[47300] in North American Network Operators' Group
Re: Effective ways to deal with DDoS attacks?
daemon@ATHENA.MIT.EDU (Hank Nussbacher)
Thu May 2 04:18:43 2002
Message-Id: <5.1.0.14.2.20020502111253.00fc79a0@max.att.net.il>
Date: Thu, 02 May 2002 11:15:28 +0200
To: "Christopher L. Morrow" <chris@UU.NET>,
Pete Kruckenberg <pete@kruckenberg.com>
From: Hank Nussbacher <hank@att.net.il>
Cc: <nanog@merit.edu>
In-Reply-To: <Pine.GSO.4.33.0205020412570.11583-100000@rampart.argfrp.us.uu.net>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed
Errors-To: owner-nanog-outgoing@merit.edu
At 04:16 AM 02-05-02 +0000, Christopher L. Morrow wrote:
>What we use and we're a 'largeish' network:
>
>http://www.secsup.org/Tracking/
>(shameless plug #1)
>
>Among other things this is a tool we use... there was a great set of
>slides and presentation given at NANOG23:
>
>http://www.nanog.org/mtg-0110/greene.html
>(shameless plug #2)
Shameless plug #3 from RIPE41:
http://www.ripe.net/ripe/meetings/archive/ripe-41/tutorials/eof-ddos.pdf
155 slides - 2.3M
-Hank
Consultant
Riverhead Networks (formerly Wanwall Networks)
www.riverhead.com
>There is also a set of papers Barry Greene from Cisco has available on the
>Cisco website... I'm positive he'll respond to this with the link; if he
>doesn't, search the NANOG mailing list archive for the link, it should be
>obvious in posts from Barry.
>
>If you want more pointers I'd be glad to chat on the phone with you,
>numbers included below.
>
>
>--Chris
>(chris@uu.net)
>#######################################################
>## UUNET Technologies, Inc. ##
>## Manager ##
>## Customer Router Security Engineering Team ##
>## (W)703-886-3823 (C)703-338-7319 ##
>#######################################################
>
>On Wed, 1 May 2002, Pete Kruckenberg wrote:
>
> >
> > There's been plenty of discussion about DDoS attacks, and my
> > IDS system is darn good at identifying them. But what are
> > effective methods for large service-provider networks (i.e.
> > ones where a firewall at the front would not be possible) to
> > deal with DDoS attacks?
> >
> > The current method of updating ACLs with the source and/or
> > destination is slow and error-prone and hard to maintain
> > (especially when the target of the attack is a site that
> > users would like to access).
> >
> > A rather extensive survey of DDoS papers has not resulted in
> > much on this topic.
> >
> > What processes and/or tools are large networks using to
> > identify and limit the impact of DDoS attacks?
> >
> > Thanks.
> > Pete.
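Added example (editor's code, not from any poster in this thread) of automating the ACL step Pete describes: an IDS hands over a list of attack sources, and instead of typing deny entries by hand the script validates each entry, drops garbage and duplicates, aggregates adjacent prefixes, sets aside prefixes too broad to block blindly (since the target is a site legitimate users still want to reach), and emits a Cisco IOS style extended ACL toward the victim. The sample source list, the victim address, the ACL name and the /16 "too broad" threshold are all constructed assumptions.

```python
"""Generate a Cisco IOS style extended ACL from an IDS list of DDoS sources.

Added example, not code from the original thread. Assumptions: the input
format (one address or CIDR per line), the victim address, the ACL name and
the threshold for "too broad to block without review".
"""
import ipaddress

# Constructed sample input: duplicates, a garbage line, two adjacent /25s
# that aggregate to a /24, and a /8 that is far too broad to block blindly.
SAMPLE_SOURCES = """
192.0.2.17
192.0.2.17
198.51.100.0/25
198.51.100.128/25
203.0.113.0/24
not-an-address
10.0.0.0/8
"""

TARGET = "192.0.2.250"  # assumed victim address under attack


def parse_sources(text):
    """Parse one IPv4 address or prefix per line.

    Returns (networks, rejected_lines). Anything that does not parse as an
    IPv4 address/prefix is reported rather than silently dropped, so a
    mangled IDS export does not quietly shrink the filter.
    """
    nets, rejected = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            net = ipaddress.ip_network(line, strict=False)
        except ValueError:
            rejected.append(line)
            continue
        if net.version != 4:
            rejected.append(line)
            continue
        nets.append(net)
    return nets, rejected


def aggregate(nets):
    """Deduplicate and merge adjacent/contained prefixes (sorted output)."""
    return list(ipaddress.collapse_addresses(nets))


def split_broad(nets, min_prefixlen=16):
    """Separate prefixes shorter than /min_prefixlen for manual review.

    Blocking a /8 toward the victim also blocks every legitimate user in it,
    which is the collateral damage Pete's question warns about.
    """
    keep, broad = [], []
    for net in nets:
        (broad if net.prefixlen < min_prefixlen else keep).append(net)
    return keep, broad


def build_acl(nets, target, acl_name="DDOS-FILTER", max_entries=500):
    """Emit an IOS named extended ACL denying each source to the target.

    max_entries guards against pushing an ACL so long it hurts the router
    more than the attack does; raise rather than truncate.
    """
    if len(nets) > max_entries:
        raise ValueError(f"{len(nets)} entries exceeds max_entries={max_entries}")
    lines = [f"ip access-list extended {acl_name}"]
    for net in nets:
        if net.prefixlen == 32:
            src = f"host {net.network_address}"
        else:
            src = f"{net.network_address} {net.hostmask}"  # wildcard mask
        lines.append(f" deny ip {src} host {target}")
    lines.append(" permit ip any any")  # explicit, so the intent is visible
    return lines


if __name__ == "__main__":
    nets, rejected = parse_sources(SAMPLE_SOURCES)
    keep, broad = split_broad(aggregate(nets))
    print("\n".join(build_acl(keep, TARGET)))
    for line in rejected:
        print(f"! rejected input: {line}")
    for net in broad:
        print(f"! needs review (too broad to block blindly): {net}")
```

The generated ACL lines are meant to be reviewed and pushed through whatever change process the network already has; the point is that validation, aggregation and the "too broad" check happen in code every time rather than being left to an operator at 4 AM.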