Effective ways to deal with DDoS attacks?
Christopher L. Morrow
chris at UU.NET
Thu May 2 04:33:13 UTC 2002
On Wed, 1 May 2002 measl at mfn.org wrote:
> True DDoS attacks, fortunately, are rarer than most people believe. If they
> were not, the Internet as we know it would look a lot more like a telephone
> system in USSR-at-its-worst-days. For example, of the two recent DDoS's I
> have been on the receiving end of, the first was generating a little over
> 300mbit/sec (steady for a prolonged time), and the second went over that by a
> fair bit. In both cases, we had core equipment (M20's and BSN5000's) fall
> over and die trying to "work" the events. Additionally, our upstream peers
Your M20 tipped over?? What were you doing? We regularly stop large
(+100Mb->800Mb) attacks with less horsepower than this. Truthfully, a
Cisco is even capable of filtering (done right) at +200kpps...
> also had core equipment fall over, and we all came to the [now obvious]
> conclusion that the only way to stop these attacks was to completely null
> route ourselves at our upstreams (they tried filter-fishing for specific data
> which may have helped our investigation, but when their routers started
> wheezing, we gave them the OK to just send us straight into the bit bucket
> till it was over...)
>
Hmm, this highlights the need to learn how to use the equipment, learn its
boundaries and learn defenses inside these boundaries...
-Chris