[47340] in North American Network Operators' Group
Re: Effective ways to deal with DDoS attacks?
daemon@ATHENA.MIT.EDU (Hank Nussbacher)
Thu May 2 13:12:51 2002
Message-Id: <5.1.0.14.2.20020502200201.01033818@max.att.net.il>
Date: Thu, 02 May 2002 20:07:31 +0200
To: Richard A Steenbergen <ras@e-gerbil.net>,
"LeBlanc, Jason" <Jml@ebay.com>
From: Hank Nussbacher <hank@att.net.il>
Cc: "'Pete Kruckenberg'" <pete@kruckenberg.com>, nanog@merit.edu
In-Reply-To: <20020502162301.GK523@overlord.e-gerbil.net>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed
Errors-To: owner-nanog-outgoing@merit.edu
At 12:23 PM 02-05-02 -0400, Richard A Steenbergen wrote:
>Thats what the IP2 does, match bytes in the headers and come back with a
>thumbs down or a thumbs up and a destination interface. It's really not
>that much harder to match the bytes for a dest port against a compiled
>ruleset and decide yes or no then it is to match the dest address against
>a forwarding table and decide which nexthop.
Looking into the IP header is not enough. In order to filter DDoS packets
one has to look into the payload as well. I don't think routers are
suitable for that level of filtering (think advanced NBAR).
Hank
Consultant
Riverhead Networks (formerly Wanwall Networks)
www.riverhead.com
>They CAN filter on anything in the headers, it's just a matter of
>convincing them that the specific filter you want is something they should
>add to their software language and microcode. I'm sure as a core router
>vendor they must hear every feature request imaginable and not know which
>ones to follow up on. If anyone from Juniper is listening, I can tell you
>4 things to add which will stop all existing packet kiddie tools in their
>tracks. But then again, I'd rather just have a language for bitmatching at
>any offset. :)
>
>--
>Richard A Steenbergen <ras@e-gerbil.net> http://www.e-gerbil.net/ras
>PGP Key ID: 0x138EA177 (67 29 D7 BC E8 18 3E DA B2 46 B3 D8 14 36 FE B6)
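Added example (not part of the original thread, and not code from Hank, Richard or Riverhead): a small "bitmatch at any offset" classifier of the kind Richard asks for, run over constructed traffic to show Hank's point. A ruleset is an OR of rules, each rule an AND of (base, offset, value, mask) predicates where the base is the start of the IP header, the L4 header or the L4 payload. The sample traffic is a constructed DNS flood whose packets all carry the same fixed transaction id, mixed with legitimate queries; the addresses, the fixed 0xBEEF id and the idea that a flood tool leaves such a payload fingerprint are assumptions for the demo, not anything the thread states.

```python
"""Offset/mask/value packet classifier, demo only (constructed input)."""
import socket
import struct


def build_ipv4_udp(src, dst, sport, dport, payload):
    """Build a minimal IPv4/UDP datagram. Checksums stay zero: the classifier
    never looks at them and this is constructed test input, not live traffic."""
    udp_len = 8 + len(payload)
    udp = struct.pack("!HHHH", sport, dport, udp_len, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, 0x1234, 0x4000,
                     64, 17, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return ip + udp


def dns_query(txid, name):
    """Minimal DNS query (header + one A question) used as sample payload."""
    hdr = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    return hdr + qname + struct.pack("!HH", 1, 1)


def base_offsets(pkt):
    """Resolve the three bases a predicate may be relative to, using IHL and
    (for TCP) the data offset so rules survive IP options / TCP options."""
    ihl = (pkt[0] & 0x0F) * 4
    proto = pkt[9]
    if proto == 17:                       # UDP: fixed 8-byte header
        l4_len = 8
    elif proto == 6:                      # TCP: data offset in upper nibble
        l4_len = (pkt[ihl + 12] >> 4) * 4
    else:
        l4_len = 0
    return {"ip": 0, "l4": ihl, "payload": ihl + l4_len}


def predicate_matches(pkt, base, offset, value, mask=None):
    """True if pkt[base+offset : +len(value)] & mask == value.
    'value' is compared after masking, so supply it already masked."""
    start = base_offsets(pkt)[base] + offset
    field = pkt[start:start + len(value)]
    if len(field) < len(value):
        return False                      # packet too short: no match, no IndexError
    mask = mask or b"\xff" * len(value)
    return bytes(a & m for a, m in zip(field, mask)) == value


def classify(pkt, ruleset):
    """A rule matches when all its predicates match; any matching rule drops."""
    for rule in ruleset:
        if all(predicate_matches(pkt, *pred) for pred in rule):
            return "drop"
    return "pass"


def evaluate(ruleset, flood, legit):
    """Return (flood packets dropped, legitimate packets dropped)."""
    return (sum(classify(p, ruleset) == "drop" for p in flood),
            sum(classify(p, ruleset) == "drop" for p in legit))


# Header-only rule: drop anything to UDP/53. Stops the flood, and every real query.
HEADER_ONLY = [[("l4", 2, b"\x00\x35", None)]]

# Payload-aware rule: UDP/53 AND fixed txid 0xBEEF AND QR bit clear (a query).
# The 0xBEEF fingerprint is an assumption made up for this demo.
PAYLOAD_AWARE = [[("ip", 9, b"\x11", None),             # protocol == UDP
                  ("l4", 2, b"\x00\x35", None),         # dport == 53
                  ("payload", 0, b"\xbe\xef", None),    # DNS txid == 0xBEEF
                  ("payload", 2, b"\x00", b"\x80")]]    # QR bit == 0 (masked match)

# Constructed sample traffic (documentation-range addresses, not real hosts).
FLOOD = [build_ipv4_udp("203.0.113.%d" % i, "198.51.100.10", 1024 + i, 53,
                        dns_query(0xBEEF, "www.example.com")) for i in range(1, 6)]
LEGIT = [build_ipv4_udp("192.0.2.7", "198.51.100.10", 40000 + i, 53,
                        dns_query(0x1000 + i, name))
         for i, name in enumerate(["mail.example.com", "ns1.example.net",
                                   "a.example.org"])]

if __name__ == "__main__":
    print("header-only   (flood dropped, legit dropped):", evaluate(HEADER_ONLY, FLOOD, LEGIT))
    print("payload-aware (flood dropped, legit dropped):", evaluate(PAYLOAD_AWARE, FLOOD, LEGIT))
```

The header-only ruleset drops all five flood packets and all three legitimate queries; the payload-aware ruleset drops the five flood packets and none of the legitimate ones. The matching itself is the same fixed-width compare-under-mask in both cases, which is Richard's point about cost; what changes is that the payload rule needs the L4 and payload bases resolved per packet and a fingerprint that has to be found first, which is Hank's point about where that work belongs.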