handling ddos attacks

Paul Vixie vixie at vix.com
Fri May 21 01:48:52 UTC 2004

mark at noc.mainstreet.net (Mark Kent) writes:

> I've been trying to find out what the current BCP is for handling ddos
> attacks.  Mostly what I find is material about ...  But I don't care
> about most of that.  I care that a gazillion pps are crushing our border
> routers (7206/npe-g1).
> Other than getting bigger routers, is it still the case that the best
> we can do is identify the target IP (with netflow, for example) and
> have upstreams blackhole it?

that seems hardly worthwhile.  ddos is astonishingly easier to launch than
to defend against.  if you stop a flow the attacker *might* get bored and
decide to do something else, but they could also decide to attack you from
a different direction, or wait two days and do it all over again, and every
time they attack and you defend it's 10 minutes of their time and 10 hours
of yours.

far better to involve law enforcement and get some bad guys arrested, if
you possibly can.  this changes your costs from 10 hours to 15 hours but it
actually puts some chips on the table and makes the game worthwhile.

Paul Vixie
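The procedure Mark describes (identify the attacked address from flow data, then have it null-routed) as an added Python example, not code from the original post: the flow records and the pps threshold are constructed, and the output line uses Cisco IOS static-route syntax for the 7206 mentioned above.

```python
"""Aggregate NetFlow-style records per destination, flag the host being
flooded, and emit a blackhole route for it (added example, not from the post).

Assumption: exported flows have already been parsed into
(dst_ip, packet_count, window_seconds) tuples.
"""
from collections import defaultdict
from ipaddress import ip_address

# Constructed sample flows: two large flows hammer one host, the rest is normal.
SAMPLE_FLOWS = [
    ("192.0.2.10", 1_200_000, 60),
    ("192.0.2.10", 900_000, 60),
    ("192.0.2.25", 4_000, 60),
    ("198.51.100.7", 12_000, 60),
]


def packets_per_second_by_dst(flows):
    """Sum packets per destination and divide by the observation window."""
    pkts = defaultdict(int)
    window = defaultdict(int)
    for dst, packets, seconds in flows:
        pkts[dst] += packets
        window[dst] = max(window[dst], seconds)  # flows share one export window
    return {dst: pkts[dst] / window[dst] for dst in pkts}


def find_targets(flows, pps_threshold):
    """Destinations whose aggregate rate exceeds the threshold, highest first.

    The threshold is a constructed figure; in practice it is derived from the
    router's known forwarding capacity and baseline traffic.
    """
    rates = packets_per_second_by_dst(flows)
    hot = [dst for dst, rate in rates.items() if rate > pps_threshold]
    return sorted(hot, key=lambda d: rates[d], reverse=True)


def blackhole_route(target):
    """Cisco IOS static null route for the attacked host.

    Installed on the border router, or announced to upstreams so they drop
    the traffic before it reaches the saturated link, this sacrifices the one
    address to keep the rest of the network reachable.
    """
    host = ip_address(target)  # raises ValueError on malformed input
    return f"ip route {host} 255.255.255.255 Null0"


if __name__ == "__main__":
    for victim in find_targets(SAMPLE_FLOWS, pps_threshold=10_000):
        print(blackhole_route(victim))
```
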

