Mitigating HTTP DDoS attacks?

• Previous message (by thread): Mitigating HTTP DDoS attacks?
• Next message (by thread): End of life: 'sh ip bgp' collection on route-views.routeviews.org
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Hi Mike,

Depending upon the type of DDOS, there are five things you should do in order:

1.  immediate response: set your host based security to mitigate the attack.  E.g. mod_security for Apache web server, IPTables for host firewall.  This will keep the hard drives from filling up, the cpu from smoking, etc.
2.  second response: gateway router or border firewall.  Filter that stuff out if you can.  This will keep your internal network clean so it won't affect your other systems.  One quickie *temporary* fix would be to block whole networks of DSL/Cable modems.  There are lists out there specifically for this--always-on broadband home PCs are a often the compromised sources of attacks.  
3.  third response: contact your upstream providers and ask them to take action.  They can apply filters, and apply pressure to their colos.
4.  make sure you have done your part: secure your network so it cannot be used for DOS attacks by applying egress filtration etc. ( http://www.sans.org/dosstep/ ); secure your hosts against future DOS attacks using things like mod_security and mod_evasive for Apache, tcplimit for IPTables, or etc.

One caveat: bandwidth flooding effects can be mitigated, but you can't really do anything about it other than contacting your upstream provider.  Until your provider does something, the bottleneck here is your uplink.

--Patrick Darden



-----Original Message-----
From: owner-nanog at merit.edu [mailto:owner-nanog at merit.edu]On Behalf Of
Mike Lyon
Sent: Monday, March 24, 2008 6:02 PM
To: NANOG
Subject: Mitigating HTTP DDoS attacks?



Howdy all,

So, i'm kind of new to this so please deal with my ignorance. But,
what is common practice these days for HTTP DDoS mitigation during an
attack? You can of course route every offending ip address to null0 at
your border. But, if it's a botnet or trojan or something, It's coming
from numerous different source IPs and Null0 routes can get very
cumbersome. obviously. How do you folk usually deal with this?

Any input would be greatly appreciated.

Cheers,
Mike

• Previous message (by thread): Mitigating HTTP DDoS attacks?
• Next message (by thread): End of life: 'sh ip bgp' collection on route-views.routeviews.org
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]