Recently I attended a talk on Speak-up, a system that aims to prevent application-level DDoS by forcing clients to expend extra bandwidth via a special request that is uniform in size, in this case an HTTP POST. This extra request is processed by what they call a thinner, which tallies the number of bytes each host has sent so far and keeps the hosts in a queue sorted largest to smallest. A request is passed on to the server(s) if it originates from the host at the front of the queue. Thus the server handles requests in order of the amount of bandwidth expended by each host.
My major criticisms of the system are:
- Adding latency hurts the user experience
- You can't assume that the attacking machines will all be using all of their bandwidth, as this is under the attacker's control. Instead they could simply try to get more machines in their botnet.
- The increase in bandwidth could have repercussions for large sites.
In order to make it to the top of the queue you have to transmit n units of bandwidth before being served.
As the paper states, by deploying this system you're encouraging the exhaustion of bandwidth, much like a network-based DDoS attack. One side effect of most DDoS attacks is that various points and other networks along the path are affected by the increase in traffic, not just the endpoint, meaning that there could be unintended victims.
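To make the thinner's queue concrete, here is a toy simulation I wrote for this post (not code from the Speak-up paper): clients pad each request with filler bytes, the thinner admits whoever has paid the most and resets their counter, and the run shows how a legitimate client's share of service tracks its share of bandwidth against a fixed set of bots. Client names and per-round byte counts are constructed sample values.

```python
"""Toy model of Speak-up's thinner: a virtual auction on bytes uploaded.

Added example, not code from the Speak-up paper. Each client pads its
request with nbytes of filler per round; the thinner keeps one counter per
client and, each time the server frees a slot, admits the client with the
largest counter (front of the largest-to-smallest queue) and resets that
counter, so the client must "pay" again for its next request. Client names
and bandwidths are constructed sample values.
"""
from collections import Counter


class Thinner:
    def __init__(self):
        self.paid = Counter()  # bytes of padding received per client so far

    def receive_padding(self, client, nbytes):
        self.paid[client] += nbytes

    def admit_next(self):
        """Return the client to forward to the server, or None if idle."""
        if not self.paid:
            return None
        # Largest payment wins; the name only breaks ties deterministically.
        winner = max(self.paid, key=lambda c: (self.paid[c], c))
        del self.paid[winner]  # a served client starts paying from zero again
        return winner


def simulate(bandwidth, rounds):
    """Run `rounds` server slots with each client uploading bandwidth[client]
    bytes per round; return how many slots each client won."""
    thinner = Thinner()
    served = Counter()
    for _ in range(rounds):
        for client, nbytes in bandwidth.items():
            thinner.receive_padding(client, nbytes)
        served[thinner.admit_next()] += 1
    return served


if __name__ == "__main__":
    # One legitimate client against five bots with the same uplink:
    # slots are split by bandwidth, so the good client gets 1/6 of them.
    same = {"good": 10, **{f"bot{i}": 10 for i in range(1, 6)}}
    print(simulate(same, 600))
    # Tripling the good client's uplink lifts its share to roughly a third;
    # an attacker who adds more bots pushes it straight back down.
    faster = {"good": 30, **{f"bot{i}": 10 for i in range(1, 6)}}
    print(simulate(faster, 600))
```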