Growing DoS attacks

Barb Dijker barb at
Thu Jan 17 21:34:07 UTC 2002

At 06:51 PM 1/16/02 -0500, Jared Mauch wrote:
>         Something that people may want to consider doing is
>that assuming you are using hardware/software that can support
>rate-limit of specific packet types/rates, you could
>generate some rate-limits to limit specific types of traffic
>to various ranges.

Most dDoS we see are udp floods with tiny packets, if not
all that have any noticeable effects.  In fact we haven't
seen a single one that wasn't packets <70bytes, so we monitor
average packet size as a DoS alert.

Rate limiting might work to prevent your dDoS participants
from hurting your neighbors, but maybe not even that.
1.5Mb of syn, icmp, or udp from your net and 100 others
will bring many folks down including me.  Rate limiting does
nothing to protect your own net from the outside.

For example, if I rate limit an external T3,
that does no good if the T3 is being soaked from the
other end, that T3 is effectively down.  What it takes to soak
an external T3 would be noise to the folks from whom I get the T3
(or they shouldn't be selling me a T3).  Usually, "soaked" is
with pps and the total bandwidth in use drops dramatically.
So rate limiting at so-called "tier 1" is maybe going to help
folks at tier 2 and 3, but not at tier 1, and likewise down
the line.

We can encourage customers to keep patched.
We can offer to security scan them.  We can firewall them
(we firewall all our dsl residential and most dsl biz customers).
But we can't make them completely secure and thus harmless.
We can only pull the plug once they get hacked and start


More information about the NANOG mailing list