North American Network Operators Group

RE: DDoS attacks
On Thu, 12 Jul 2001, David Harmelin wrote:

> At 08:45 AM 7/12/01 -0700, Roeland Meyer wrote:
>
> >This is the main point, a script-kiddie hunt, with prosecution, is the ONLY
> >real deterrent. Throw some of them in hotel greybar and remove them from
> >computing, for life, and we may see some of this turn around.
> >
> >If a lady wears skimpy clothing, does she deserve to get raped? Obviously,
> >not. If a computer has skimpy protection, does it deserve to be turned into
> >a zombie? Simply because you forget to lock your car one night (whilst in
> >your driveway), do you deserve to have it stolen? If you leave a $100 on
> >your kitchen table, in your unlocked house, whilst you are working in your
> >garage, do I have the right to sneak in the back door and take it while
> >avoiding prosecution, on the grounds that you were careless? WRT EFFnet,
> >does a prostitute deserve to be raped?
>
> By the way, for those who care, there are relatively easy ways to fight DoS attacks:
> * use netflow and a bunch of scripts to detect them automatically
> * use BGP to block them on all your border routers instantly, based on destination
> * use BGP and Unicast RPF to block them on all your border routers instantly, based on source, if you really need to
>
> With a combination of all that, you can automatically block any major attack at your border.

Sorry, but after doing all of that, DDoS attacks still saturate even the largest circuits, thus denying the service.

> Is it scalable? Yes.

Until the CPU overhead from netflow knocks out the router(s) from a mass-attack.

> What about false alarms? We have implemented the detection bit.
> With a bit of tuning, we get 0.1% of false alarms and yet catch an average of 15 attacks per day, above 500 pkts/s (up to 10000s pkts/s).
> I wouldn't be surprised if Tier1 networks would catch many more attacks than that, with the same tool.
>
> My point: block automatically 99% of the DoS attacks at the top 10 transit providers level, and we may see DoS attacks be a thing of the past.
> "Kiddies only do it because they can".
>
> DH.
>
> ___________________________________________________________________
> * * David Harmelin Network Engineer
> * * DANCERT Representative
> * Francis House
> * 112 Hills Road Tel +44 1223 302992
> * Cambridge CB2 1PQ Fax +44 1223 303005
> D A N T E United Kingdom WWW http://www.dante.net
> ____________________________________________________________________

---
Brad Baker
Director: Network Operations
American ISP
[email protected]
+1 303 984 5700 x12
http://www.americanisp.net/

Fortune-- I will always love the false image I had of you.
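The detect-and-blackhole loop Harmelin sketches (NetFlow aggregation, a packet-rate threshold, then a destination-based BGP block pushed to the borders) is easy to get wrong on the false-alarm side. The following is an added illustration, not code from the thread, from DANTE or from American ISP: it aggregates constructed flow records per destination, requires the rate to stay above the 500 pkts/s floor quoted in the post for two consecutive export intervals before acting, and emits the static null route a route-reflector-based blackhole setup would redistribute. The flow tuple layout, the 60-second interval, the sustain count, and the route tag value are all assumptions.

```python
"""
Added example (not part of the NANOG thread): a minimal NetFlow-style
per-destination rate detector plus the destination-based blackhole route
a BGP-driven blocker would generate.

Constructed assumptions:
  - flows have already been exported and parsed into
    (src, dst, packets, duration_seconds) tuples
  - one call to Detector.observe() covers one export interval (60 s assumed)
  - a destination is declared under attack only after exceeding the
    threshold for SUSTAIN_INTERVALS consecutive intervals, which suppresses
    single-interval bursts (one way to hold false alarms down)
  - the null route uses IOS syntax; the tag value is a placeholder, not any
    real network's convention
"""
from collections import defaultdict
from typing import Dict, List, Set, Tuple

Flow = Tuple[str, str, int, float]   # (src, dst, packets, duration_seconds)

PPS_THRESHOLD = 500        # pkts/s per destination; the floor quoted in the thread
SUSTAIN_INTERVALS = 2      # consecutive over-threshold intervals before acting (assumed)
INTERVAL_SECONDS = 60.0    # assumed flow export interval


def rate_per_destination(flows: List[Flow]) -> Dict[str, float]:
    """Sum packets per destination over one export interval and return pkts/s.
    The interval length, not the individual flow duration, is the denominator,
    so a short burst is averaged over the whole interval."""
    pkts: Dict[str, int] = defaultdict(int)
    for _src, dst, packets, _duration in flows:
        pkts[dst] += packets
    return {dst: n / INTERVAL_SECONDS for dst, n in pkts.items()}


class Detector:
    def __init__(self, threshold: float = PPS_THRESHOLD, sustain: int = SUSTAIN_INTERVALS):
        self.threshold = threshold
        self.sustain = sustain
        self.over: Dict[str, int] = defaultdict(int)   # consecutive intervals over threshold
        self.blocked: Set[str] = set()                  # destinations already blackholed

    def observe(self, flows: List[Flow]) -> List[str]:
        """Feed one interval of flows; return destinations newly blackholed."""
        rates = rate_per_destination(flows)
        newly_blocked: List[str] = []
        # Visit known destinations too, so a quiet interval resets their counter.
        for dst in set(rates) | set(self.over):
            if rates.get(dst, 0.0) > self.threshold:
                self.over[dst] += 1
            else:
                self.over[dst] = 0
            if self.over[dst] >= self.sustain and dst not in self.blocked:
                self.blocked.add(dst)
                newly_blocked.append(dst)
        return sorted(newly_blocked)


def blackhole_route(dst: str) -> str:
    """Destination-based block: a /32 static route to Null0 carrying a tag
    (placeholder value 666) that the redistribution policy maps to a blackhole
    community for every border router. Note the trade-off the thread raises:
    this finishes the denial of service for the victim host, but keeps the
    attack traffic off the rest of the network and the upstream links."""
    return f"ip route {dst} 255.255.255.255 Null0 tag 666"


if __name__ == "__main__":
    # Constructed sample: 40 sources flooding one victim (40,000 pkts per
    # interval, about 667 pkts/s) next to a normal 50 pkts/s web server.
    attack = [(f"198.51.100.{i}", "192.0.2.5", 1000, 1.0) for i in range(1, 41)]
    background = [("198.51.100.1", "203.0.113.10", 3000, 60.0)]
    det = Detector()
    for interval in range(1, 4):
        for victim in det.observe(attack + background):
            print(f"interval {interval}: blackholing {victim}")
            print(blackhole_route(victim))
```

Run as a script it reports the victim in the second interval only; the usage note worth keeping from Baker's reply is that the block protects the infrastructure around the victim, and that the flow-export load on the routers is itself a cost to budget for.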