Effective ways to deal with DDoS attacks?

Scott Francis darkuncle at darkuncle.net
Thu May 2 08:37:07 UTC 2002


On Wed, May 01, 2002 at 05:18:24PM -0600, pete at kruckenberg.com said:
[snip]
> A rather extensive survey of DDoS papers has not resulted in
> much on this topic.
> 
> What processes and/or tools are large networks using to
> identify and limit the impact of DDoS attacks?

It seems to me that the real issue in defending against an attack of this
type is differentiating between legitimate traffic and zombie traffic. This
seems to be self-evident, but on a distributed scale, how _would_ one tell
the difference between a host/netblock that's making a lot of requests to a
busy site (amazon.com, say) and a host/netblock that's sending a lot of
zombie requests, especially when both sets of requests are bound for the same
ports (80/443 in this case) on the same IP/set of IPs? The more D the DoS,
the more difficult it becomes to tell what's legit and what's not.

(Stating the obvious again, I know, but it helps me think. :) )

-- 
Scott Francis                   darkuncle@ [home:] d a r k u n c l e . n e t
Systems/Network Manager          sfrancis@ [work:]         t o n o s . c o m
GPG public key 0xCB33CCA7              illum oportet crescere me autem minui
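The difficulty described in the post, as an added example that is not part of the original message or of any tool named on the list: a naive per-source request-rate detector is run over two constructed traffic samples (the IP ranges, request counts and the threshold of 50 requests per window are all assumptions). Both samples carry the same legitimate load and the same total attack volume to the same port; only how widely the attack is spread changes, and that alone decides whether per-source counting sees anything.

```python
"""Per-source rate heuristic versus a distributed DoS.

Added example, not from the original NANOG post. Two constructed traffic
samples (labelled below, not real captures) go through the same naive
per-source threshold detector to show why it catches a handful of noisy
zombies but cannot separate a widely distributed attack from a busy
site's ordinary clients.
"""
from collections import Counter

# Assumed: more than this many requests from one source per window is "suspicious".
WINDOW_THRESHOLD = 50


def ip_from_index(prefix, i):
    """Map a small integer to an address inside a /16 so samples look like real IPs."""
    return "%s.%d.%d" % (prefix, (i // 256) % 256, i % 256)


def make_sample(legit_hosts, legit_rate, zombie_hosts, zombie_rate):
    """Constructed traffic: a list of (src_ip, is_zombie) request records.

    Legitimate clients are placed in 10.0.0.0/16 and zombies in 100.64.0.0/16
    purely as labels for scoring; the detector never looks at the is_zombie flag.
    """
    records = []
    for i in range(legit_hosts):
        records += [(ip_from_index("10.0", i), False)] * legit_rate
    for i in range(zombie_hosts):
        records += [(ip_from_index("100.64", i), True)] * zombie_rate
    return records


def flag_by_source_rate(records, threshold=WINDOW_THRESHOLD):
    """Naive detector: flag every source that sent more than `threshold`
    requests in the window. Returns the set of flagged source IPs."""
    counts = Counter(src for src, _ in records)
    return {src for src, n in counts.items() if n > threshold}


def evaluate(records, flagged):
    """Score a flagged set: share of attack requests it would drop, and the
    share of legitimate requests dropped along with them (collateral)."""
    attack_total = sum(1 for _, z in records if z)
    legit_total = len(records) - attack_total
    attack_dropped = sum(1 for src, z in records if z and src in flagged)
    legit_dropped = sum(1 for src, z in records if not z and src in flagged)
    return {
        "flagged_sources": len(flagged),
        "attack_dropped_pct": 100.0 * attack_dropped / attack_total,
        "legit_dropped_pct": 100.0 * legit_dropped / legit_total,
    }


def run_scenarios():
    """Same legitimate load (200 clients x 5 requests) and same attack volume
    (5000 requests) in both cases; only the degree of distribution differs."""
    concentrated = make_sample(200, 5, 10, 500)    # 10 zombies x 500 requests
    distributed = make_sample(200, 5, 2500, 2)     # 2500 zombies x 2 requests
    return {
        "concentrated": evaluate(concentrated, flag_by_source_rate(concentrated)),
        "distributed": evaluate(distributed, flag_by_source_rate(distributed)),
    }


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(name, result)
```

In the concentrated case every zombie sits far above the threshold and the legitimate clients are untouched; in the distributed case each zombie sends fewer requests than an ordinary visitor, so the same detector flags nothing while the server still absorbs the full 5000 extra requests. Lowering the threshold until the zombies are caught would also catch every real client, which is the point of the post: per-source volume stops being a usable signal once the attack is spread thinly enough.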