[45102] in North American Network Operators' Group


Re: Growing DoS attacks

daemon@ATHENA.MIT.EDU (Jared Mauch)
Wed Jan 16 18:56:03 2002

Date: Wed, 16 Jan 2002 18:53:44 -0500
From: Jared Mauch <jared@puck.Nether.net>
To: Paul Timmins <paul@timmins.net>
Cc: Pascal Gloor <pascal.gloor@spale.com>, nanog@nanog.org
Message-ID: <20020116235344.GB30436@puck.nether.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <5.1.0.14.2.20020116184833.0344b630@new.workbench.net>
Errors-To: owner-nanog-outgoing@merit.edu


	I think the point is that (despite everyone's thoughts
that use it) IRC is not considered a super-important network service
these days.  If the irc server is dampened or the attack can't reach it
it just penalizes the compromised host(s) network(s) more than the
person who hosts the irc server.

	- jared

On Wed, Jan 16, 2002 at 06:49:48PM -0500, Paul Timmins wrote:
> 
> What about BGP route flap dampening, people use that, don't they?
> -Paul
> 
> At 06:12 PM 1/16/2002, you wrote:
> >Get a box, and run Zebra BGPD, which will announce that /24 to your
> >network.
> >Then do a script which monitors the traffic to the irc server, and on a
> >certain threshold, kill BGPD. Wait a certain time, like 15 minutes or so,
> >and restart BGPD. It would be nice to check the traffic every minute and if 2
> >consecutive checks are positive kill bgpd. That means that you may be able
> >to STOP DDoS to irc servers within 2-3 minutes...

-- 
Jared Mauch  | pgp key available via finger from jared@puck.nether.net
clue++;      | http://puck.nether.net/~jared/  My statements are only mine.
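
The watchdog logic described in the quoted message, as an added example that is not part of the original thread: check once a minute, stop bgpd after 2 consecutive over-threshold checks, restart it 15 checks later. The class and function names, the 50 Mbit/s threshold and the sample readings are assumptions; the log records when the script would stop or start bgpd instead of touching a real daemon.

```python
from dataclasses import dataclass, field

@dataclass
class RouteWatchdog:
    threshold_mbps: float        # assumed trip level, not from the thread
    trips_needed: int = 2        # "2 consecutive checks are positive"
    holddown_checks: int = 15    # "15 minutes or so" at one check per minute
    announced: bool = True
    hot: int = 0                 # consecutive over-threshold checks
    held: int = 0                # checks spent with the route withdrawn
    log: list = field(default_factory=list)

    def check(self, minute, mbps):
        if self.announced:
            # One quiet reading resets the count, so a lone spike never trips it.
            self.hot = self.hot + 1 if mbps > self.threshold_mbps else 0
            if self.hot >= self.trips_needed:
                self.announced, self.hot, self.held = False, 0, 0
                self.log.append((minute, "stop bgpd"))
        else:
            # Assumption: with the /24 withdrawn the traffic no longer arrives,
            # so the reading is ignored and only the hold-down timer counts.
            self.held += 1
            if self.held >= self.holddown_checks:
                self.announced = True
                self.log.append((minute, "start bgpd"))

def simulate(samples, threshold_mbps=50.0):
    """Feed one reading per minute and return the (minute, action) log."""
    dog = RouteWatchdog(threshold_mbps)
    for minute, mbps in enumerate(samples):
        dog.check(minute, mbps)
    return dog.log

# Constructed per-minute readings in Mbit/s: a lone spike, an attack, a
# hold-down, an attack that is still running at restart, then quiet.
SAMPLES = [5, 6, 90, 7, 95, 97] + [0] * 15 + [96, 98] + [0] * 15 + [5, 5]

if __name__ == "__main__":
    for minute, action in simulate(SAMPLES):
        print(f"minute {minute:2d}: {action}")
```

On the constructed readings the route is up for only two minutes between the two withdrawals, which is the cost of restarting on a timer while the attack is still in progress.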
