[34017] in North American Network Operators' Group
Re: Proactive steps to prevent DDOS?
daemon@ATHENA.MIT.EDU (Adam Rothschild)
Fri Jan 26 23:07:18 2001
Date: Fri, 26 Jan 2001 23:06:06 -0500
From: Adam Rothschild <asr@latency.net>
To: Sean Donelan <sean@donelan.com>
Cc: nanog@merit.edu
Message-ID: <20010126230606.A68185@og.latency.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20010126233550.2559.cpmta@c004.sfo.cp.net>; from sean@donelan.com on Fri, Jan 26, 2001 at 03:35:50PM -0800
Errors-To: owner-nanog-outgoing@merit.edu
On Fri, Jan 26, 2001 at 03:35:50PM -0800, Sean Donelan wrote:
> Is there some magic command I can put into my router to help protect
> my network from a DDOS [...]

Closest command I've found is "no ip routing" in IOS, or "delete
family inet [...]" in JunOS.

That aside, there's something very basic that few people seem to
realize -- if you have no route to a destination, you can't initiate a
DDoS attack against it.

What's to prevent high-visibility shell/IRC/web/etc servers (read:
DDoS targets) from announcing their netblocks to their upstreams, and
then withdrawing these announcements -- either manually, or
automagically, using scripts monitoring rate limiting and pkt/sec
thresholds, amongst other things -- when under attack? Sure, that
would result in temporary loss of connectivity to said host, but
sometimes, that's the quickest way to stop a large attack.

This doesn't need to be a costly endeavor. Zebra is perfectly stable
when receiving no routes, and announcing a couple of networks at the
most. You'll find that lots of folks who have legacy class C (or B
even!) and AS number assignments they're not currently using, dating
back to before ARIN charged for such things, are more than willing
to transfer/lend them to you when you ask politely. Don't believe me?
Try it sometime.

-adam
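The "withdraw your own announcement when the pkt/sec threshold trips" idea from the post above, written out as an added example (this is not code from the post or from the Zebra project). It assumes a Zebra/FRR-style bgpd driven through `vtysh -c ...` (the exact `network` / `no network` statements and the multiple `-c` form are assumptions), a placeholder private AS 65001 and the documentation prefix 192.0.2.0/24, and a caller that feeds it one packets-per-second sample per polling interval. The part the post leaves to the reader is the hysteresis: withdraw only after several consecutive hot samples, and re-announce only after a longer run of quiet ones, so one burst does not flap the prefix.

```python
"""Self-withdraw a BGP prefix when a sustained packet-rate threshold is exceeded.

Added example, not from the original post. Assumptions: a vtysh-driven bgpd,
AS 65001 and 192.0.2.0/24 as placeholders, and pps samples supplied by the caller.
"""
import subprocess
from dataclasses import dataclass, field


@dataclass
class WithdrawPolicy:
    prefix: str = "192.0.2.0/24"   # placeholder: the netblock you announce upstream
    local_as: int = 65001          # placeholder private ASN
    high_pps: int = 50_000         # withdraw when sustained at or above this rate
    low_pps: int = 5_000           # re-announce only once back at or below this rate
    trip_samples: int = 3          # consecutive hot samples required before withdrawing
    clear_samples: int = 6         # consecutive quiet samples required before re-announcing
    dry_run: bool = True           # True: return the vtysh argv instead of executing it
    announced: bool = True         # current state: prefix is currently in BGP
    _hot: int = field(default=0, repr=False)
    _quiet: int = field(default=0, repr=False)

    def _vtysh(self, *stmts):
        # Compose one vtysh invocation; each -c is a config-mode statement (assumed syntax).
        cmd = ["vtysh"]
        for s in ("configure terminal", f"router bgp {self.local_as}", *stmts):
            cmd += ["-c", s]
        if not self.dry_run:
            subprocess.run(cmd, check=True)
        return cmd

    def withdraw(self):
        # Pull the prefix: with no route to us, attack traffic has nowhere to go.
        self.announced = False
        return self._vtysh(f"no network {self.prefix}")

    def announce(self):
        self.announced = True
        return self._vtysh(f"network {self.prefix}")

    def observe(self, pps):
        """Feed one pps sample; return the vtysh argv if state changed, else None."""
        if self.announced:
            self._hot = self._hot + 1 if pps >= self.high_pps else 0
            if self._hot >= self.trip_samples:
                self._hot = 0
                return self.withdraw()
        else:
            self._quiet = self._quiet + 1 if pps <= self.low_pps else 0
            if self._quiet >= self.clear_samples:
                self._quiet = 0
                return self.announce()
        return None


def run_trace(samples, policy=None):
    """Replay a list of pps samples; return (sample_index, action) for each state change."""
    policy = policy or WithdrawPolicy()
    events = []
    for i, pps in enumerate(samples):
        if policy.observe(pps) is not None:
            events.append((i, "announce" if policy.announced else "withdraw"))
    return events


# Constructed sample trace: normal load, an attack burst, a short lull, a blip, then calm.
SAMPLE_PPS = [1_000, 2_000, 80_000, 90_000, 120_000, 110_000,
              3_000, 3_000, 20_000, 2_000, 2_000, 2_000, 2_000, 2_000, 2_000]

if __name__ == "__main__":
    for idx, action in run_trace(SAMPLE_PPS):
        print(f"sample {idx}: {action} {WithdrawPolicy().prefix}")
```

Two design points worth noting. Once the prefix is withdrawn you stop seeing the attack traffic, so the quiet counter is really measuring how long you are willing to wait before probing by re-announcing, not whether the attack has ended; a long `clear_samples` is the conservative choice. And each withdraw/announce cycle is a route flap as seen by your upstreams, so repeated cycling can trip route-flap damping on their side and keep the prefix suppressed longer than you intended.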