Effective ways to deal with DDoS attacks?

Richard A Steenbergen ras at e-gerbil.net
Thu May 2 16:09:39 UTC 2002


On Thu, May 02, 2002 at 01:42:03AM -0700, Alexei Roudnev wrote:
> 
> It's a common approach - NEVER refuse new requests for the resource; if
> there is not enough resource, drop some of the old users of the
> resource... In a lot of cases, it will prevent deadlock because you
> will be dropping the users who exhausted the resource more than _correct_
> users. It relates to the half connections, memory, etc etc...
>
> In case of _random_ IP addresses - ok, what happens if you (always) drop
> the FIRST packet from any new IP address? For the good SYN packet,
> you will receive a second request in a second; for a false one, you just
> filter out the DDOS itself. This is not universal, but for the simple DDOS
> it will work.

It all depends on *what* is being DoS'd. The application? The TCP listen
queue? The number of interrupts/sec that box can handle? The pipe on that
box? The switch? The router? The provider's router? The pipe between any of
the previous 3? Any of these are potentially valid targets.

Given a network which doesn't break, one can very easily expect a FreeBSD
-STABLE box on a p3 1GHz to survive at least 100kpps of SYN flood. Past
144kpps you clog FastE completely, and need to go to GigE. I've seen well
configured servers eating 250kpps of SYN floods while still providing
uninterrupted service, which is probably more than your router will be
able to handle unless it's a GSR or Juniper.

But if you are on a DS3, or even if you have an OC48 from a provider who
either doesn't want to or doesn't know how to protect their infrastructure
from attacks, all of that means absolutely NOTHING.

-- 
Richard A Steenbergen <ras at e-gerbil.net>       http://www.e-gerbil.net/ras
PGP Key ID: 0x138EA177  (67 29 D7 BC E8 18 3E DA  B2 46 B3 D8 14 36 FE B6)
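The "drop the first SYN from any new source and admit the retransmission" idea from the quoted message, as an added simulation that is not code from either poster. It models the filter as a first-seen table with a time window; the SYN arrival list and the TEST-NET addresses are constructed sample input, and the one-second retransmit spacing follows the quoted text, not a measured stack.

```python
from collections import OrderedDict


class FirstSynDropFilter:
    """Stateful first-SYN-drop filter (constructed model, not a real firewall).

    A source's first SYN is dropped and its address remembered.  A real TCP
    stack retransmits the SYN after its RTO, and that second SYN is admitted
    while the entry is still inside `window` seconds.  A spoofed flood with
    random sources never retransmits, so none of it gets through.  Caveats
    the quoted message already hints at: every legitimate client pays one
    extra RTO on connect, and a flood from a single real source passes after
    its first packet.
    """

    def __init__(self, window=3.0, max_entries=100_000):
        self.window = window
        self.max_entries = max_entries          # bound state so the table itself cannot be flooded
        self.seen = OrderedDict()               # src -> first-seen time, oldest first

    def _expire(self, now):
        while self.seen:
            _, ts = next(iter(self.seen.items()))
            if now - ts <= self.window:
                break
            self.seen.popitem(last=False)       # oldest entries leave first
        while len(self.seen) > self.max_entries:
            self.seen.popitem(last=False)

    def admit(self, src, now):
        """Return True if a SYN from `src` at time `now` should be passed."""
        self._expire(now)
        if src in self.seen:
            return True                         # second SYN inside the window
        self.seen[src] = now
        return False                            # first contact: drop, wait for retransmit


def simulate(packets, window=3.0):
    """Run (time, src) SYN arrivals through the filter; return (admitted, dropped_count)."""
    flt, admitted, dropped = FirstSynDropFilter(window), [], 0
    for t, src in sorted(packets):
        if flt.admit(src, t):
            admitted.append((t, src))
        else:
            dropped += 1
    return admitted, dropped


def build_sample():
    # Constructed: two legitimate clients retransmitting ~1 s later, plus a
    # 50-source spoofed flood (203.0.113.0/24) that never retransmits.
    pkts = [(0.00, "198.51.100.10"), (1.00, "198.51.100.10"),
            (0.20, "198.51.100.20"), (1.20, "198.51.100.20")]
    return pkts + [(0.001 * i, f"203.0.113.{i}") for i in range(1, 51)]
```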
