[103265] in North American Network Operators' Group


Re: Mitigating HTTP DDoS attacks?

daemon@ATHENA.MIT.EDU (Tim Yocum)
Mon Mar 24 19:25:05 2008

Date: Mon, 24 Mar 2008 18:18:20 -0500
From: "Tim Yocum" <tim@yocum.org>
To: "Roland Dobbins" <rdobbins@cisco.com>
Cc: NANOG <nanog@merit.edu>
In-Reply-To: <52BC3371-8B37-4832-A860-553571FB0181@cisco.com>
Errors-To: owner-nanog@merit.edu


On Mon, Mar 24, 2008 at 5:18 PM, Roland Dobbins <rdobbins@cisco.com> wrote:
>  There are devices available today from different vendors (including
>  Cisco, full disclosure) which are intelligent DDoS-'scrubbers' and
>  which can deal with more sophisticated types of attacks at layer-7,
>  including HTTP and DNS.  S/RTBH is also an option, keeping in mind
>  some of the caveats you mentioned (staying mindful of attacking hosts
>  behind proxies, botted hosts of legit customers, et al.).

Citrix (Netscaler), F5 (BIG-IP), and as Roland mentioned, Cisco, all
offer varying levels of security for the content layer.

If you're running Apache, you may also investigate mod_evasive, and in
the case of exploits, mod_security.

Naturally, your ability to filter and contain the attack with software
is going to be limited by the host hardware, so it's best to take a
layered approach to mitigating the various attacks you face. It's also
important to be aware of your network architecture, lest you find
yourself with DDoS bits clogging the pipes just before your
(expensive) defenses. :-)

- Tim
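As an added example (not part of Tim's message or of the mod_evasive project), here is a small Python script that applies mod_evasive-style per-client thresholds (a sliding-window version of DOSPageCount/DOSSiteCount over one-second intervals) to Apache access-log lines, with a whitelist for shared proxies so that many legitimate users behind one address are not flagged, the caveat raised in the quoted reply. The thresholds, addresses and log lines are all constructed for this example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Apache Combined Log Format; referer and user-agent are ignored here.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "\S+ (\S+) [^"]*" \d{3}')
# Thresholds modelled on mod_evasive's DOSPageCount/Interval and DOSSiteCount/Interval (values assumed).
PAGE_COUNT, PAGE_INTERVAL = 5, 1.0   # >5 hits on one URI within 1 s
SITE_COUNT, SITE_INTERVAL = 20, 1.0  # >20 hits on any URI within 1 s
# Assumed shared proxy/NAT address, exempted so legitimate users behind it do not trip the counters.
WHITELIST = {"198.51.100.5"}

def parse(line):
    """Return (client_ip, unix_ts, uri) or None for an unparseable line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z").timestamp()
    return m.group(1), ts, m.group(3)

def detect_floods(lines):
    """Sliding-window counters per client; returns {ip: reason} for offenders."""
    recent = defaultdict(deque)      # key -> timestamps inside the window
    flagged = {}
    for line in lines:               # log lines are assumed to be in time order
        parsed = parse(line)
        if parsed is None:
            continue
        ip, ts, uri = parsed
        if ip in WHITELIST or ip in flagged:
            continue
        for key, limit, span, reason in (((ip, uri), PAGE_COUNT, PAGE_INTERVAL, "page flood"),
                                         ((ip,), SITE_COUNT, SITE_INTERVAL, "site flood")):
            q = recent[key]
            q.append(ts)
            while ts - q[0] > span:  # expire hits older than the interval
                q.popleft()
            if len(q) > limit:
                flagged[ip] = reason
                break
    return flagged

def make_line(ip, uri, sec):
    return f'{ip} - - [24/Mar/2008:18:18:{sec:02d} -0500] "GET {uri} HTTP/1.1" 200 512 "-" "curl"'

# Constructed sample: a client hammering one page, one spraying many pages, a normal client, and the proxy.
SAMPLE_LOG = ([make_line("192.0.2.10", "/index.html", 20) for _ in range(7)]
              + [make_line("192.0.2.20", f"/p{i}", 21) for i in range(21)]
              + [make_line("192.0.2.30", "/index.html", 22) for _ in range(3)]
              + [make_line("198.51.100.5", "/index.html", 23) for _ in range(30)])
```

Running `detect_floods(SAMPLE_LOG)` flags only the two flooding clients; the whitelisted proxy's 30 hits and the ordinary client's 3 hits pass. A real deployment would feed the flagged addresses to a firewall or to mod_evasive's blocking period rather than just report them.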
