handling ddos attacks

Rachael Treu-Gomes rara at navigo.com
Thu May 20 20:14:25 UTC 2004

The dearth of comprehensive BCP asserting the end-all-be-all for
DDoS is likely and largely due to the lack of an end-all-be-all 

The range of variants, strains, chewy fillings and flavors of 
fuxor out there beg different techniques for alleviation, so 
prescribing a single poultice for blanket application does not 
seem to be in wide practice outside marketing stratagem and 
other blustering.  The resources requiring protection and 
receiving priority, as well as the trade-off in exacting 
reactive measures, also have a say in how things are managed.

In general, however, yeah...identifying the source or target 
is a must.  Or a source port or destination port or protocol 
type or packet size or point of ingress/egress...the list of 
signature-worthy candidates is significant and also determines 
how a DDoS is triaged.  

The only thing that can be said for certain is that *some* 
unifying factor must be discovered.  :P  Furthermore, how you do 
that and what you do with that is a fluid thing, and further 
refinement or definition of the type of DDoS you are seeking to 
relieve may be required before you will be able to root out an 
attack management template that is worth its salt.

Blackhole servers, sinkhole routers, IDS, extrusion detection, 
heuristic baselining, and definitely bigger routers never hurt
this effort either.  ;)

If you are able to elaborate on what you might be seeking to
accomplish on- or off-list, I will try to proffer any 
appropriate resources I have available.

Good luck.


Rachael Treu-Gomes, CISSP       rara at navigo.com
..quis costodiet ipsos custodes?..

On Thu, May 20, 2004 at 11:52:01AM -0700, Mark Kent said something to the effect of:
> I've been trying to find out what the current BCP is for handling ddos
> attacks.  Mostly what I find is material about how to be a good
> net.citizen (we already are), how to tune a kernel to better withstand
> a syn flood, router stuff you can do to protect hosts behind it, how
> to track the attack back to the source, how to determine the nature of
> the traffic, etc.
> But I don't care about most of that.  I care that a gazillion
> pps are crushing our border routers (7206/npe-g1).
> Other than getting bigger routers, is it still the case that the best
> we can do is identify the target IP (with netflow, for example) and
> have upstreams blackhole it?
> Thanks,
> -mark

More information about the NANOG mailing list