Effective ways to deal with DDoS attacks?
Hank Nussbacher
hank at att.net.il
Thu May 2 09:03:14 UTC 2002
At 09:58 PM 01-05-02 -0400, Wojtek Zlobicki wrote:
The ultimate goal of the DDOS attack is to take a specific user/site
down. Blackholing is a way to help the attacker along. If the user is a
small site, we say "screw it" and do the null0 in order to save the ISP
backbone links. If the user is large (think eBay or any other major
e-commerce site), you wouldn't easily blackhole them in order to save the
rest of your network. You would try to find a better solution.
Hank
Consultant
Riverhead Networks (formerly Wanwall Networks)
www.riverhead.com
> > Then you are pushing out /32's and peers would need to accept them. Then
> > someone will want to blackhole /30's, /29's, etc. Route bloat. Yum!
>
>I am in no way proposing discounting current filtering rules. There are
>always two different interests one must consider, one that of the customer
>and two that of the service provider. If a large block must be filtered so
>be it.
>
>Where are providers drawing the line? Anyone have somewhat detailed
>published policies as to what a provider can do in order to protect their
>network as a whole?
>At what point (strength of the attack) does a customer's netblock (assuming
>a /24 for example) get null routed by whichever party?
>
> > Anyways, some providers already allow you to set a community on a route,
> > and they will in turn "blackhole" it for you. I believe Teleglobe does
> > this for some customers and I know UUNet does this for all customers.
>
>When the attack is distributed, having one or two providers (even if they
>are UUNET or Teleglobe) is just not enough. Must private routing policy be
>developed in order to make my suggestion work? The reason that so many
>methods likely fail is the difficulty of implementation and low
>implementation.