[47281] in North American Network Operators' Group
Re: Effective ways to deal with DDoS attacks?
daemon@ATHENA.MIT.EDU (Christopher L. Morrow)
Thu May 2 00:33:56 2002
Date: Thu, 2 May 2002 04:33:13 +0000 (GMT)
From: "Christopher L. Morrow" <chris@UU.NET>
To: <measl@mfn.org>
Cc: Pete Kruckenberg <pete@kruckenberg.com>, <nanog@merit.edu>
In-Reply-To: <Pine.BSF.4.21.0205012011040.825-100000@greeves.mfn.org>
Message-ID: <Pine.GSO.4.33.0205020431030.11583-100000@rampart.argfrp.us.uu.net>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Errors-To: owner-nanog-outgoing@merit.edu
On Wed, 1 May 2002 measl@mfn.org wrote:
> True DDoS attacks, fortunately, are rarer than most people believe. If they
> were not, the Internet as we know it would look a lot more like a telephone
> system in USSR-at-its-worst-days. For example, of the two recent DDoS's I
> have been on the receiving end of, the first was generating a little over
> 300mbit/sec (steady for a prolonged time), and the second went over that by a
> fair bit. In both cases, we had core equipment (M20's and BSN5000's) fall
> over and die trying to "work" the events. Additionally, our upstream peers
Your M20 tipped over?? What were you doing? We regularly stop large
(+100Mb->800Mb) attacks with less horsepower than this. Truthfully, a
cisco is even capable of filtering (done right) at +200kpps...
> also had core equipment fall over, and we all came to the [now obvious]
> conclusion that the only way to stop these attacks was to completely null
> route ourselves at our upstreams (they tried filter-fishing for specific data
> which may have helped our investigation, but when their routers started
> wheezing, we gave them the OK to just send us straight into the bit bucket
> till it was over...
>
Hmm, this highlights the need to learn how to use the equipment, learn its
boundaries and learn defenses inside these boundaries...
-Chris