handling ddos attacks

Jared Mauch jared at puck.nether.net
Thu May 20 19:01:12 UTC 2004


On Thu, May 20, 2004 at 11:52:01AM -0700, Mark Kent wrote:
> 
> I've been trying to find out what the current BCP is for handling ddos
> attacks.  Mostly what I find is material about how to be a good
> net.citizen (we already are), how to tune a kernel to better withstand
> a syn flood, router stuff you can do to protect hosts behind it, how
> to track the attack back to the source, how to determine the nature of
> the traffic, etc.
> 
> But I don't care about most of that.  I care that a gazillion
> pps are crushing our border routers (7206/npe-g1).
> 
> Other than getting bigger routers, is it still the case that the best
> we can do is identify the target IP (with netflow, for example) and
> have upstreams blackhole it?

	or acl it.

	some providers offer blackhole services where you can inject
a route to them via bgp over the same session (with communities) or
over a different session that just takes blackhole routes..

	that can be used by you to cause them to null0/discard the
traffic within their network automatically..

	with junipers being used commonly these days, and their
ability to write long, complex firewall filters, I think you're seeing
more people do fancier things..  I've placed filters for at least
one customer (for the duration of a DoS) that match on specific
packet sizes or packet ranges of a specific type.

	The more you know about the profile of the attack you
have going on, the better others can help you mitigate it..

	- jared

-- 
Jared Mauch  | pgp key available via finger from jared at puck.nether.net
clue++;      | http://puck.nether.net/~jared/  My statements are only mine.
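A customer-side Junos configuration for the community-tagged blackhole injection Jared describes: a static discard route for the attacked host is exported to the upstream over the normal eBGP session, marked with the provider's blackhole community. This is an added example, not from the thread or any provider's documentation; 192.0.2.0/24, the host 192.0.2.10, neighbour 203.0.113.1, ASNs 64496/64500 and the community 64500:666 are placeholders, and the real community is whatever the upstream publishes.

```junos
/* Added example: remote-triggered blackhole request from the customer side.
   All addresses, ASNs and the 64500:666 community are placeholders. */
routing-options {
    autonomous-system 64496;
    static {
        /* the attacked host: discard locally, tag with the upstream's blackhole community */
        route 192.0.2.10/32 {
            discard;
            community 64500:666;
        }
    }
}
policy-options {
    community BLACKHOLE members 64500:666;
    community NO-EXPORT members no-export;
    policy-statement EXPORT-TO-UPSTREAM {
        /* normal announcement of the aggregate */
        term aggregate {
            from {
                route-filter 192.0.2.0/24 exact;
            }
            then accept;
        }
        /* host routes are only sent when they carry the blackhole community */
        term blackhole {
            from {
                protocol static;
                route-filter 192.0.2.0/24 prefix-length-range /32-/32;
                community BLACKHOLE;
            }
            then {
                community add NO-EXPORT;
                accept;
            }
        }
        term reject-rest {
            then reject;
        }
    }
}
protocols {
    bgp {
        group UPSTREAM {
            type external;
            peer-as 64500;
            neighbor 203.0.113.1;
            export EXPORT-TO-UPSTREAM;
        }
    }
}
```

The upstream has to agree to accept a /32 inside your block and to map the community to a discard next hop, otherwise its prefix filters drop the announcement. Because the route also blackholes the victim for legitimate traffic, the static route is deleted as soon as the attack subsides.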