DDoS SYN attack

Christopher L. Morrow chris at UU.NET
Mon Dec 30 15:30:43 UTC 2002

On 30 Dec 2002, Mike Hyde wrote:

> Just wondering how people have dealt with DDoS SYN attacks on port 80 of
> a customer's server?  We had an attack a couple of days ago, and it

1) acl the traffic (Stop immediate pain)
2) blackhole ip in question
3) track via: http://www.secsup.org/Tracking/ to ingress points on your
4) acl traffic inbound there
5) remove blackhole and acl toward customer

Finish in ~10 mins... customer is back online and happy.

> overwhelmed both the customer's firewall and, when we tried to turn up
> filtering on a 7600 Cisco router, the router also.  We ended up having
> the customer change his IP for the site under attack.  We were lucky in
> that the attack was against an IP and not the DNS name.
This is also a very viable solution, provided the customer has provisioned
for this with lower TTLs on their DNS records, which a lot of people
(thankfully) don't do... also, sometimes customers don't know how to do
this, eh? :(
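Added example, not part of the original post: a small checker for the "provisioned with lower TTLs" point above. It reads a BIND-style zone file (the sample zone, the example.net names and the 10-minute threshold are constructed assumptions) and lists the address records whose TTL is too high for the site to be moved to a new IP quickly.

```python
# Added example (not from the original post): flag A/AAAA records whose
# effective TTL would keep the old address cached longer than an operator
# can wait when moving an attacked site to a new IP.
# Assumption: every record line starts with its owner name (no blank-owner
# continuation records); the $TTL default and per-record TTLs are honoured.
import re
from typing import Dict, List, Tuple

# Constructed sample zone; 192.0.2.0/24 and 2001:db8::/32 are documentation space.
SAMPLE_ZONE = """\
$TTL 86400
@       IN  SOA  ns1.example.net. hostmaster.example.net. (
                 2002123001 3600 900 604800 300 )
@       IN  NS   ns1.example.net.
www     IN  A    192.0.2.10
www2    300 IN  A    192.0.2.11
api     1h  IN  AAAA 2001:db8::10
mail    IN  A    192.0.2.20
"""

_UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}


def parse_ttl(text: str) -> int:
    """Parse a BIND TTL such as '300', '1h' or '1d12h' into seconds."""
    if text.isdigit():
        return int(text)
    return sum(int(n) * _UNITS[u] for n, u in re.findall(r"(\d+)([smhdw])", text.lower()))


def address_ttls(zone_text: str) -> Dict[str, int]:
    """Return {owner: effective TTL in seconds} for every A/AAAA record."""
    default_ttl = 0
    ttls: Dict[str, int] = {}
    for raw in zone_text.splitlines():
        fields = raw.split(";", 1)[0].split()  # drop comments, tokenize
        if not fields:
            continue
        if fields[0] == "$TTL":
            default_ttl = parse_ttl(fields[1])
            continue
        idx = next((i for i, f in enumerate(fields) if f in ("A", "AAAA")), None)
        if idx is None:  # SOA, NS, continuation lines: no address here
            continue
        ttl = default_ttl
        for f in fields[1:idx]:  # optional per-record TTL sits before the type
            if f.upper() != "IN":
                ttl = parse_ttl(f)
        ttls[fields[0]] = ttl
    return ttls


def slow_to_move(zone_text: str, max_ttl: int = 600) -> List[Tuple[str, int]]:
    """Names whose cached address outlives max_ttl: the site cannot be re-IPed in that window."""
    return sorted((n, t) for n, t in address_ttls(zone_text).items() if t > max_ttl)


if __name__ == "__main__":
    for name, ttl in slow_to_move(SAMPLE_ZONE):
        print(f"{name}: TTL {ttl}s exceeds 600s, lower it before you need to move the IP")
```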

