Effective ways to deal with DDoS attacks?

Pete Kruckenberg pete at kruckenberg.com
Thu May 2 02:56:16 UTC 2002


On Wed, 1 May 2002 measl at mfn.org wrote:

> and then again, there has been much discussion on simple
> DoS attacks, where the term DDoS is erroneously used...  
> I am very much not trying to imply that this is the case
> here, but it's important that the two be thoroughly
> distinguished from each other - they are totally
> different things to deal with.

Sorry, I should have been more clear. 

My issue (currently) is not being the target of the DDoS
attack, but being an (unwilling) participant. People outside
our network are launching DDoS attacks (distributed SYN
floods) against destinations outside our network, using
about 8,000 Web server hosts on our network as reflectors.

These are not zombies. They are secured, uncompromised Web
servers. The attack spoofs the target address as the source,
and one of our machines as a destination, port 80. Getting
everyone to implement defenses (SYN cookies) on their Web
servers is nearly impossible (most don't even have a
defense--printers and routers with Web interfaces).

SYN packet comes in, one of these machines responds with a
RST to the "source", which is actually the target of the
attack. Unfortunately, the target is often a site that
people would like to get to, as is the reflector, so
permanent filters on the target or reflector create lots of
complaints.

> We captured several seconds of the last DDoS and came up
> with over 700 participating hosts...

Some of them probably appear to be from our network...

Pete.
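
One way an operator could spot the reflection pattern described in this message from inbound packet summaries, as an added example that is not part of the original post. The addresses, the record layout, the `INTERNAL` prefix and both thresholds are assumptions constructed for illustration.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample data (documentation address ranges), not from the post.
INTERNAL = ip_network("198.51.100.0/24")   # assumed: network hosting the reflectors

def sample_packets():
    """Constructed inbound packet summaries: (src, dst, dport, tcp_flags)."""
    pkts = []
    # Spoofed "source" 203.0.113.7 (really the target): bare SYNs spread
    # across many internal web servers, never followed by a handshake ACK.
    for host in range(1, 41):
        pkts.append(("203.0.113.7", f"198.51.100.{host}", 80, "S"))
    # Legitimate client: SYN then ACK to the same server (handshake completes).
    for host in (10, 11, 12):
        pkts.append(("192.0.2.50", f"198.51.100.{host}", 80, "S"))
        pkts.append(("192.0.2.50", f"198.51.100.{host}", 80, "A"))
    # Busy legitimate proxy: many destinations, but handshakes complete.
    for host in range(1, 31):
        pkts.append(("192.0.2.99", f"198.51.100.{host}", 80, "S"))
        pkts.append(("192.0.2.99", f"198.51.100.{host}", 80, "A"))
    return pkts

def find_reflection_victims(packets, min_fanout=20, max_completion=0.1):
    """Return {claimed_src: (fanout, completion_ratio)} for sources whose SYNs
    fan out across many internal port-80 hosts with almost no completed
    handshakes: the signature of a spoofed source, i.e. the real target."""
    syn_dsts = defaultdict(set)    # src -> internal hosts that got a bare SYN
    acked_dsts = defaultdict(set)  # src -> internal hosts that later saw an ACK
    for src, dst, dport, flags in packets:
        if dport != 80 or ip_address(dst) not in INTERNAL:
            continue
        if flags == "S":
            syn_dsts[src].add(dst)
        elif "A" in flags and "S" not in flags:
            acked_dsts[src].add(dst)
    suspects = {}
    for src, dsts in syn_dsts.items():
        completion = len(dsts & acked_dsts[src]) / len(dsts)
        if len(dsts) >= min_fanout and completion <= max_completion:
            suspects[src] = (len(dsts), completion)
    return suspects

if __name__ == "__main__":
    for src, (fanout, ratio) in find_reflection_victims(sample_packets()).items():
        print(f"{src}: SYNs to {fanout} internal hosts, {ratio:.0%} handshakes completed")
```

Flagged addresses are candidates for a short-lived rate limit at the border rather than a permanent filter, since the claimed source is a site users still want to reach.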




