Is the idea of IPFS rendering DDoS attacks impossible hyperbole?

From @aronayne on Wed Aug 31 2016 15:55:39 GMT+0000 (UTC)

Reading this techcrunch article : https://techcrunch.com/2015/10/04/why-the-internet-needs-ipfs-before-its-too-late/ it states

IPFS also addresses security problems that plague our HTTP-based Internet: Content-addressing and content-signing protect IPFS-based sites, making DDoS attacks impossible.

The statement "making DDoS attacks impossible seems implausible ? Every site is fundamentally vulnerable to a DDoS attack as it exposes it’s domain name. How does IPFS fix this ? Is it somehow related to if a node becomes offline due to DDoS an alternative node replaces the offline node to serve content, but in this scenario the domain name of the node is changed ?


Copied from original issue: https://github.com/ipfs/faq/issues/171

From @jbenet on Wed Aug 31 2016 20:04:36 GMT+0000 (UTC)

You can reference content without domain names. And you can use ipns names
which can be distributed too.
On Wed, Aug 31, 2016 at 11:55 AM adrian-git-hub-user <
notifications@github.com> wrote:

Reading this techcrunch article :
https://techcrunch.com/2015/10/04/why-the-internet-needs-ipfs-before-its-too-late/
it states

IPFS also addresses security problems that plague our HTTP-based Internet:
Content-addressing and content-signing protect IPFS-based sites, making
DDoS attacks impossible.

The statement "making DDoS attacks impossible seems implausible ? Every
site is fundamentally vulnerable to a DDoS attack as it exposes it’s domain
name. How does IPFS fix this ? Is it somehow related to if a node becomes
offline due to DDoS an alternative node replaces the offline node to serve
content, but in this scenario I the domain name of the node is changed ?


You are receiving this because you are subscribed to this thread.
Reply to this email directly, view it on GitHub
https://github.com/ipfs/faq/issues/171, or mute the thread
https://github.com/notifications/unsubscribe-auth/AAIcoXYmx-sIy8YHbgi_ylDGS-bs8UG4ks5qlaP8gaJpZM4JxxiN
.

From @aronayne on Wed Aug 31 2016 21:06:20 GMT+0000 (UTC)

thanks @jbenet , can you point me to a document describing mechanics of referencing content without domain name ?

From @Ghoughpteighbteau on Wed Aug 31 2016 21:35:12 GMT+0000 (UTC)

OK so I have a pretty weak understanding in this area. As in, I’m not sure why a site is fundamentally vulnerable to a DDoS attack because it exposes its name.

but here’s an example doc on how to use IPFS’s naming system: https://ipfs.io/ipfs/QmTkzDwWqPbnAh5YiV5VwcTLnGdwSNsNTn2aDxdXBFca7D/example#/ipfs/QmQwAP9vFjbCtKvD8RkJdCvPHqLQjZfW7Mqbbqx18zd8j7/ipns/readme.md

you can find examples like this indexed here: https://ipfs.io/docs/examples/

From @theobat on Tue Sep 27 2016 15:41:36 GMT+0000 (UTC)

Not sure I understand why it’s theoretically impossible here @jbenet and I find the mind experiment interesting. Let’s say Alice is in the same LAN as Bob and Alice tries to access some files over ipfs, if Bob actually floods the bandwidth with requests to the same content it should make Alice calls fail no ? (Assuming no one in this LAN ever accessed this content before… meaning you have to reach other nodes to get it, that makes a significant difference from the current Dos attacks).
You could implement that by forcing gc as soon as the content has been acquired right (or perhaps simply by refusing to make it public)?

I mean I don’t see why you can’t deny the actual content access based on IO saturation… Even if the content blocks are spread across multiple nodes, as long as you can flood all the paths to all the blocks…
I guess the feasibility of this idea highly depends on the number of nodes sharing the specific content… But even with a high redundancy at a given time, why couldn’t you have multiple persons from multiple LANs querying simultaneously this specific content in an obfuscating way ?

I only have a limited understanding of ipfs which I am currently trying to improve (by reading stuff), so please tell me any (obvious or complex) flaw I didn’t catch in my thought process.
sources :

  • How does Resolution and Routing work with IPFS? #48
  • High Availability #121
  • IPFS replication factor #89

From @raptortech-js on Tue Dec 06 2016 22:25:57 GMT+0000 (UTC)

@theobat generally, local attacks on specific clients are not considered in the DDoS threat model. Traditional DDoS attacks focus on one or a few data centers hosting a web service. One of the obvious differences with IPFS is that there may be many nodes hosting a piece of content distributed over a large area, so flooding all of them is more difficult. Also, by default many web servers will do a lot of work for each HTTP request that reaches them, so you don’t have to send too many to pin a server’s CPU or disk or outgoing bandwidth. By contrast, IPFS protects against these high-level attacks the same way it protects against leechers; by refusing to share blocks with nodes that aren’t being helpful. Attackers can still conduct lower-level attacks, which are generally focused on saturating a node’s inbound network connection. There are only a few ways to protect against this: (1) ask your upstream provider (ISP) to pretty please block the offending IP addresses, so they can’t fill up your network connection, and two (2) get a bigger pipe. It is typically very hard to convince an ISP to go with 1. In the standard web ecosystem, you can simulate (2) by using a CDN service like CloudFlare which has some very large pipes and can effectively block even an extremely large attack. In IPFS, all you can really do is try to convince other nodes to pin your files. If there are enough nodes, you can collectively have a higher bandwidth than the attacker.
(Note: I made quite a few simplifications and assumptions here.)

From @theobat on Wed Dec 07 2016 00:00:06 GMT+0000 (UTC)

thanks for the thorough explanation @raptortech-js, still many things to learn

From @xloem on Sun Jan 08 2017 21:42:50 GMT+0000 (UTC)

IPFS is vulnerable to content attacks because it uses protocols that are. It uses s/kademlia which associates ip addresses with hashes in order to make attacks on the network difficult, but an adversary which can perform DDOS has access to many ip addresses, so can still freely attack the DHT and remove content. It uses bittorrent which publicizes all peers holding the content, so they can be attacked individually to make the content inaccessible. The attack model is different, but the issue is still there.