[70669] in North American Network Operators' Group
Re: handling ddos attacks
daemon@ATHENA.MIT.EDU (Hank Nussbacher)
Fri May 21 00:41:17 2004
Date: Fri, 21 May 2004 07:39:20 +0200
To: "Wayne E. Bouchard" <web@typo.org>
From: Hank Nussbacher <hank@mail.iucc.ac.il>
Cc: nanog@merit.edu
In-Reply-To: <20040520190023.GA79495@typo.org>
Errors-To: owner-nanog-outgoing@merit.edu

At 12:00 PM 20-05-04 -0700, Wayne E. Bouchard wrote:
>I too would be interested if someone could point a good white paper
>for cisco DDOS protection mechanisms and best practices in general.

For Cisco specific ideas try:
http://www.ripe.net/ripe/meetings/archive/ripe-41/tutorials/eof-ddos.pdf
specifically slides 86-92 and 105-127.

-Hank

>On Thu, May 20, 2004 at 11:52:01AM -0700, Mark Kent wrote:
> >
> > I've been trying to find out what the current BCP is for handling ddos
> > attacks. Mostly what I find is material about how to be a good
> > net.citizen (we already are), how to tune a kernel to better withstand
> > a syn flood, router stuff you can do to protect hosts behind it, how
> > to track the attack back to the source, how to determine the nature of
> > the traffic, etc.
> >
> > But I don't care about most of that. I care that a gazillion
> > pps are crushing our border routers (7206/npe-g1).
> >
> > Other than getting bigger routers, is it still the case that the best
> > we can do is identify the target IP (with netflow, for example) and
> > have upstreams blackhole it?
> >
> > Thanks,
> > -mark
>
>---
>Wayne Bouchard
>web@typo.org
>Network Dude
>http://www.typo.org/~web/