[34018] in North American Network Operators' Group
Re: Proactive steps to prevent DDOS?
daemon@ATHENA.MIT.EDU (Valdis.Kletnieks@vt.edu)
Fri Jan 26 23:56:54 2001
Message-Id: <200101270454.f0R4sCiI062372@black-ice.cc.vt.edu>
To: Sean Donelan <sean@donelan.com>
Cc: rja@inet.org, nanog@merit.edu
In-reply-to: Your message of "Fri, 26 Jan 2001 16:40:04 PST."
<20010127004004.20249.cpmta@c004.sfo.cp.net>
From: Valdis.Kletnieks@vt.edu
Date: Fri, 26 Jan 2001 23:54:11 -0500
Errors-To: owner-nanog-outgoing@merit.edu

On Fri, 26 Jan 2001 16:40:04 PST, Sean Donelan said:
> Most are suggestions for what other networks can do to prevent them from
> being a source of a DDOS attack. There is less help for what the target
> of a DDOS can do.

Unfortunately, the current draft document for the Center for Internet Security
(www.cisecurity.org) Solaris security checklist suffers from the same problem.
It mandates RFC2644 broadcasts, RFC1918 martian and RFC2827 egress filtering,
but I couldn't find any stuff on the victim end of it.

If anybody can provide me with a good reference, I'll be happy to add it and
give credit. http://www.sans.org/dosstep/index.htm is what I have currently
on filtering. If you have a *partial* reference (something that will work
for *many* or *most* sites, for example), I am able to phrase it as
"Evaluate the techniques listed at <URL> for appropriateness".

Anybody got input to add?

Valdis Kletnieks
Operating Systems Analyst
Virginia Tech