Advanced Countermeasures to prevent a Ddos

Hank Nussbacher hank at
Fri Jul 20 06:27:25 UTC 2001

At 00:22 20/07/01 -0500, Basil Kruglov wrote:

>On Fri, Jul 20, 2001 at 07:22:28AM +0200, Hank Nussbacher wrote:
> > It all hinges on your upstream ISPs.  The things to ask for are:
> >
> > - SYN and ICMP rate limiting:  If you buy a T3 from your upstream, you
> > should ask that they place on *their* peering routers and on the router
> > facing you, Cisco rate limits of about 512kb/sec of ICMP and about
> > 128kb/sec of SYNs.  Pay extra if need be.
>512Kbps for ICMP? I'd go for 128Kbps if not less.

YMMV.  It all depends on how big a pipe you use.  The numbers are examples 
and each site would have to determine what number works best for them.

>TCP/SYN - 128Kbps ? ;) 128Kbps is way too easy... do it per hot box/ip.
>It will take just one or two modems to take you down, as an example
>someone portscanning your network.
>Ask for hot [potential] targets only: ircd, shell systems, router interfaces.
>Do it per box, plus same rules for all of your router interfaces heading the
>big bad 'Net. Just make sure you have a proper deny ACL not to rate-limit BGP
>traffic during a live attack.
>Before placing something permanent you need to adjust and play with this.
> > - anti-spoofing: require your upstream ISPs to implement full anti-spoofing
> > for incoming packets.  That includes RFC1918, unassigned IANA blocks and
> > (as a minimum) IP anti-spoofing on all single-homed customer links (Cisco
> > ip verify unicast reverse-path)
>Sounds good. check 'ip verify unicast source reachable-via any' as well
>new uRPF works if you're multihomed too.
> > - BGP community: Your upstream should allow you to announce a BGP community
> > for any sub-prefix in your IP block (meaning he has to not be strict in the
> > length of the prefix you announce to him since it can change dynamically)
> > that will mean ROUTENULL, which means they eat the packets for you.
>Sounds good... too good to be true. Any Tier1 or "Tier1.5" does this? ;)
> > Find 2 upstreams who will agree to the above 3 items and you are 99% safe
> > from dDoS.
>And I can still take you down with
>1. tcp fin
>2. tcp psh
>3. tcp rst
>4. tcp ack
>5. tcp urg
>6. tcp frags
>7. udp
>8. ip frags
>I don't know but somehow I doubt you'll find an upstream to do ~10 rate-limits
>per your hot stuff and another ~10 for router interfaces. If you do manage to
>get this setup from upstream you'll be somewhat "99% safe from dDoS". Kids

I would be happy with even 90%.  Life is never 100% - just a continuing 
stream of compromises.


>can and most likely will find a hole to take you down, just takes time.
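As an added illustration that is not part of the thread, this is roughly what the three requests (plus Basil's BGP exemption and loose-uRPF points) look like in Cisco IOS on the upstream's customer-facing router. The rates are the thread's illustrative numbers; the ASNs, null next-hop, community value and prefix are documentation placeholders to be substituted locally.

```cisco
! Added example (not from the thread): the three requests in Cisco IOS on
! the upstream's router facing the customer. 512000/128000 are the thread's
! illustrative rates; 64496/64497, 64496:666, 192.0.2.1 and 203.0.113.0/24
! are documentation placeholders to substitute locally.
!
! --- 1. ICMP and SYN rate limits (CAR) on the customer-facing link ---
access-list 102 permit icmp any any
! SYN list: BGP is excluded first (deny = not policed), then
! "deny established" leaves only packets without ACK/RST, i.e. SYNs.
access-list 103 deny   tcp any any eq bgp
access-list 103 deny   tcp any eq bgp any
access-list 103 deny   tcp any any established
access-list 103 permit tcp any any
!
! --- 2. Anti-spoofing on traffic arriving from the customer ---
! RFC1918 sources dropped; add unassigned IANA blocks to this list locally.
ip access-list extended NO-SPOOF
 deny   ip 10.0.0.0 0.255.255.255 any
 deny   ip 172.16.0.0 0.15.255.255 any
 deny   ip 192.168.0.0 0.0.255.255 any
 permit ip any any
!
interface Serial1/0
 ip access-group NO-SPOOF in
 ! strict uRPF for a single-homed customer; a multihomed customer gets
 ! "ip verify unicast source reachable-via any" (loose mode) instead
 ip verify unicast reverse-path
 rate-limit output access-group 102 512000 8000 8000 conform-action transmit exceed-action drop
 rate-limit output access-group 103 128000 8000 8000 conform-action transmit exceed-action drop
!
! --- 3. Customer-triggered blackhole ("ROUTENULL") via BGP community ---
ip bgp-community new-format
ip route 192.0.2.1 255.255.255.255 Null0
ip community-list 1 permit 64496:666
! Accept any length inside the customer's block, so /32s can be added on the fly;
! the prefix-list also keeps the customer from blackholing someone else's space.
ip prefix-list CUSTOMER-PFX permit 203.0.113.0/24 le 32
!
route-map CUSTOMER-IN permit 10
 match ip address prefix-list CUSTOMER-PFX
 match community 1
 set ip next-hop 192.0.2.1
 set community no-export
route-map CUSTOMER-IN permit 20
 match ip address prefix-list CUSTOMER-PFX
!
router bgp 64496
 neighbor 203.0.113.1 remote-as 64497
 neighbor 203.0.113.1 route-map CUSTOMER-IN in
 neighbor 203.0.113.1 send-community
```

The tagged route is carried through the upstream's own AS by iBGP but never re-advertised outside it (no-export), so the customer can add and withdraw /32s under attack without the upstream touching its config.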

More information about the NANOG mailing list