by wangg 4805 days ago
Can someone explain the impact of widely-distributed fiber on DDoS attacks? As I understand it, if 1-2 of these nodes get compromised, then add in the 10-100x magnification via DNS, you're looking at 10-100 gigabits of bandwidth off only two nodes? Compared to the recently published high of 300, this seems disproportionately high.
6 comments

Let's get providers to stop packets from leaving their network when the IP source doesn't match any on their network.

Bye bye DNS amplification.

Those attacks only work from networks that don't impose egress filtering.
DNS amplification as a strategy is a symptom of shitty network management on the part of incumbent ISPs.
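The egress-filtering idea from the two comments above, as an added example that is not part of the thread: a small model of a provider-side source-address check (BCP38-style) that forwards a packet only if its source IP falls inside the provider's own customer prefixes, and tallies how much reflected traffic the dropped spoofed queries would otherwise have caused. The prefixes, packets and the 50x amplification factor are constructed assumptions for illustration.

```python
import ipaddress
from dataclasses import dataclass

# Constructed: the address space this provider hands out to customers.
CUSTOMER_PREFIXES = [
    ipaddress.ip_network("198.51.100.0/24"),
    ipaddress.ip_network("2001:db8:1::/48"),
]

# Assumed amplification factor for a reflected DNS response (thread says 10-100x).
ASSUMED_DNS_AMPLIFICATION = 50


@dataclass(frozen=True)
class Packet:
    src: str          # source IP as written in the packet header
    dst: str          # destination IP
    dport: int        # destination port (53 = DNS)
    payload_len: int  # bytes of payload


def egress_allowed(packet, prefixes=CUSTOMER_PREFIXES):
    """True if the claimed source address belongs to one of our own prefixes."""
    src = ipaddress.ip_address(packet.src)
    # `in` is version-aware: an IPv6 address is never inside an IPv4 network.
    return any(src in net for net in prefixes)


def filter_egress(packets, prefixes=CUSTOMER_PREFIXES):
    """Split outbound packets into those forwarded and those dropped as spoofed."""
    forwarded = [p for p in packets if egress_allowed(p, prefixes)]
    dropped = [p for p in packets if not egress_allowed(p, prefixes)]
    return forwarded, dropped


def reflected_bytes_prevented(dropped, factor=ASSUMED_DNS_AMPLIFICATION):
    """Estimate the response bytes a third party is spared because spoofed
    DNS queries never left this network."""
    return sum(p.payload_len * factor for p in dropped if p.dport == 53)


# Constructed sample of outbound traffic seen at the provider edge.
SAMPLE_PACKETS = [
    Packet("198.51.100.10", "198.51.100.53", 53, 60),    # customer -> local resolver
    Packet("198.51.100.77", "203.0.113.9", 443, 1200),   # customer -> web site
    Packet("2001:db8:1::10", "2001:db8:2::53", 53, 70),  # IPv6 customer -> resolver
    Packet("192.0.2.5", "203.0.113.53", 53, 64),         # spoofed src, not our space
    Packet("192.0.2.5", "203.0.113.54", 53, 64),         # spoofed src, not our space
    Packet("2001:db8:ffff::1", "203.0.113.53", 53, 64),  # spoofed IPv6 src
]

if __name__ == "__main__":
    ok, bad = filter_egress(SAMPLE_PACKETS)
    print(f"forwarded={len(ok)} dropped={len(bad)} "
          f"reflected_bytes_prevented={reflected_bytes_prevented(bad)}")
```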

I'm pretty sure Google will be more responsive in addressing these kinds of outbreaks.

Pedantically speaking, it's difficult - in fact darned near impossible - for a single residential-type host (i.e., likely a laptop running Windows) to utilize anywhere near the full 1Gb capacity offered.

That said, a botnet host running on this network would be substantially more capable of causing damage than a host on an 8Mbps upstream.

Hopefully Google has plans for, or has already implemented, some ability to mitigate that type of problem...

I'm curious what the size of the upstream pipe is. Is it 1G up/down? Even without DNS amplification, it only takes infecting a couple hundred machines on fiber to have a massive botnet. Hopefully ISPs will better handle DDoS attacks, because a few host machines could likely take down many sites.
Luckily, if a node becomes compromised, it can be disconnected under the "you can't run servers" provision of the ToS. :)