Effective ways to deal with DDoS attacks?

Avleen Vig lists-nanog at silverwraith.com
Thu May 2 00:49:40 UTC 2002


On Wed, 1 May 2002, Pete Kruckenberg wrote:

> A rather extensive survey of DDoS papers has not resulted in
> much on this topic.
>
> What processes and/or tools are large networks using to
> identify and limit the impact of DDoS attacks?

Hazaa.. something I know a little about.

DDoS attacks, by their very nature, are distributed.
The primary purpose of most DDoS attacks is to flood the target's upstream
connection to the point of saturation.

As time goes by, tools are being developed (in fact they're used now) that
completely randomize the TCP or UDP ports attacked, or use a variety of
icmp types in the attack.
So currently the only way you can 'block' such attacks is to block all
packets for the offending protocol as far upstream as you possibly can,
but this is not ideal.

If you're being attacked by a SYN flood, you can try to rate-limit the
flood at your border (possible on Cisco IOS 12.0 and higher, and probably
other routers too?)

If you're being smurfed, you can block ICMP Echo Replies inbound to the
target IP.

It all depends on the TYPE of attack.

Having said that, it's only a matter of time before somebody releases a
tool that saturates a line by spoofing the source, randomizing the
protocol, and ports, and maybe even attacking other hosts on the same
subnet, etc etc.

The only thing you can try and do is work with your upstream provider and
try to trace the source of the attacks back, but that's incredibly
difficult.

As a side note, does anyone know the status of the ICMP Traceback
proposal? The IETF draft expired yesterday:
http://www.ietf.org/internet-drafts/draft-ietf-itrace-01.txt
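An added illustration, not part of this post or the thread: a small Python classifier that applies the per-attack-type reasoning above (SYN flood, smurf, randomized-port flood) to constructed packet summaries and reports the mitigation the post suggests for each. The record format, thresholds and sample traffic are assumptions made for the example.

```python
from collections import Counter, defaultdict

# Constructed sample of per-packet summaries (not captured traffic).
# Each record is (src, dst, proto, detail): detail is the TCP flag string,
# the ICMP type, or the UDP destination port.
SAMPLE = (
    # many sources, SYN-only segments to one target: looks like a SYN flood
    [("10.0.%d.%d" % (i // 250, i % 250 + 1), "192.0.2.10", "tcp", "S") for i in range(300)]
    # many sources, ICMP echo reply (type 0) to one target: looks like smurf
    + [("198.51.100.%d" % (i % 250 + 1), "192.0.2.20", "icmp", 0) for i in range(200)]
    # many sources, UDP spread over random-looking ports: randomized-port flood
    + [("203.0.113.%d" % (i % 250 + 1), "192.0.2.30", "udp", 1024 + i * 7 % 60000) for i in range(250)]
    # ordinary established traffic from a single peer, should not be flagged
    + [("192.0.2.5", "192.0.2.40", "tcp", "A")] * 50
)

def classify(records, min_packets=100, min_sources=50):
    """Group packets by target and label the kind of flood each target sees.

    Returns {target: (label, mitigation)} using the three cases from the post;
    targets with too little traffic or too few senders are left out.
    """
    by_dst = defaultdict(list)
    for rec in records:
        by_dst[rec[1]].append(rec)
    result = {}
    for dst, recs in by_dst.items():
        if len(recs) < min_packets:
            continue
        proto, _ = Counter(r[2] for r in recs).most_common(1)[0]
        sources = {r[0] for r in recs if r[2] == proto}
        if len(sources) < min_sources:
            continue  # plenty of packets but few senders: not a distributed flood
        details = [r[3] for r in recs if r[2] == proto]
        if proto == "tcp" and details.count("S") / len(details) > 0.9:
            result[dst] = ("syn-flood", "rate-limit inbound SYN at the border")
        elif proto == "icmp" and details.count(0) / len(details) > 0.9:
            result[dst] = ("smurf", "block inbound ICMP echo reply to the target")
        elif proto == "udp" and len(set(details)) > 0.5 * len(details):
            # ports are nearly all distinct, so no port-level filter will help
            result[dst] = ("randomized-port-flood", "block udp to the target as far upstream as possible")
    return result

if __name__ == "__main__":
    for target, (label, action) in sorted(classify(SAMPLE).items()):
        print(target, label, "->", action)
```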
