Proactive steps to prevent DDOS?

Jeff Ogden jogden at merit.edu
Sat Jan 27 17:52:25 UTC 2001


>At 4:15 PM -0800 1/26/01, Sean Donelan wrote:
>Fine, does this work better for you?
>
>Help me, what proactive steps can I take to protect my network from a DDOS?

There isn't a lot that can be done, but there are a few steps you can 
take to "get ready" for a DDOS attack.

   --Make sure you have monitoring of your routers or firewalls in place
     so you'll get an early alert of a possible DOS attack. This will at
     least allow you to start working on the problem (and drafting
     press releases :-).
 
   --Talk to all of your up stream providers so you know how to contact and
     work with them if they are a source of a DOS attack against you. If your
     up stream provider isn't willing to work with you on this, start the
     process of getting a new up stream provider.

   --Look into the systems that are being developed and starting to become
     available that help automate the work to diagnose DDOS attacks.
     Encourage your up streams to do the same.

   --Make sure you have in place the filtering on your own networks that you
     wish everyone else had in place on their networks.  This won't protect
     you from being attacked, but it will prevent you and your users from
     attacking others (or at least using spoofed IP addresses to do so), and
     that in turn may prevent you from being the target of a retaliatory DOS
     attack. It can also prevent or limit the spread of a DOS attack that
     originates within your network or from someone down stream. From your
     customer's point of view there may not be much difference between
     you being the source of or the target of a DOS attack--either way
     performance is likely to be poor and customers are likely to be unhappy.

   -Jeff Ogden
    Merit





More information about the NANOG mailing list