Proactive steps to prevent DDOS?
Adam Rothschild
asr at latency.net
Sat Jan 27 04:06:06 UTC 2001
On Fri, Jan 26, 2001 at 03:35:50PM -0800, Sean Donelan wrote:
> Is there some magic command I can put into my router to help protect
> my network from a DDOS [...]
Closest command I've found is "no ip routing" in IOS, or "delete
family inet [...]" in JunOS.
That aside, there's something very basic that few people seem to
realize -- if you have no route to a destination, you can't initiate a
DDoS attack against it.
What's to prevent high-visibility shell/IRC/web/etc servers (read:
DDoS targets) from announcing their netblocks to their upstreams, and
then withdrawing these announcements -- either manually, or
automagically, using scripts monitoring rate limiting and pkt/sec
thresholds, amongst other things -- when under attack? Sure, that
would result in temporary loss of connectivity to said host, but
sometimes, that's the quickest way to stop a large attack.
This doesn't need to be a costly endeavor. Zebra is perfectly stable
when receiving no routes, and announcing a couple of networks at the
most. You'll find that lots of folks who have legacy class C (or B
even!) and AS number assignments they're not currently using, dating
back to before the ARIN charged for such things, are more than willing
to transfer/lend them to you when you ask politely. Don't believe me?
Try it sometime.
-adam
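One way to script the withdraw-on-threshold idea Adam describes, as an added example that is not part of the original thread or of Zebra itself: it assumes Linux-style /proc/net/dev counters for the inbound interface and Zebra/Quagga-style bgpd vty commands, uses placeholder AS 64512 and prefix 192.0.2.0/24, and only generates the command sequence (with hysteresis so the route does not flap) rather than delivering it to the daemon.

```python
"""Withdraw a BGP announcement when the inbound packet rate crosses a threshold.

Added example, not code from the original post. Assumes a Linux-style
/proc/net/dev counter line for the interface and a Zebra/Quagga-style bgpd
vty; AS 64512 and 192.0.2.0/24 are placeholders. Commands are returned as
text so the caller decides how to deliver them (e.g. over the bgpd vty).
"""
from dataclasses import dataclass

WITHDRAW_PPS = 50_000   # at or above this inbound pps: pull the announcement
RESTORE_PPS = 5_000     # below this for COOLDOWN consecutive samples: re-announce
COOLDOWN = 3            # samples of quiet required before restoring


def parse_rx_packets(proc_net_dev_line: str) -> int:
    """Return the receive-packet counter from one /proc/net/dev line."""
    _iface, counters = proc_net_dev_line.split(":", 1)
    return int(counters.split()[1])   # rx fields: bytes packets errs drop ...


def pps(prev_line: str, cur_line: str, interval_s: float) -> float:
    """Inbound packets per second between two samples taken interval_s apart."""
    return (parse_rx_packets(cur_line) - parse_rx_packets(prev_line)) / interval_s


def bgp_commands(asn: int, prefix: str, announce: bool) -> list[str]:
    """vty command sequence that (re)announces or withdraws one prefix."""
    verb = "network" if announce else "no network"
    return ["configure terminal", f"router bgp {asn}", f"{verb} {prefix}", "end"]


@dataclass
class Guard:
    asn: int
    prefix: str
    announced: bool = True
    quiet_samples: int = 0

    def step(self, rate: float) -> list[str]:
        """Feed one pps sample; return the commands to send (empty if none)."""
        if self.announced and rate >= WITHDRAW_PPS:
            self.announced, self.quiet_samples = False, 0
            return bgp_commands(self.asn, self.prefix, announce=False)
        if not self.announced:
            # Hysteresis: a single quiet sample is not enough to re-announce.
            self.quiet_samples = self.quiet_samples + 1 if rate < RESTORE_PPS else 0
            if self.quiet_samples >= COOLDOWN:
                self.announced = True
                return bgp_commands(self.asn, self.prefix, announce=True)
        return []
```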