Proactive steps to prevent DDOS?

Sean Capshaw scapshaw at yahoo.com
Mon Jan 29 16:16:27 UTC 2001


Sean,

What you can do is enforce policy on your AS
boundaries which:

- rate limits ICMP
- counts ICMP to detect floods; a monitoring script on
your NMS can determine when the ICMP threshold has
been exceeded and then determine the source and dest
of the bulk of that ICMP traffic, then change your
filters to discard ICMP to the host under attack while
in parallel notifying the NOC of the source or
intermediary involved
- For SYN floods - there may be no way to stop them
but early warning can be achieved by counting both TCP
SYN and total TCP and when the ratio of TCP SYN to TCP
exceeds your threshold you can notify the NOC of the
incoming intfc.

When you understand the characteristics of the attacks
or probes you are trying to stop, there are some
powerful filtering and counting techniques which can
be left in place at your edges and used in conjunction
with monitoring scripts.

Thanks
Sean
--- Sean Donelan <sean at donelan.com> wrote:
> 
> Ok, Yahoo, Ebay, Amazon and Microsoft have all made
> essentially the
> same statement after being hit by a DDOS:  "taken
> steps to
> improve protection of their networks from this type
> of attack."
> 
> My question is What are these steps, and why can't
> people take them
> before they experience a DDOS?
> 
> Is there some magic command I can put into my router
> to help protect
> my network from a DDOS, or is this just PR fluff to
> make it look like
> the corporation is doing something.  But in reality
> there is nothing
> you can do, but wait for the attacker to get bored
> and stop on their
> own.
> 
> 
> 
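The counting logic described in the reply (per-destination ICMP counts with a threshold, top sources behind the flood, and the ratio of TCP SYN to total TCP per ingress interface) as an added, self-contained example. This is not code from the post or from NANOG; the packet record layout, interface names, RFC 5737 addresses, the thresholds and the filter-line format are all constructed assumptions standing in for whatever the NMS actually exports.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """One packet summary as an edge counter/NMS export might provide it (assumed layout)."""
    intf: str            # ingress interface at the AS boundary
    proto: str           # "icmp", "tcp", "udp"
    src: str
    dst: str
    syn_only: bool = False  # TCP with SYN set and ACK clear (a bare connection attempt)


def icmp_flood_check(packets, threshold):
    """Return one alert per destination whose ICMP count in this interval exceeds threshold.

    Each alert carries the victim, the ICMP packet count and the top three sources,
    which is what the reply says to hand to the NOC and to use when adjusting filters.
    """
    per_dst = Counter(p.dst for p in packets if p.proto == "icmp")
    alerts = []
    for dst, n in per_dst.items():
        if n > threshold:
            srcs = Counter(p.src for p in packets if p.proto == "icmp" and p.dst == dst)
            alerts.append({"dst": dst, "icmp_packets": n, "top_sources": srcs.most_common(3)})
    return alerts


def icmp_discard_filter(dst):
    """Filter line to discard ICMP toward the host under attack (illustrative syntax, not a real ACL)."""
    return f"deny icmp any host {dst}"


def syn_ratio_check(packets, ratio_threshold):
    """Early warning for SYN floods: per interface, flag when bare SYNs / all TCP exceeds the ratio.

    Counting both numbers (rather than SYNs alone) keeps a busy but healthy link from alerting.
    """
    tcp_total, syn_total = Counter(), Counter()
    for p in packets:
        if p.proto == "tcp":
            tcp_total[p.intf] += 1
            if p.syn_only:
                syn_total[p.intf] += 1
    alerts = []
    for intf, total in tcp_total.items():
        ratio = syn_total[intf] / total
        if ratio > ratio_threshold:
            alerts.append({"intf": intf, "syn": syn_total[intf], "tcp": total, "ratio": round(ratio, 2)})
    return alerts


def _build_sample():
    """Constructed interval of traffic: an ICMP flood and a SYN flood on ge-0/0/1, normal traffic on ge-0/0/2."""
    pkts = []
    for i in range(120):  # 120 ICMP packets from three sources at one host
        src = ["203.0.113.5", "203.0.113.6", "198.51.100.9"][i % 3]
        pkts.append(Packet("ge-0/0/1", "icmp", src, "192.0.2.10"))
    for _ in range(5):  # a handful of ordinary pings elsewhere
        pkts.append(Packet("ge-0/0/1", "icmp", "198.51.100.20", "192.0.2.20"))
    for i in range(40):  # 40 bare SYNs from many sources ...
        pkts.append(Packet("ge-0/0/1", "tcp", f"203.0.113.{100 + i}", "192.0.2.10", syn_only=True))
    for _ in range(10):  # ... against only 10 packets of established traffic
        pkts.append(Packet("ge-0/0/1", "tcp", "198.51.100.30", "192.0.2.10"))
    for i in range(100):  # healthy link: 5 SYNs among 100 TCP packets
        pkts.append(Packet("ge-0/0/2", "tcp", "198.51.100.40", "192.0.2.30", syn_only=(i < 5)))
    return pkts


SAMPLE_PACKETS = _build_sample()
ICMP_THRESHOLD = 100   # packets per interval, assumed
SYN_RATIO_THRESHOLD = 0.5  # fraction of TCP that is bare SYN, assumed


def run_checks(packets):
    """What the monitoring script would push to the NOC for one interval."""
    notices = []
    for a in icmp_flood_check(packets, ICMP_THRESHOLD):
        notices.append(f"ICMP flood: {a['icmp_packets']} pkts to {a['dst']}, "
                       f"top sources {a['top_sources']}; apply: {icmp_discard_filter(a['dst'])}")
    for a in syn_ratio_check(packets, SYN_RATIO_THRESHOLD):
        notices.append(f"SYN ratio {a['ratio']} ({a['syn']}/{a['tcp']}) on {a['intf']} exceeds threshold")
    return notices


if __name__ == "__main__":
    for line in run_checks(SAMPLE_PACKETS):
        print(line)
```

The thresholds are the tuning knobs: ICMP_THRESHOLD should sit well above the link's normal ICMP baseline, and the SYN ratio should be measured over a window long enough that short bursts of legitimate new connections do not trip it.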

More information about the NANOG mailing list