[39495] in North American Network Operators' Group


RE: DDoS attacks

daemon@ATHENA.MIT.EDU (David Harmelin)
Thu Jul 12 12:47:03 2001

Message-Id: <4.2.2.20010712170411.044bae10@alpha.dante.org.uk>
Date: Thu, 12 Jul 2001 17:47:00 +0100
To: Roeland Meyer <rmeyer@mhsc.com>, "'up@3.am'" <up@3.am>,
	nanog@merit.edu
From: David Harmelin <david.harmelin@dante.org.uk>
In-Reply-To: <EA9368A5B1010140ADBF534E4D32C728025A14@condor.mhsc.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Errors-To: owner-nanog-outgoing@merit.edu


At 08:45 AM 7/12/01 -0700, Roeland Meyer wrote:

>This is the main point, a script-kiddie hunt, with prosecution, is the ONLY
>real deterrent. Throw some of them in hotel greybar and remove them from
>computing, for life, and we may see some of this turn around.
>
>If a lady wears skimpy clothing, does she deserve to get raped? Obviously,
>not. If a computer has skimpy protection, does it deserve to be turned into
>a zombie? Simply because you forget to lock your car one night (whilst in
>your driveway), do you deserve to have it stolen? If you leave a $100 on
>your kitchen table, in your unlocked house, whilst you are working in your
>garage, do I have the right to sneak in the back door and take it while
>avoiding prosecution, on the grounds that you were careless? WRT EFFnet,
>does a prostitute deserve to be raped?



By the way, for those who care, there are relatively easy ways to fight DoS attacks:
* use netflow and a bunch of scripts to detect them automatically
* use BGP to block them on all your border routers instantly, based on destination
* use BGP and Unicast RPF to block them on all your border routers instantly, based on source, if you really need to

With a combination of all that, you can automatically block any major attack at your border.


Is it scalable? Yes.

What about false alarms? We have implemented the detection bit.
With a bit of tuning, we get 0.1% false alarms and yet catch an average of 15 attacks per day, above 500 pkts/s (up to 10000s pkts/s).
I wouldn't be surprised if Tier1 networks would catch many more attacks than that, with the same tool.


My point: block automatically 99% of the DoS attacks at the top 10 transit providers level, and we may see DoS attacks be a thing of the past.
"Kiddies only do it because they can".

DH.

___________________________________________________________________
             * *         David Harmelin  	Network Engineer
           *     *				DANCERT Representative
          *              Francis House
         *               112 Hills Road       Tel +44 1223 302992
         *               Cambridge CB2 1PQ    Fax +44 1223 303005
      D  A  N  T  E      United Kingdom       WWW http://www.dante.net
____________________________________________________________________
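The netflow-detection plus destination-based BGP blackhole combination described in the post, as an added example that is not from the original message or from DANTE: the flow records are constructed, and the 500 pkts/s threshold is the post's figure, while the discard next-hop 192.0.2.1, the IOS-style route syntax, the assumption that a trigger router redistributes statics into iBGP, and the protected-address list are all assumptions of this example.

```python
from collections import defaultdict

# Constructed NetFlow-style records (not real traffic):
# (source IP, destination IP, packet count, flow duration in seconds)
SAMPLE_FLOWS = [
    ("198.51.100.10", "192.0.2.7", 30000, 10),  # 3000 pkts/s toward 192.0.2.7
    ("198.51.100.11", "192.0.2.7", 25000, 10),  # 2500 pkts/s toward 192.0.2.7
    ("198.51.100.12", "192.0.2.8", 2000, 10),   # 200 pkts/s, ordinary traffic
    ("203.0.113.5", "192.0.2.9", 6000, 10),     # 600 pkts/s, just over threshold
]

PPS_THRESHOLD = 500             # the post's lower bound of 500 pkts/s
DISCARD_NEXT_HOP = "192.0.2.1"  # assumed address that border routers route to Null0


def aggregate_pps(flows):
    """Sum packet rates per destination across all flows in the export window."""
    pps = defaultdict(float)
    for _src, dst, packets, duration in flows:
        if duration > 0:
            pps[dst] += packets / duration
    return dict(pps)


def detect_attacks(flows, threshold=PPS_THRESHOLD):
    """Return {destination: pkts/s} for every destination above the threshold."""
    return {dst: rate for dst, rate in aggregate_pps(flows).items()
            if rate > threshold}


def blackhole_routes(victims, protected=frozenset()):
    """Render IOS-style trigger routes for destination-based blackholing.

    Each victim /32 is pointed at DISCARD_NEXT_HOP on a trigger router that
    (assumed) redistributes statics into iBGP; every border router already
    carries 'ip route 192.0.2.1 255.255.255.255 Null0', so traffic to the
    victim is dropped at the edge. Addresses in 'protected' (e.g. your own
    DNS servers) are never blackholed, which bounds the cost of a false alarm.
    """
    return [f"ip route {dst} 255.255.255.255 {DISCARD_NEXT_HOP}"
            for dst in sorted(victims) if dst not in protected]


if __name__ == "__main__":
    victims = detect_attacks(SAMPLE_FLOWS)
    for dst, rate in sorted(victims.items()):
        print(f"attack: {dst} at {rate:.0f} pkts/s")
    for line in blackhole_routes(victims, protected={"192.0.2.9"}):
        print(line)
```

Source-based blocking, the post's "if you really need to" case, works the same way with the attacking source prefixes announced toward the discard next-hop and loose-mode Unicast RPF enabled on the border routers.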

