[54424] in North American Network Operators' Group


Re: DDos syn attack

daemon@ATHENA.MIT.EDU (Christopher L. Morrow)
Mon Dec 30 10:33:50 2002

Date: Mon, 30 Dec 2002 15:30:43 +0000 (GMT)
From: "Christopher L. Morrow" <chris@UU.NET>
To: Mike Hyde <mhyde@escape.ca>
Cc: <nanog@merit.edu>
In-Reply-To: <1041259466.12500.3.camel@mike-laptop.mts.net>
Errors-To: owner-nanog-outgoing@merit.edu



On 30 Dec 2002, Mike Hyde wrote:

>
> Just wondering how people have dealt with DDOS syn attacks on port 80 of
> a customer's server?  We had an attack a couple of days ago, and it

1) acl the traffic (Stop immediate pain)
2) blackhole ip in question
3) track via: http://www.secsup.org/Tracking/ to ingress points on your
network
4) acl traffic inbound there
5) remove blackhole and acl toward customer

Finish in ~10 mins... customer is back online and happy.

> overwhelmed both the customer's firewall and, when we tried to turn up
> filtering on a 7600 cisco router, the router also.  We ended up having
> the customer change his IP for the site under attack.  We were lucky in
> that the attack was against an IP and not the DNS name.
> --

This is also a very viable solution, provided the customer has provisioned
for this with lower ttls on their DNS records, which a lot of people
(thankfully) don't do... also, sometimes customers don't know how to do
this, eh? :(
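Step 3 of the procedure above depends on finding which ingress interfaces the flood is entering on. As an added illustration (not part of this thread and not the secsup.org procedure itself), assuming the temporary ACL on the backbone routers logs its matches with IOS `log-input` so that syslog records the inbound interface per source, this Python tallies the logged packets per ingress interface for the victim address; the log lines and the message field layout are constructed here.

```python
import re
from collections import Counter, defaultdict

# IOS "log-input" ACL message: list, action, proto, src(port), (ingress-iface l2-addr),
# dst(port), packet count. Field layout is assumed from the IOS syslog format.
LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>denied|permitted) "
    r"(?P<proto>\w+) (?P<src>[\d.]+)\((?P<sport>\d+)\) "
    r"\((?P<iface>\S+) (?P<l2>\S+)\) -> (?P<dst>[\d.]+)\((?P<dport>\d+)\), "
    r"(?P<count>\d+) packets?"
)

# Constructed sample syslog lines from one backbone router; 192.0.2.10 is the victim.
SAMPLE_LOGS = """\
Dec 30 15:12:01 core1: %SEC-6-IPACCESSLOGP: list 150 denied tcp 203.0.113.5(2048) (Serial1/0 *HDLC*) -> 192.0.2.10(80), 41 packets
Dec 30 15:12:01 core1: %SEC-6-IPACCESSLOGP: list 150 denied tcp 203.0.113.77(1025) (Serial1/0 *HDLC*) -> 192.0.2.10(80), 37 packets
Dec 30 15:12:02 core1: %SEC-6-IPACCESSLOGP: list 150 denied tcp 198.51.100.9(3000) (GigabitEthernet2/1 0000.0c65.4321) -> 192.0.2.10(80), 1 packet
Dec 30 15:12:02 core1: %SEC-6-IPACCESSLOGP: list 150 denied tcp 203.0.113.200(4444) (Serial1/0 *HDLC*) -> 192.0.2.10(80), 55 packets
Dec 30 15:12:03 core1: %SYS-5-CONFIG_I: Configured from console by admin on vty0
Dec 30 15:12:03 core1: %SEC-6-IPACCESSLOGP: list 150 denied tcp 198.51.100.9(3001) (GigabitEthernet2/1 0000.0c65.4321) -> 192.0.2.11(80), 9 packets
"""


def parse_line(line):
    """Return the fields of one log-input ACL message, or None for any other syslog line."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["count"] = int(rec["count"])
    return rec


def ingress_points(lines, victim, port="80"):
    """Map ingress interface -> (logged packets, distinct sources) for traffic to victim:port."""
    packets = Counter()
    sources = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["dst"] != victim or rec["dport"] != port:
            continue
        packets[rec["iface"]] += rec["count"]
        sources[rec["iface"]].add(rec["src"])
    return {iface: (packets[iface], len(sources[iface])) for iface in packets}


def rank_ingress(lines, victim, port="80"):
    """Ingress interfaces busiest first: the places where step 4's inbound ACL belongs."""
    stats = ingress_points(lines, victim, port)
    return sorted(stats.items(), key=lambda kv: kv[1][0], reverse=True)


if __name__ == "__main__":
    for iface, (pkts, srcs) in rank_ingress(SAMPLE_LOGS.splitlines(), "192.0.2.10"):
        print(f"{iface:20} {pkts:6d} packets from {srcs} source(s)")
```

Run against the live syslog of each backbone router that carries the ACL, the same tally points at the interfaces (and upstream peers) where the inbound filter should go, so the blackhole toward the customer can then be lifted.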

