handling ddos attacks
rara at navigo.com
Thu May 20 20:14:25 UTC 2004
The dearth of comprehensive BCP asserting the end-all-be-all for
DDoS is likely and largely due to the lack of an end-all-be-all
The range of variants, strains, chewy fillings and flavors of
fuxor out there beg different techniques for alleviation, so
prescribing a single poultice for blanket application does not
seem to be in wide practice outside marketing stratagem and
other blustering. The resources requiring protection and
receiving priority, as well as the trade-off in exacting
reactive measures, also have a say in how things are managed.
In general, however, yeah...identifying the source or target
is a must. Or a source port or destination port or protocol
type or packet size or point of ingress/egress...the list of
signature-worthy candidates is significant and also determines
how a DDoS is triaged.
The only thing that can be said for certain is that *some*
unifying factor must be discovered. :P Furthermore, how you do
that and what you do with that is a fluid thing, and further
refinement or definition of the type of DDoS you are seeking to
relieve may be required before you will be able to root out an
attack management template that is worth its salt.
Blackhole servers, sinkhole routers, IDS, extrusion detection,
heuristic baselining, and definitely bigger routers never hurt
this effort either. ;)
If you are able to elaborate on what you might be seeking to
accomplish on- or off-list, I will try to proffer any
appropriate resources I have available.
Rachael Treu-Gomes, CISSP rara at navigo.com
..quis costodiet ipsos custodes?..
On Thu, May 20, 2004 at 11:52:01AM -0700, Mark Kent said something to the effect of:
> I've been trying to find out what the current BCP is for handling ddos
> attacks. Mostly what I find is material about how to be a good
> net.citizen (we already are), how to tune a kernel to better withstand
> a syn flood, router stuff you can do to protect hosts behind it, how
> to track the attack back to the source, how to determine the nature of
> the traffic, etc.
> But I don't care about most of that. I care that a gazillion
> pps are crushing our border routers (7206/npe-g1).
> Other than getting bigger routers, is it still the case that the best
> we can do is identify the target IP (with netflow, for example) and
> have upstreams blackhole it?
More information about the NANOG