[47303] in North American Network Operators' Group
Re: Effective ways to deal with DDoS attacks?
daemon@ATHENA.MIT.EDU (Scott Francis)
Thu May 2 04:39:18 2002
Date: Thu, 2 May 2002 01:37:07 -0700
From: Scott Francis <darkuncle@darkuncle.net>
To: Pete Kruckenberg <pete@kruckenberg.com>
Cc: nanog@merit.edu
Message-ID: <20020502083707.GC1156@darkuncle.net>
Mail-Followup-To: Scott Francis <darkuncle@darkuncle.net>,
Pete Kruckenberg <pete@kruckenberg.com>, nanog@merit.edu
In-Reply-To: <Pine.LNX.4.33.0205011711080.5350-100000@minot.kruckenberg.com>
On Wed, May 01, 2002 at 05:18:24PM -0600, pete@kruckenberg.com said:
[snip]
> A rather extensive survey of DDoS papers has not resulted in
> much on this topic.
>
> What processes and/or tools are large networks using to
> identify and limit the impact of DDoS attacks?
It seems to me that the real issue in defending against an attack of this
type is differentiating between legitimate traffic and zombie traffic. This
seems to be self-evident, but on a distributed scale, how _would_ one tell
the difference between a host/netblock that's making a lot of requests to a
busy site (amazon.com, say) and a host/netblock that's sending a lot of
zombie requests, especially when both sets of requests are bound for the same
ports (80/443 in this case) on the same IP/set of IPs? The more D the DoS,
the more difficult it becomes to tell what's legit and what's not.
(Stating the obvious again, I know, but it helps me think. :) )
-- 
Scott Francis darkuncle@ [home:] d a r k u n c l e . n e t
Systems/Network Manager sfrancis@ [work:] t o n o s . c o m
GPG public key 0xCB33CCA7 illum oportet crescere me autem minui
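The difficulty described in the message above can be made concrete with a small traffic-analysis script. This is an added example, not code from the original post or from anyone on the list; the one-second request window, the single busy legitimate client, the 2000 low-rate zombies, the 100-requests-per-source limit and the quiet "baseline" window are all constructed assumptions. It goes slightly beyond the post by showing three views a defender might take of the same window: a per-source limit (which flags only the busy legitimate client and lets the flood through), aggregation by /24 (which does not help when the zombies are spread across many networks), and a comparison of distinct and never-before-seen sources against a quiet baseline (which does move sharply during the flood).

```python
"""
Why a per-source request limit alone cannot separate a busy legitimate client
from a distributed flood: per-source, per-/24 and unseen-source counts over a
constructed one-second window of web requests.

Added example, not code from the original NANOG post. The traffic sample, the
100-requests-per-source limit and the quiet "baseline" window are constructed
assumptions for illustration only.
"""
import random
from collections import Counter
from ipaddress import ip_network


def build_window(attack, seed=1):
    """Return a constructed list of (src_ip, dst_port) requests for one second.

    The legitimate part of the window is identical whether or not `attack` is
    set, so the quiet window can serve as a baseline for the attack window.
    """
    rng = random.Random(seed)
    records = []
    # One busy legitimate client (a large NAT or proxy, say): 300 requests to 443.
    records += [("198.51.100.7", 443)] * 300
    # Ordinary background: 200 clients from one ISP block, 1-3 requests each.
    for i in range(200):
        records += [(f"203.0.113.{i + 1}", 80)] * rng.randint(1, 3)
    if attack:
        # Zombies: 2000 distinct hosts spread across many networks, 2 requests
        # each, bound for the same port as the legitimate traffic.
        for _ in range(2000):
            ip = (f"{rng.randint(11, 190)}.{rng.randint(0, 255)}."
                  f"{rng.randint(0, 255)}.{rng.randint(1, 254)}")
            records += [(ip, 80)] * 2
    rng.shuffle(records)
    return records


def per_source(records):
    """Requests per source IP."""
    return Counter(src for src, _ in records)


def per_prefix(records, prefixlen=24):
    """Requests per aggregate prefix (default /24), to test whether zombies cluster."""
    return Counter(str(ip_network(f"{src}/{prefixlen}", strict=False))
                   for src, _ in records)


def summarize(window, baseline, per_source_limit=100):
    """Compare a window against a quiet baseline window.

    Returns the figures a defender would look at: who exceeds the per-source
    limit, how many distinct sources and prefixes are present, and how many
    sources never appeared in the baseline.
    """
    srcs = per_source(window)
    over = {s: n for s, n in srcs.items() if n > per_source_limit}
    known = set(per_source(baseline))
    unseen = sum(1 for s in srcs if s not in known)
    return {
        "total_requests": len(window),
        "baseline_requests": len(baseline),
        "requests_by_port": dict(Counter(port for _, port in window)),
        "distinct_sources": len(srcs),
        "distinct_prefixes": len(per_prefix(window)),
        "sources_over_limit": over,
        "requests_from_sources_over_limit": sum(over.values()),
        "unseen_sources": unseen,
        "unseen_fraction": unseen / len(srcs),
    }


if __name__ == "__main__":
    quiet = build_window(attack=False)
    flood = build_window(attack=True)
    for label, window in (("quiet", quiet), ("flood", flood)):
        print(label, summarize(window, quiet))
```

In the flood window the only source over the per-source limit is the legitimate busy client, so a limit tuned to spare it catches none of the zombie requests, and the number of /24 prefixes is almost as large as the number of sources, so prefix aggregation gains little. What does change is the share of sources with no history in the baseline, which is the kind of signal a defender can act on without first having to judge each individual request.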