[NANOG-LIST] handling ddos attacks

Brent Van Dussen vandusb at attens.com
Thu May 20 19:17:36 UTC 2004


Is there any quantification on what qualifies as a large DDoS attack and 
perhaps a comparison of what type of routers can/can't handle such a 
load?  Typical DDoS attacks that I've seen are 10-20X the normal incoming packet 
rate, up to and over 1 Mpps.  Having to switch that amount of additional load 
has a tremendous impact on linecard CPU, and any amount of additional 
features to try to protect your customer will sometimes result in a 
degradation to *everyone*, not just the target.  In my experience, calling 
the upstream provider and having it blocked is still the only thing that 
can be done.  When working on the backbone I've spent hours tracking the 
majority of flows back to one or more peering points and blocking it there, 
where the attack isn't as concentrated and thus safer to filter.

-Brent
At 11:52 AM 5/20/2004, Mark Kent wrote:

>I've been trying to find out what the current BCP is for handling DDoS
>attacks.  Mostly what I find is material about how to be a good
>net.citizen (we already are), how to tune a kernel to better withstand
>a SYN flood, router stuff you can do to protect hosts behind it, how
>to track the attack back to the source, how to determine the nature of
>the traffic, etc.
>
>But I don't care about most of that.  I care that a gazillion
>pps are crushing our border routers (7206/npe-g1).
>
>Other than getting bigger routers, is it still the case that the best
>we can do is identify the target IP (with NetFlow, for example) and
>have upstreams blackhole it?
>
>Thanks,
>-mark
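The procedure both posters describe, identifying the target IP from flow data, finding which peering points carry most of the attack so it can be filtered where it is less concentrated, and null-routing the target /32 locally while the upstream is asked to blackhole it, worked through as an added example. This is not code from the thread or from either poster; the flow records are constructed sample data, the field names (src, dst, in_if, packets, seconds) are an assumed simplified flow format, and the per-host baseline rate is an operator-supplied assumption.

```python
# Added example (not from the thread): use flow records, the way the posters
# describe doing with NetFlow by hand, to (1) find which destination is the
# DDoS target, (2) see which ingress/peering points carry most of the attack,
# and (3) print the local null route for the target /32.
# All flow records below are constructed sample data; the field names
# (src, dst, in_if, packets, seconds) are an assumed simplified flow format.
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address


@dataclass(frozen=True)
class Flow:
    src: str        # source address
    dst: str        # destination address
    in_if: str      # ingress interface or peering point the flow arrived on
    packets: int    # packets seen in this record
    seconds: float  # interval the packet count covers


# Constructed sample: an attack on 192.0.2.10 arriving mostly via two peers,
# plus ordinary traffic to two other hosts. One 60-second export interval.
SAMPLE_FLOWS = [
    Flow("203.0.113.5",   "192.0.2.10", "Peer-A",    30_000_000, 60),
    Flow("198.51.100.7",  "192.0.2.10", "Peer-B",    24_000_000, 60),
    Flow("198.51.100.9",  "192.0.2.10", "Transit-C",  6_000_000, 60),
    Flow("203.0.113.20",  "192.0.2.20", "Peer-A",       600_000, 60),
    Flow("198.51.100.30", "192.0.2.30", "Transit-C",  1_200_000, 60),
]


def pps_by_destination(flows):
    """Aggregate packets per second per destination address."""
    rates = defaultdict(float)
    for f in flows:
        rates[f.dst] += f.packets / f.seconds
    return dict(rates)


def find_targets(flows, baseline_pps, factor=10):
    """Destinations receiving at least `factor` x the normal per-host rate.

    The thread describes attacks at 10-20X the normal incoming packet rate;
    `baseline_pps` is the operator's idea of normal for one host (assumed input).
    Returns (dst, pps) pairs, highest rate first.
    """
    hot = [(dst, pps) for dst, pps in pps_by_destination(flows).items()
           if pps >= factor * baseline_pps]
    return sorted(hot, key=lambda item: item[1], reverse=True)


def ingress_share(flows, target):
    """Fraction of the target's packets arriving on each ingress interface."""
    per_if = defaultdict(int)
    for f in flows:
        if f.dst == target:
            per_if[f.in_if] += f.packets
    total = sum(per_if.values())
    return {name: count / total for name, count in per_if.items()} if total else {}


def filter_points(shares, coverage=0.8):
    """Smallest set of ingress points that together carry at least `coverage`
    of the attack: where the thread suggests filtering, since the attack is
    spread across peers there rather than concentrated at the border."""
    chosen, covered = [], 0.0
    for name, share in sorted(shares.items(), key=lambda item: item[1], reverse=True):
        chosen.append(name)
        covered += share
        if covered >= coverage:
            break
    return chosen


def blackhole_static_route(target):
    """Cisco IOS-style null route for the target /32, the local half of
    'have the upstream blackhole it' (the upstream announcement is out of band)."""
    ip_address(target)  # raises ValueError on a malformed address
    return f"ip route {target} 255.255.255.255 Null0"


if __name__ == "__main__":
    for dst, pps in find_targets(SAMPLE_FLOWS, baseline_pps=50_000):
        print(f"target {dst}: {pps:,.0f} pps")
        shares = ingress_share(SAMPLE_FLOWS, dst)
        for name, share in sorted(shares.items(), key=lambda i: i[1], reverse=True):
            print(f"  {name}: {share:.0%} of attack packets")
        print("  filter at:", ", ".join(filter_points(shares)))
        print("  local null route:", blackhole_static_route(dst))
```

With the sample data the attacked host shows 1 Mpps, twenty times the assumed 50 kpps baseline, with 90% of it entering via Peer-A and Peer-B, so those two peering points are where a filter would catch most of the attack without touching the border router or the transit link.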