (or rate limiting)
+   attack packets at the boundary router (or firewall) for an
+   enterprise is better than allowing those packets to flood the local
+   network and reach a victim server, but the more widely distributed
+   the periphery of your network, the earlier you can filter malicious
+   packets. And drawing on the first countermeasure, the more widely
+   distributed your network resources are, the greater your aggregate
+   filtering capacity. Global overlay networks, as provided by
+   companies like Cloudflare and Fastly, offer a combination of
+   content distribution and distributed packet filtering.  These are
+   commercial products, with many proprietary details, but the general
+   principles outlined here explains the underlying strategy.