Effective ways to deal with DDoS attacks?

Hank Nussbacher hank at att.net.il
Thu May 2 09:03:14 UTC 2002


At 09:58 PM 01-05-02 -0400, Wojtek Zlobicki wrote:

The ultimate goal of the DDOS attack is to take a specific user/site 
down.  Blackholing is a way to help the attacker along.  If the user is a 
small site, we say "screw it" and do the null0 in order to save the ISP 
backbone links.  If the user is large (think eBay or any other major 
e-commerce site), you wouldn't easily blackhole them in order to save the 
rest of your network.  You would try to find a better solution.

Hank
Consultant
Riverhead Networks (formerly Wanwall Networks)
www.riverhead.com


> > Then you are pushing out /32's and peers would need to accept them.  Then
> > someone will want to blackhole /30's, /29's, etc.  Route bloat.  Yum!
>
>I am in no way proposing discounting current filtering rules.  There are
>always two different interests one must consider, one that of the customer
>and two that of the service provider.  If a large block must be filtered
>so be it.
>
>Where are providers drawing the line?  Anyone have somewhat detailed
>published policies as to what a provider can do in order to protect their
>network as a whole?
>At what point (strength of the attack) does a customer's netblock (assuming
>a /24 for example) get null routed by whichever party?
>
> > Anyways, some providers already allow you to set a community on a route,
> > and they will in turn "blackhole" it for you.  I believe Teleglobe does
> > this for some customers and I know UUNet does this for all customers.
>
>When the attack is distributed, having one or two providers (even if they
>are UUNET or Teleglobe) is just not enough.  Must private routing policy be
>developed in order to make my suggestion work?  The reason that so many
>methods likely fail are the difficulty of implementation and low
>implementation.
