Advanced Countermeasures to prevent a Ddos
basil at cifnet.com
Fri Jul 20 05:22:13 UTC 2001
On Fri, Jul 20, 2001 at 07:22:28AM +0200, Hank Nussbacher wrote:
> It all hinges on your upstream ISPs. The things to ask for are:
> - SYN and ICMP rate limiting: If you buy a T3 from your upstream, you
> should ask that they place on *their* peering routers and on the router
> facing you, Cisco rate limits of about 512kb/sec of ICMP and about
> 128kb/sec of SYNs. Pay extra if need be.
512Kbps for ICMP? I'd go for 128Kbps if not less.
TCP/SYN - 128Kbps ? ;) 128Kbps is way too easy... do it per hot box/ip.
It will take just one or two modems to take you down, as an example
someone portscanning your network.
Ask for hot [potential] targets only: ircd, shell systems, router interfaces.
Do it per box, plus same rules for all of your router interfaces heading the
big bad 'Net. Just make sure you have a proper deny ACL not to rate-limit BGP
traffic during life attack.
Before placing something permanent you need to adjust and play with this.
> - anti-spoofing: require your upstream ISPs to implement full anti-spoofing
> for incoming packets. That includes RFC1918, unassigned IANA blocks and
> (as a minimum) IP anti-spoofing on all single-homed customer links (Cisco
> ip verify unicast reverse-path)
Sounds good. check 'ip verify unicast source reachable-via any' as well
new uRPF works if you're multihomed too.
> - BGP community: Your upstream should allow you to announce a BGP community
> for any sub-prefix in your IP block (meaning he has to not be strict in the
> length of the prefix you announce to him since it can change dynamically)
> that will me ROUTENULL, which means they eat the packets for you.
Sounds good.. too good to be true. Any Tier1 or "Tier1.5" does this? ;)
> Find 2 upstreams who will agree to the above 3 items and you are 99% safe
> from dDoS.
And I can still take you down with
1. tcp fin
2. tcp psh
3. tcp rst
4. tcp ack
5. tcp urg
6. tcp frags
8. ip frags
I don't know but somewhy I doubt you'll find an upstream to do ~10 rate-limits
per your hot stuff and another ~10 for router interfaces. If you do manage to
get this setup from upstream you'll be somewhat "99% safe from dDoS". Kids
can and most likely will find a hole to take you down, just takes time.
More information about the NANOG