Effective ways to deal with DDoS attacks?

• Previous message (by thread): Effective ways to deal with DDoS attacks?
• Next message (by thread): Effective ways to deal with DDoS attacks?
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Wed, 1 May 2002, Pete Kruckenberg wrote:

>
> On Wed, 1 May 2002, Richard A Steenbergen wrote:
>
> > "DDoS attacks" is such a generic term. There are a wide
> > variety of attacks which each need to be handled in
> > their own way, the extra "D" is just one possible twist.
> > Can you explain what kind of attack you're interested
> > in?
>
> We experience a lot of types of attacks ("education/research
> network"  = "easy hacker target"). With DDoS incidents, it
> seems we are more often an unknowing/unwilling participant
> than the target, partly due to owning big chunks of IP
> address space.
>
> We most frequently are the zombie/reflector participants in
> an attack that originates outside our network, to a target
> outside our network. As many as 8,000 hosts on our network
> are reflecting SYN floods in the current attacks.

Sounds like its time for a firewall on your network :)

>
> Identification doesn't seem to be a problem. Snort is doing
> far too well notifying us. Responding and managing all of
> the defenses is becoming a lot of pain-staking work, and
> error-prone (why can't Cisco make ACLs easier to manage).
>

they aren't tough to 'manage' they are sometimes tough to live with though
:(

> Our approach so far has been temporary blocks (via ACL) of
> the target address. Blocking 8,000 internal addresses, many
> legitimate (secured) Web servers, generates more complaints.
>
> I'm thinking about a scripted Zebra feed where route
> injections are triggered by Snort. Routes for the target
> and/or SYN flood reflector hosts could be injected
> temporarily during the attack to border routers, which would
> route-map those routes to Null0. Script periodically
> withdraws routes to see if the attack is over (some of these
> last weeks, some only last a few seconds), to minimize the
> impact on those otherwise legitimate hosts.
>

This is a nice idea, anything 'scripted' is prone to abuse though ;( all
of a sudden www.your.edu is dead.. on class registration day no less.

> Has anyone tried this kind of an approach or any other type
> of automated/efficient approach to dampen the "zombie" side
> of the DDoS attack?
>

• Previous message (by thread): Effective ways to deal with DDoS attacks?
• Next message (by thread): Effective ways to deal with DDoS attacks?
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]