[47286] in North American Network Operators' Group


Re: Effective ways to deal with DDoS attacks?

daemon@ATHENA.MIT.EDU (Richard A Steenbergen)
Thu May 2 00:55:43 2002

Date: Thu, 2 May 2002 00:55:11 -0400
From: Richard A Steenbergen <ras@e-gerbil.net>
To: "Christopher L. Morrow" <chris@UU.NET>
Cc: Avleen Vig <lists-nanog@silverwraith.com>,
	Pete Kruckenberg <pete@kruckenberg.com>,
	"nanog@merit.edu" <nanog@merit.edu>
Message-ID: <20020502045511.GF523@overlord.e-gerbil.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <Pine.GSO.4.33.0205020421270.11583-100000@rampart.argfrp.us.uu.net>
Errors-To: owner-nanog-outgoing@merit.edu


On Thu, May 02, 2002 at 04:28:44AM +0000, Christopher L. Morrow wrote:
> 
> Let me say this one more time... "RATE LIMITS DON'T DO SHIT TO STOP
> ATTACKS" for the victim at least, all they do is make the job of the
> attacker that much easier.  For instance:
> 
> 1) I synflood www.avleen.org
> 2) you rate-limit syns to 1MB
> 3) I now only flood 1MB and I still win
> 
> So, don't rely on a rate-limit as it's not going to help.

Thank you, I can't make this point enough and people still say "we'll just
rate limit!". Filtering is only as good as your ability to DETERMINE WHAT
TO FILTER.

The only time you can get anything from this is when you admit defeat on
keeping your services responding to new connections but want to keep
existing connections and/or the end servers from failing completely.
Depending on the service in question this may or may not be a good goal.

-- 
Richard A Steenbergen <ras@e-gerbil.net>       http://www.e-gerbil.net/ras
PGP Key ID: 0x138EA177  (67 29 D7 BC E8 18 3E DA  B2 46 B3 D8 14 36 FE B6)
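
The argument made in this message and in the one it quotes, as an added simulation that is not part of the original thread: a token-bucket SYN policer is run over constructed traffic to show what share of legitimate SYNs gets through and how many SYNs per second still reach the server. The packet rates (100 legitimate, 10000 attack, 500 limit) and all function names are assumptions chosen for illustration.

```python
import random

def police(arrivals, rate, burst):
    """Token-bucket policer: admits SYNs while tokens last, blind to who sent them."""
    tokens, last, admitted = float(burst), 0.0, []
    for t, src in arrivals:
        tokens = min(burst, tokens + (t - last) * rate)  # refill since the last packet
        last = t
        if tokens >= 1:
            tokens -= 1
            admitted.append(src)
    return admitted

def run(legit_pps, attack_pps, limit_pps, seconds=10, can_identify_attack=False, seed=7):
    """Return (fraction of legitimate SYNs admitted, SYNs/sec reaching the server)."""
    rng = random.Random(seed)
    # Constructed traffic: uniformly spread arrival times. The label is ground
    # truth for measurement only; the policer never reads it.
    arrivals = [(rng.uniform(0, seconds), "legit") for _ in range(legit_pps * seconds)]
    arrivals += [(rng.uniform(0, seconds), "attack") for _ in range(attack_pps * seconds)]
    arrivals.sort()
    if can_identify_attack:
        # A filter that really matches the attack traffic drops it before the policer.
        arrivals = [a for a in arrivals if a[1] != "attack"]
    admitted = police(arrivals, rate=limit_pps, burst=limit_pps)
    legit_ok = admitted.count("legit") / (legit_pps * seconds)
    return legit_ok, len(admitted) / seconds

if __name__ == "__main__":
    cases = [("no attack", dict(attack_pps=0)),
             ("flood, rate limit only", dict(attack_pps=10000)),
             ("flood, attack identified", dict(attack_pps=10000, can_identify_attack=True))]
    for name, kw in cases:
        ok, load = run(legit_pps=100, limit_pps=500, **kw)
        print(f"{name:26s} legit SYNs admitted: {ok:6.1%}   server sees {load:.0f} SYN/s")
```

With the rate limit alone, legitimate SYNs are admitted only in proportion to their share of the offered traffic, while the load on the server stays bounded at the configured limit plus the initial burst.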
