[103285] in North American Network Operators' Group
RE: Mitigating HTTP DDoS attacks?
daemon@ATHENA.MIT.EDU (Darden, Patrick S.)
Tue Mar 25 09:05:07 2008
Date: Tue, 25 Mar 2008 08:33:12 -0400
In-Reply-To: <1b5c1c150803241502g647465b4n549ba5149118bffc@mail.gmail.com>
From: "Darden, Patrick S." <darden@armc.org>
To: "Mike Lyon" <mike.lyon@gmail.com>, "NANOG" <nanog@merit.edu>
Errors-To: owner-nanog@merit.edu
Hi Mike,
Depending upon the type of DDOS, there are five things you should do in order:
1. immediate response: set your host based security to mitigate the attack. E.g. mod_security for Apache web server, IPTables for host firewall. This will keep the hard drives from filling up, the cpu from smoking, etc.
2. second response: gateway router or border firewall. Filter that stuff out if you can. This will keep your internal network clean so it won't affect your other systems. One quickie *temporary* fix would be to block whole networks of DSL/Cable modems. There are lists out there specifically for this--always-on broadband home PCs are often the compromised sources of attacks.
3. third response: contact your upstream providers and ask them to take action. They can apply filters, and apply pressure to their colos.
4. make sure you have done your part: secure your network so it cannot be used for DOS attacks by applying egress filtration etc. ( http://www.sans.org/dosstep/ ); secure your hosts against future DOS attacks using things like mod_security and mod_evasive for Apache, tcplimit for IPTables, etc.
One caveat: bandwidth flooding effects can be mitigated, but you can't really do anything about it other than contacting your upstream provider. Until your provider does something, the bottleneck here is your uplink.
--Patrick Darden
-----Original Message-----
From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu]On Behalf Of
Mike Lyon
Sent: Monday, March 24, 2008 6:02 PM
To: NANOG
Subject: Mitigating HTTP DDoS attacks?
Howdy all,
So, I'm kind of new to this so please deal with my ignorance. But, what is common practice these days for HTTP DDoS mitigation during an attack? You can of course route every offending ip address to null0 at your border. But, if it's a botnet or trojan or something, it's coming from numerous different source IPs and Null0 routes can get very cumbersome, obviously. How do you folks usually deal with this?
Any input would be greatly appreciated.
Cheers,
Mike
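The first two steps in Patrick's reply (host firewall, then border null routes) and Mike's complaint that per-IP Null0 routes get cumbersome both come down to the same chore: pulling the noisy sources out of the web server log and turning them into rules. The script below is an added example, not code from either poster or from NANOG. It works on constructed Apache combined-format log lines embedded in the script, uses only generic iptables, iproute2 and awk syntax, and prints the blocking commands rather than running them; the 30/sec hashlimit threshold, the request threshold of 3, and the sample addresses are all assumptions chosen for the demonstration.

```shell
#!/bin/sh
# Added example for this thread (not Patrick's or Mike's code): find the
# sources hammering an Apache server and print the host-firewall and
# border null-route commands for them. The log lines are constructed
# samples; the thresholds are assumptions for the demo.

LOG="${TMPDIR:-/tmp}/http_ddos_sample.$$"
trap 'rm -f "$LOG"' EXIT

# Constructed Apache combined-format lines: 203.0.113.7 and 198.51.100.23
# are the noisy sources, the other two are ordinary visitors.
cat > "$LOG" <<'EOF'
203.0.113.7 - - [24/Mar/2008:18:02:01 -0400] "GET / HTTP/1.1" 200 512 "-" "Mozilla/4.0"
203.0.113.7 - - [24/Mar/2008:18:02:01 -0400] "GET / HTTP/1.1" 200 512 "-" "Mozilla/4.0"
198.51.100.23 - - [24/Mar/2008:18:02:01 -0400] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/4.0"
192.0.2.1 - - [24/Mar/2008:18:02:02 -0400] "GET /about.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.7 - - [24/Mar/2008:18:02:02 -0400] "GET / HTTP/1.1" 200 512 "-" "Mozilla/4.0"
203.0.113.8 - - [24/Mar/2008:18:02:02 -0400] "GET /news HTTP/1.1" 200 900 "-" "Mozilla/5.0"
198.51.100.23 - - [24/Mar/2008:18:02:02 -0400] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/4.0"
203.0.113.7 - - [24/Mar/2008:18:02:03 -0400] "GET / HTTP/1.1" 200 512 "-" "Mozilla/4.0"
198.51.100.23 - - [24/Mar/2008:18:02:03 -0400] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/4.0"
203.0.113.8 - - [24/Mar/2008:18:02:03 -0400] "GET /news HTTP/1.1" 200 900 "-" "Mozilla/5.0"
203.0.113.7 - - [24/Mar/2008:18:02:03 -0400] "GET / HTTP/1.1" 200 512 "-" "Mozilla/4.0"
EOF

# top_sources LOGFILE THRESHOLD
# Prints "count ip" for every client IP (field 1 of the combined format)
# with at least THRESHOLD requests, busiest first. On a live box run it
# over a recent window, e.g. tail -n 20000 access_log > window.log.
top_sources() {
    awk -v thr="$2" '
        { hits[$1]++ }
        END { for (ip in hits) if (hits[ip] >= thr) printf "%d %s\n", hits[ip], ip }
    ' "$1" | sort -rn
}

# Step 1, host firewall: a generic per-source cap on new HTTP connections
# that needs no offender list at all (hashlimit keyed on source IP) ...
host_rate_limit_rule() {
    echo "iptables -I INPUT -p tcp --dport 80 -m conntrack --ctstate NEW" \
         "-m hashlimit --hashlimit-name http --hashlimit-mode srcip" \
         "--hashlimit-above 30/sec --hashlimit-burst 60 -j DROP"
}
# ... plus explicit drops for the sources top_sources found (read from
# stdin). Commands are printed, not executed; pipe to sh on the web host.
emit_host_rules() {
    while read -r count ip; do
        echo "iptables -I INPUT -s $ip -p tcp --dport 80 -j DROP  # $count requests"
    done
}

# Step 2, border: null-route the same sources so the traffic never reaches
# the internal network. Linux form shown; the IOS equivalent of each line
# is "ip route <ip> 255.255.255.255 Null0".
emit_nullroutes() {
    while read -r count ip; do
        echo "ip route add blackhole $ip/32"
    done
}

# Usage: list the offenders with 3+ requests, then the rules for them.
top_sources "$LOG" 3
host_rate_limit_rule
top_sources "$LOG" 3 | emit_host_rules
top_sources "$LOG" 3 | emit_nullroutes
```

Generating the rule list from the log rather than typing routes by hand is what keeps the per-source approach manageable at botnet scale; feeding the same list into an ipset or a prefix-list is the next step once it grows past a few hundred entries. Note that none of this helps with the caveat Patrick raises: a dropped packet has already crossed your uplink, so once the attack is a bandwidth flood the only fix is upstream.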