[47329] in North American Network Operators' Group
Re: Effective ways to deal with DDoS attacks?
daemon@ATHENA.MIT.EDU (Christopher L. Morrow)
Thu May 2 12:09:38 2002
Date: Thu, 2 May 2002 16:08:47 +0000 (GMT)
From: "Christopher L. Morrow" <chris@UU.NET>
To: Hank Nussbacher <hank@att.net.il>
Cc: Avleen Vig <lists-nanog@silverwraith.com>,
Pete Kruckenberg <pete@kruckenberg.com>,
"nanog@merit.edu" <nanog@merit.edu>
In-Reply-To: <5.1.0.14.2.20020502104821.00ff27a8@max.att.net.il>
Message-ID: <Pine.GSO.4.33.0205021608060.11583-100000@rampart.argfrp.us.uu.net>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Errors-To: owner-nanog-outgoing@merit.edu
On Thu, 2 May 2002, Hank Nussbacher wrote:
>
> At 01:49 AM 02-05-02 +0100, Avleen Vig wrote:
>
> >As time goes by, tools are being developed (in fact they're used now) that
> >completely randomize the TCP or UDP ports attacked, or use a variety of
> >icmp types in the attack.
> >So currently the only way you can 'block' such attacks is to block all
> >packets for the offending protocol as far upstream as you possibly can,
> >but this is not ideal.
> >
> >If you're being attacked by a SYN flood, you can try to rate-limit the
> >flood at your border (possible on Cisco IOS 12.0 and higher, and probably
> >other routers too?)
>
> ACLs have been a good tool for the past number of years to stop DOS attacks
> but they suffer one very bad feature - they throw away the good packets
> along with the bad packets. The same goes for CAR. The same goes for
> taking a /32 and null routing it. Consider Amazon being hit with a DDOS
> attack from random spoofed IPs to their web site. You can't block on
> source IP since it is random. If you block on destination IP - you end up
> taking Amazon off the network (the ultimate aim of the attacker) at a daily
> revenue loss of over $1M.
So, just filter and track quickly... move the block as far back as you
can. Have the customer remain agile also. :)
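The three knobs the thread argues about (CAR rate-limiting of SYNs, a plain ACL, and a /32 null route) side by side as a Cisco IOS 12.0-style configuration. This is an added illustration, not configuration posted by anyone in the thread; 192.0.2.10 is a placeholder victim address, Serial0/0 is an assumed upstream interface, and the bit rates and burst sizes are illustrative values that would have to be tuned to the link and to the server's normal SYN rate.

```cisco
! Added example, not from the thread. 192.0.2.10 is a placeholder victim
! host, Serial0/0 an assumed upstream interface, and the CAR rates are
! illustrative; tune them to the link and the server's normal SYN rate.
!
! 1. CAR rate-limit on TCP SYNs toward the victim.
!    The "deny ... established" line is evaluated first, so packets with
!    ACK or RST set (existing connections) fall out of the rate-limit
!    class; the permit line then matches only connection setup packets,
!    in practice the SYNs. Anything above 64 kbit/s (8000-byte bursts)
!    is dropped, legitimate SYNs included: CAR cannot tell them apart.
access-list 103 deny   tcp any host 192.0.2.10 established
access-list 103 permit tcp any host 192.0.2.10
!
! 2. Plain ACL for an attack that randomises ICMP types: the only option
!    is to drop the whole protocol to the host, good packets and bad.
access-list 110 deny   icmp any host 192.0.2.10
access-list 110 permit ip any any
!
interface Serial0/0
 description upstream link (assumed)
 rate-limit input access-group 103 64000 8000 8000 conform-action transmit exceed-action drop
 ip access-group 110 in
!
! 3. Destination null route: the router discards every packet for the
!    /32. The link and the rest of the network survive, but the host is
!    off the net, which is exactly the attacker's goal.
ip route 192.0.2.10 255.255.255.255 Null0
```

All three work on the destination or protocol rather than the (spoofed, random) source, which is why each of them costs some legitimate traffic: the SYN rate-limit drops a share of real connection attempts once the bucket is empty, the ICMP ACL drops all ICMP to the host, and the null route drops everything. Whichever is chosen, it belongs as far upstream as the provider will place it, as the reply above suggests, so the drop happens before the flood crosses the congested link.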