[39686] in North American Network Operators' Group


Re: Advanced Countermeasures to prevent a Ddos

daemon@ATHENA.MIT.EDU (Basil Kruglov)
Fri Jul 20 01:18:03 2001

Date: Fri, 20 Jul 2001 00:22:13 -0500
From: Basil Kruglov <basil@cifnet.com>
To: nanog@merit.edu
Message-ID: <20010720002213.A28441@shell.cifnet.com>
Reply-To: nanog@merit.edu
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <4.3.2.7.2.20010720070521.00ad15a0@max.att.net.il>; from hank@att.net.il on Fri, Jul 20, 2001 at 07:22:28AM +0200
Errors-To: owner-nanog-outgoing@merit.edu


On Fri, Jul 20, 2001 at 07:22:28AM +0200, Hank Nussbacher wrote:
> It all hinges on your upstream ISPs.  The things to ask for are:
> 
> - SYN and ICMP rate limiting:  If you buy a T3 from your upstream, you 
> should ask that they place on *their* peering routers and on the router 
> facing you, Cisco rate limits of about 512kb/sec of ICMP and about 
> 128kb/sec of SYNs.  Pay extra if need be.

512 Kbps for ICMP? I'd go for 128 Kbps, if not less.

TCP/SYN at 128 Kbps? ;) 128 Kbps is way too easy... do it per hot box/IP.
It will take just one or two modems to take you down; for example, someone
portscanning your network.

Ask for hot [potential] targets only: ircd, shell systems, router interfaces.
Do it per box, plus the same rules for all of your router interfaces heading to the
big bad 'Net. Just make sure you have a proper deny ACL so you don't rate-limit BGP
traffic during a live attack.

Before placing something permanent you need to adjust and play with this.

> - anti-spoofing: require your upstream ISPs to implement full anti-spoofing 
> for incoming packets.  That includes RFC1918, unassigned IANA blocks and 
> (as a minimum) IP anti-spoofing on all single-homed customer links (Cisco 
> ip verify unicast reverse-path)

Sounds good. Check 'ip verify unicast source reachable-via any' as well:
http://www.cisco.com/public/cons/isp/documents/uRPF_Enhancement.pdf
The new uRPF works if you're multihomed too.

> - BGP community: Your upstream should allow you to announce a BGP community 
> for any sub-prefix in your IP block (meaning he has to not be strict in the 
> length of the prefix you announce to him since it can change dynamically) 
> that will be ROUTENULL, which means they eat the packets for you.

Sounds good... too good to be true. Does any Tier1 or "Tier1.5" do this? ;)

> Find 2 upstreams who will agree to the above 3 items and you are 99% safe 
> from dDoS.

And I can still take you down with

1. tcp fin
2. tcp psh
3. tcp rst
4. tcp ack
5. tcp urg
6. tcp frags
7. udp
8. ip frags

I don't know, but somehow I doubt you'll find an upstream to do ~10 rate-limits
per your hot stuff and another ~10 for router interfaces. If you do manage to
get this setup from your upstream you'll be somewhat "99% safe from dDoS". Kids
can and most likely will find a hole to take you down; it just takes time.

-Basil
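For readers who want to see what the items discussed in this thread look like on a router, here is an added example of an IOS-style edge-interface policy. It is not configuration from either poster or from Cisco's documents; the interface name (Serial1/0), the ACL numbers, the CAR burst sizes, and the customer block 192.0.2.0/24 with its two "hot" hosts are assumptions. It uses Classic CAR (rate-limit) with the ICMP and SYN figures quoted by Hank, applies the SYN limit per host rather than per block as Basil suggests, excludes BGP (TCP/179) from the limiter, and enables the loose-mode uRPF check Basil points at.

```cisco
! Added example, not from the original post. Interface, ACL numbers, burst
! sizes and the 192.0.2.0/24 block (hosts .10 = ircd, .20 = shell) are assumed.
!
! ACL 102: rate-limit only ICMP echo/echo-reply, so other ICMP types
! (e.g. fragmentation-needed for path MTU discovery) are never starved.
access-list 102 permit icmp any any echo
access-list 102 permit icmp any any echo-reply
!
! ACL 103 / 104: new TCP connection attempts toward one hot host each.
! In CAR, a "deny" entry means "not matched by this limiter", so:
!   - the two "eq bgp" lines keep BGP sessions out of the limiter
!     (the "proper deny ACL" caveat in the thread),
!   - "established" exempts packets of existing sessions,
!   - only SYNs (no ACK/RST set) fall through to the final permit.
access-list 103 deny   tcp any any eq bgp
access-list 103 deny   tcp any eq bgp any
access-list 103 deny   tcp any host 192.0.2.10 established
access-list 103 permit tcp any host 192.0.2.10
!
access-list 104 deny   tcp any any eq bgp
access-list 104 deny   tcp any eq bgp any
access-list 104 deny   tcp any host 192.0.2.20 established
access-list 104 permit tcp any host 192.0.2.20
!
interface Serial1/0
 description customer-facing T3 (assumed name)
 ! Loose-mode uRPF: drop packets whose source address has no route at all,
 ! while tolerating asymmetric paths for a multihomed customer.
 ip verify unicast source reachable-via any
 ! CAR limits, bits per second; normal and extended burst of 8000 bytes assumed.
 ! 512 kbit/s of ICMP echo traffic for the whole interface,
 ! then 128 kbit/s of SYNs per hot host. Conforming traffic passes, excess drops.
 rate-limit input access-group 102 512000 8000 8000 conform-action transmit exceed-action drop
 rate-limit input access-group 103 128000 8000 8000 conform-action transmit exceed-action drop
 rate-limit input access-group 104 128000 8000 8000 conform-action transmit exceed-action drop
```

Two things to check before leaving something like this in place, both of which the thread hints at: CAR counts everything that matches the ACL, so a single SYN limiter covering an entire block (rather than one per host as above) lets traffic aimed at one box push legitimate connection attempts to every other box over the limit, and a BGP session inside the limiter will flap under load because its keepalives are dropped along with the flood. Watch the counters from "show interfaces rate-limit" under normal load before settling on the numbers.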
