handling ddos attacks
P.Schroebel
crossfire at smsonline.net
Fri May 21 02:04:58 UTC 2004
----- Original Message -----
From: "Paul Vixie" <vixie at vix.com>
To: <nanog at merit.edu>
Sent: Thursday, May 20, 2004 9:48 PM
Subject: Re: handling ddos attacks
>
> mark at noc.mainstreet.net (Mark Kent) writes:
>
> > I've been trying to find out what the current BCP is for handling ddos
> > attacks. Mostly what I find is material about ... But I don't care
> > about most of that. I care that a gazillion pps are crushing our border
> > routers (7206/npe-g1).
> >
> > Other than getting bigger routers, is it still the case that the best
> > we can do is identify the target IP (with netflow, for example) and
> > have upstreams blackhole it?
>
> that seems hardly worthwhile. ddos is astonishingly easier to launch than
> to defend against. if you stop a flow the attacker *might* get bored and
> decide to do something else, but they could also decide to attack you from
> a different direction, or wait two days and do it all over again, and
> every time they attack and you defend it's 10 minutes of their time and 10 hours
> of yours.
>
> far better to involve law enforcement and get some bad guys arrested, if
> you possibly can. this changes your costs from 10 hours to 15 hours but
> it actually puts some chips on the table and makes the game worthwhile.
> --
> Paul Vixie
Hey Paul!
Ok, I'll buy that right now; we have a DDoS attack on our core nameservers
from 66.165.10.24. Where do we start? Do I call the police in Bellingham or
the Washington State Police? We have blocked their IPs, but we know they will
come in another way.
Peter
OrgName: Western Washington University
OrgID: WWU
Address: Computer Center
Address: 516 High Street
City: Bellingham
StateProv: WA
PostalCode: 98225
Country: US
NetRange: 66.165.0.0 - 66.165.31.255
CIDR: 66.165.0.0/19
NetName: WWU-RESIDENT-1
NetHandle: NET-66-165-0-0-2
Parent: NET-66-165-0-0-1
NetType: Reassigned
NameServer: VIKING.WWU.EDU
NameServer: HENSON.CC.WWU.EDU
Comment:
RegDate: 2002-08-15
Updated: 2002-08-15
TechHandle: JSW12-ARIN
TechName: Williams, J. Scott
TechPhone: +1-360-650-2868
TechEmail: scott at cc.wwu.edu