[39687] in North American Network Operators' Group
Re: Advanced Countermeasures to prevent a Ddos
daemon@ATHENA.MIT.EDU (Hank Nussbacher)
Fri Jul 20 01:28:45 2001
Message-Id: <4.3.2.7.2.20010720082408.00ab97e0@max.att.net.il>
Date: Fri, 20 Jul 2001 08:27:25 +0200
To: nanog@merit.edu
From: Hank Nussbacher <hank@att.net.il>
In-Reply-To: <20010720002213.A28441@shell.cifnet.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed
Errors-To: owner-nanog-outgoing@merit.edu
At 00:22 20/07/01 -0500, Basil Kruglov wrote:
>On Fri, Jul 20, 2001 at 07:22:28AM +0200, Hank Nussbacher wrote:
> > It all hinges on your upstream ISPs. The things to ask for are:
> >
> > - SYN and ICMP rate limiting: If you buy a T3 from your upstream, you
> > should ask that they place on *their* peering routers and on the router
> > facing you, Cisco rate limits of about 512kb/sec of ICMP and about
> > 128kb/sec of SYNs. Pay extra if need be.
>
>512Kbps for ICMP? I'd go for 128Kbps if not less.
YMMV. It all depends on how big a pipe you use. The numbers are examples
and each site would have to determine what number works best for them.
>TCP/SYN - 128Kbps ? ;) 128Kbps is way too easy... do it per hot box/ip.
>It will take just one or two modems to take you down, as an example
>someone portscanning your network.
>
>Ask for hot [potential] targets only: ircd, shell systems, router interfaces.
>Do it per box, plus same rules for all of your router interfaces heading the
>big bad 'Net. Just make sure you have a proper deny ACL not to rate-limit BGP
>traffic during a live attack.
>
>Before placing something permanent you need to adjust and play with this.
>
> > - anti-spoofing: require your upstream ISPs to implement full
> > anti-spoofing
> > for incoming packets. That includes RFC1918, unassigned IANA blocks and
> > (as a minimum) IP anti-spoofing on all single-homed customer links (Cisco
> > ip verify unicast reverse-path)
>
>Sounds good. check 'ip verify unicast source reachable-via any' as well
>http://www.cisco.com/public/cons/isp/documents/uRPF_Enhancement.pdf
>new uRPF works if you're multihomed too.
>
> > - BGP community: Your upstream should allow you to announce a BGP
> > community
> > for any sub-prefix in your IP block (meaning he has to not be strict in
> > the
> > length of the prefix you announce to him since it can change dynamically)
> > that will be ROUTENULL, which means they eat the packets for you.
>
>Sounds good.. too good to be true. Any Tier1 or "Tier1.5" does this? ;)
>
> > Find 2 upstreams who will agree to the above 3 items and you are 99% safe
> > from dDoS.
>
>And I can still take you down with
>
>1. tcp fin
>2. tcp psh
>3. tcp rst
>4. tcp ack
>5. tcp urg
>6. tcp frags
>7. udp
>8. ip frags
>
>I don't know but somewhy I doubt you'll find an upstream to do ~10 rate-limits
>per your hot stuff and another ~10 for router interfaces. If you do manage to
>get this setup from upstream you'll be somewhat "99% safe from dDoS". Kids
I would be happy with even 90%. Life is never 100% - just a continuing
stream of compromises.
-Hank
>can and most likely will find a hole to take you down, just takes time.
>
>-Basil
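The three things Hank asks an upstream for (ICMP/SYN rate limits, ingress anti-spoofing with uRPF, and a customer-triggered "ROUTENULL" community), plus Basil's caveat about exempting BGP from the SYN limiter, as one Cisco IOS configuration sketch of the upstream's side. This is an added illustration, not configuration from either poster; interface names, the RFC 5737 documentation addresses, the AS numbers 65000/64500 and the community value 65000:666 are assumptions, and the 512k/128k figures are the thread's example numbers, not recommendations.

```cisco
! Added example (not from the thread). Interface names, addresses,
! AS numbers and the community value are assumptions.
ip cef
ip bgp-community new-format
!
! --- 1. ICMP and SYN rate limits (CAR) on the customer-facing interface ---
! ACL 102 classifies ICMP; ACL 103 classifies TCP segments that are not
! part of an established flow, i.e. the SYNs. BGP is denied from ACL 103
! first so a SYN flood can never rate-limit the BGP session itself.
access-list 102 permit icmp any any
access-list 103 deny   tcp any any eq bgp
access-list 103 deny   tcp any eq bgp any
access-list 103 deny   tcp any any established
access-list 103 permit tcp any any
!
interface Serial1/0
 description link to customer AS64500 (assumed)
 rate-limit input access-group 102 512000 8000 8000 conform-action transmit exceed-action drop
 rate-limit input access-group 103 128000 4000 4000 conform-action transmit exceed-action drop
 ! --- 2a. strict uRPF on a single-homed customer link ---
 ip verify unicast reverse-path
!
! --- 2b. ingress filtering and loose-mode uRPF on the peering side ---
! Static bogon filter for RFC1918 and other never-routed sources; loose uRPF
! (reachable-via any) drops sources with no route at all and still works when
! the neighbour is multihomed, as Basil notes.
access-list 110 deny   ip 10.0.0.0    0.255.255.255 any
access-list 110 deny   ip 172.16.0.0  0.15.255.255  any
access-list 110 deny   ip 192.168.0.0 0.0.255.255   any
access-list 110 deny   ip 127.0.0.0   0.255.255.255 any
access-list 110 deny   ip 0.0.0.0     0.255.255.255 any
access-list 110 permit ip any any
!
interface GigabitEthernet2/0
 description peering link (assumed)
 ip access-group 110 in
 ip verify unicast source reachable-via any
!
! --- 3. customer-triggered blackhole via BGP community ---
! The customer may announce any sub-prefix down to a /32 of its block
! (prefix-list uses "le 32", so the upstream is not strict on length).
! A route tagged 65000:666 has its next hop rewritten to an address that
! is statically routed to Null0, so every router in the upstream drops it.
ip route 192.0.2.1 255.255.255.255 Null0
ip community-list standard BLACKHOLE permit 65000:666
ip prefix-list CUST-AS64500 seq 5 permit 198.51.100.0/24 le 32
!
route-map FROM-CUST permit 10
 match ip address prefix-list CUST-AS64500
 match community BLACKHOLE
 set ip next-hop 192.0.2.1
 set local-preference 200
 set community no-export additive
route-map FROM-CUST permit 20
 match ip address prefix-list CUST-AS64500
!
router bgp 65000
 neighbor 203.0.113.2 remote-as 64500
 neighbor 203.0.113.2 route-map FROM-CUST in
```

In use, the customer announces the attacked host as a /32 with community 65000:666; the upstream's route-map sets the next hop to 192.0.2.1, which resolves to Null0 on every router carrying the route, so the flood is discarded at the upstream's edge rather than on the customer's T3. The `no-export` keeps the blackhole inside the upstream's AS. The CAR limiters and the prefix-list scope are the parts each site has to tune, as the thread says; the BGP exemption at the top of ACL 103 is the one piece that should not be left out.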