[47608] in North American Network Operators' Group


Re: Effective ways to deal with DDoS attacks?

daemon@ATHENA.MIT.EDU (Christopher L. Morrow)
Tue May 7 17:43:43 2002

Date: Tue, 7 May 2002 21:43:10 +0000 (GMT)
From: "Christopher L. Morrow" <chris@UU.NET>
To: <vern@ee.lbl.gov>
Cc: Scott Francis <darkuncle@darkuncle.net>,
	Pete Kruckenberg <pete@kruckenberg.com>, <nanog@merit.edu>
In-Reply-To: <200205071959.g47JxTO04161@yak.icir.org>
Message-ID: <Pine.GSO.4.33.0205072141320.11583-100000@rampart.argfrp.us.uu.net>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Errors-To: owner-nanog-outgoing@merit.edu



On Tue, 7 May 2002 vern@ee.lbl.gov wrote:

>
> > It seems to me that the real issue in defending against an attack of this
> > type is differentiating between legitimate traffic and zombie traffic.
>
> Exactly.  And while with today's DDoS attacks this is often not so hard,
> tomorrow's floods will be more carefully crafted so that there are no
> telltales that can be cheaply used to filter them out.
>
> Steve Bellovin and colleagues (me being one of them) have been working on
> a scheme called "Pushback", in which routers detect traffic aggregates
> that are burdening one of their links, and send pushback messages upstream
> to their peers responsible for the bulk of the traffic, asking them to
> rate-limit the aggregates.  The key idea is that the upstream peers then

1) rate-limits aren't going to solve anything.
2) I'm pretty sure most providers aren't going to let customers determine
traffic engineering methods on their networks.
3) if this is NOT done in a secure manner I bet I can make
www.whitehouse.com disappear... :)

-Chris

