[34124] in North American Network Operators' Group
Re: Proactive steps to prevent DDOS?
daemon@ATHENA.MIT.EDU (Hank Nussbacher)
Mon Jan 29 02:30:31 2001
Message-Id: <4.3.2.7.2.20010129091925.00ab5b80@max.ibm.net.il>
Date: Mon, 29 Jan 2001 09:27:26 +0200
To: Jeff Ogden <jogden@merit.edu>, nanog@merit.edu
From: Hank Nussbacher <hank@att.net.il>
In-Reply-To: <v04210102b698b7316f67@[198.108.90.150]>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed
Errors-To: owner-nanog-outgoing@merit.edu

At 12:52 27/01/01 -0500, Jeff Ogden wrote:
>>At 4:15 PM -0800 1/26/01, Sean Donelan wrote:
>>Fine, does this work better for you?
>>
>>Help me, what proactive steps can I take to protect my network from a DDOS?
>
>There isn't a lot that can be done, but there are a few steps you can take
>to "get ready" for a DDOS attack.
>
> --Make sure you have monitoring of your routers or firewalls in place
> so you'll get an early alert of a possible DOS attack. This will at
> least allow you to start working on the problem (and drafting
> press releases :-).
> --Talk to all of your upstream providers so you know how to contact and
> work with them if they are a source of a DOS attack against you. If your
> upstream provider isn't willing to work with you on this, start the
> process of getting a new upstream provider.
>
> --Look into the systems that are being developed and starting to become
> available that help automate the work to diagnose DDOS attacks.
> Encourage your upstreams to do the same.

I know of just Asta Networks:
Asta Networks claims cure for denial-of-service attacks, Jan 17, 2001
http://www.nwfusion.com/news/2001/0117ddos.html
Firm eyes DOS attacks, Jan 22, 2001
http://www.nwfusion.com/archive/2001/115979_01-22-2001.html
Can you elaborate on others you may know?
-Hank

> --Make sure you have in place the filtering on your own networks that you
> wish everyone else had in place on their networks. This won't protect
> you from being attacked, but it will prevent you and your users from
> attacking others (or at least using spoofed IP addresses to do so), and
> that in turn may prevent you from being the target of a retaliatory DOS
> attack. It can also prevent or limit the spread of a DOS attack that
> originates within your network or from someone downstream. From your
> customer's point of view there may not be much difference between
> you being the source of or the target of a DOS attack--either way
> performance is likely to be poor and customers are likely to be unhappy.
>
> -Jeff Ogden
> Merit
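
The source-address filtering described in the last item above, as an added example that is not part of the original thread: it audits flow records against the prefixes assigned to each customer-facing interface and reports the packets a strict filter would drop. The interface names, prefixes (documentation ranges) and flow records are constructed for illustration.

```python
import ipaddress
from collections import Counter

# Constructed data: prefixes assigned to each customer-facing interface
# (documentation ranges; interface names are hypothetical).
ALLOWED = {
    "cust-a": ["192.0.2.0/25"],
    "cust-b": ["192.0.2.128/25", "2001:db8:b::/48"],
}

# Constructed flow records: (ingress interface, source address, destination).
FLOWS = [
    ("cust-a", "192.0.2.10", "198.51.100.7"),         # legitimate
    ("cust-a", "10.1.2.3", "198.51.100.7"),           # private source leaking out
    ("cust-a", "192.0.2.200", "198.51.100.7"),        # cust-b's space on cust-a's port
    ("cust-b", "192.0.2.200", "203.0.113.9"),         # legitimate
    ("cust-b", "2001:db8:b::1", "2001:db8:ffff::1"),  # legitimate IPv6
    ("cust-b", "203.0.113.50", "198.51.100.7"),       # address never assigned here
    ("cust-b", "not-an-ip", "198.51.100.7"),          # malformed record
]

def build_table(allowed):
    """Parse the per-interface prefix lists once."""
    return {ifc: [ipaddress.ip_network(p) for p in prefixes]
            for ifc, prefixes in allowed.items()}

def source_is_valid(table, interface, src):
    """True only if src lies inside a prefix assigned to that interface."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False  # unparseable source: treat as a violation
    return any(addr.version == net.version and addr in net
               for net in table.get(interface, []))

def audit(table, flows):
    """Return the flows a strict source filter would drop, and counts per interface."""
    violations = [f for f in flows if not source_is_valid(table, f[0], f[1])]
    return violations, Counter(f[0] for f in violations)

if __name__ == "__main__":
    dropped, counts = audit(build_table(ALLOWED), FLOWS)
    for ifc, src, dst in dropped:
        print(f"DROP {ifc}: source {src} -> {dst} is outside the assigned prefixes")
    print(dict(counts))
```

A per-interface count that stays above zero points at the downstream link where spoofed or misconfigured sources originate.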