Advanced Countermeasures to prevent a Ddos

Basil Kruglov basil at
Fri Jul 20 05:22:13 UTC 2001

On Fri, Jul 20, 2001 at 07:22:28AM +0200, Hank Nussbacher wrote:
> It all hinges on your upstream ISPs.  The things to ask for are:
> - SYN and ICMP rate limiting:  If you buy a T3 from your upstream, you 
> should ask that they place on *their* peering routers and on the router 
> facing you, Cisco rate limits of about 512kb/sec of ICMP and about 
> 128kb/sec of SYNs.  Pay extra if need be.

512Kbps for ICMP? I'd go for 128Kbps if not less.

TCP/SYN - 128Kbps ? ;) 128Kbps is way too easy... do it per hot box/ip.
It will take just one or two modems to take you down, as an example 
someone portscanning your network.

Ask for hot [potential] targets only: ircd, shell systems, router interfaces.
Do it per box, plus same rules for all of your router interfaces heading the
big bad 'Net. Just make sure you have a proper deny ACL not to rate-limit BGP
traffic during life attack.

Before placing something permanent you need to adjust and play with this.

> - anti-spoofing: require your upstream ISPs to implement full anti-spoofing 
> for incoming packets.  That includes RFC1918, unassigned IANA blocks and 
> (as a minimum) IP anti-spoofing on all single-homed customer links (Cisco 
> ip verify unicast reverse-path)

Sounds good. check 'ip verify unicast source reachable-via any' as well
new uRPF works if you're multihomed too.

> - BGP community: Your upstream should allow you to announce a BGP community 
> for any sub-prefix in your IP block (meaning he has to not be strict in the 
> length of the prefix you announce to him since it can change dynamically) 
> that will me ROUTENULL, which means they eat the packets for you.

Sounds good.. too good to be true. Any Tier1 or "Tier1.5" does this? ;)

> Find 2 upstreams who will agree to the above 3 items and you are 99% safe 
> from dDoS.

And I can still take you down with

1. tcp fin
2. tcp psh
3. tcp rst
4. tcp ack
5. tcp urg
6. tcp frags
7. udp
8. ip frags

I don't know but somewhy I doubt you'll find an upstream to do ~10 rate-limits
per your hot stuff and another ~10 for router interfaces. If you do manage to
get this setup from upstream you'll be somewhat "99% safe from dDoS". Kids
can and most likely will find a hole to take you down, just takes time.


More information about the NANOG mailing list