[47282] in North American Network Operators' Group
Re: Effective ways to deal with DDoS attacks?
daemon@ATHENA.MIT.EDU (Christopher L. Morrow)
Thu May 2 00:37:32 2002
Date: Thu, 2 May 2002 04:36:52 +0000 (GMT)
From: "Christopher L. Morrow" <chris@UU.NET>
To: Wojtek Zlobicki <wojtekz@idirect.com>
Cc: <measl@mfn.org>, <nanog@merit.edu>
In-Reply-To: <014401c1f17a$1f2299f0$6401a8c0@ender>
Message-ID: <Pine.GSO.4.33.0205020433440.11583-100000@rampart.argfrp.us.uu.net>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Errors-To: owner-nanog-outgoing@merit.edu
On Wed, 1 May 2002, Wojtek Zlobicki wrote:
>
> > > What processes and/or tools are large networks using to
> > > identify and limit the impact of DDoS attacks?
> >
> > A great deal of thought is being expended on this question, I am certain,
> > however, how many of these thought campaigns have borne significant fruit
> > yet, I do not know.
>
> How about the following:
>
> We develop a new community, being fully transitive (666 would be
> appropriate) and either build into router code or create a route map to
> null route anything that contains this community. The effect of this being
> the distribution of the force of the attack.
How about no. How about you do this inside YOUR network, perhaps get an
agreement with your peers to accept a /32 route from you and you can do it
with your peers also in times of need... There is something ominous about
'automagically propagating' a blackhole route.
1) I hack connected ISP X
2) I inject www.ebay.com /32 blackhole route
3) no more ebay
I use ebay as an example of course, I wouldn't want them harmed cause how
would I be able to buy all that nice routing gear at bargain basement
prices without them? :)
>
> This aside, how effective would using a no-export community with one's
> peers be (being non-transitive, it would still distribute the force of the
> attack).
For YOUR PEERS this is a fine idea, provided this fits with your peer's
edge policies and doesn't step on his already-used community.
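As an added illustration (not from either poster), the kind of inbound policy that implements the safer version described in this reply: a community-triggered null route that is only honoured on a session with a peer who has agreed to it, only for /32s inside that peer's own address space, and that is tagged no-export so it never propagates transitively. Community value 65535:666, the peer's AS numbers and addresses, and the peer's prefix are placeholders; 192.0.2.1 is a documentation address used here as the discard next-hop.

```cisco
! Constructed IOS-style example; values are placeholders, not real peers.
ip bgp-community new-format
!
! Anything forwarded to the discard next-hop is dropped.
ip route 192.0.2.1 255.255.255.255 Null0
!
! Blackhole requests are accepted only as /32s within the space this peer
! agreed to announce (placeholder 198.51.100.0/24). A /32 for someone
! else's prefix, like the eBay scenario above, falls through to the deny.
ip prefix-list PEER-X-BLACKHOLE seq 5 permit 198.51.100.0/24 ge 32
ip prefix-list PEER-X-BLACKHOLE seq 10 deny 0.0.0.0/0 le 32
!
! The agreed trigger community.
ip community-list standard BLACKHOLE permit 65535:666
!
route-map FROM-PEER-X permit 10
 ! Only a tagged /32 in the agreed range becomes a null route, and it is
 ! marked no-export so it stops at our network instead of riding onward.
 match ip address prefix-list PEER-X-BLACKHOLE
 match community BLACKHOLE
 set ip next-hop 192.0.2.1
 set local-preference 200
 set community no-export
!
route-map FROM-PEER-X permit 20
 ! Every other route from this peer: strip the trigger community so a
 ! tagged route cannot transit through us and fire a null route elsewhere.
 set comm-list BLACKHOLE delete
!
router bgp 65536
 neighbor 203.0.113.2 remote-as 65537
 neighbor 203.0.113.2 route-map FROM-PEER-X in
 neighbor 203.0.113.2 send-community
```

The route-map is applied inbound per agreed peer only; sessions without such an agreement get no BLACKHOLE clause, which is the "do this inside YOUR network" point made above.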