North American Network Operators Group Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical Re: Advanced Countermeasures to prevent a Ddos
On Fri, Jul 20, 2001 at 07:22:28AM +0200, Hank Nussbacher wrote: > It all hinges on your upstream ISPs. The things to ask for are: > > - SYN and ICMP rate limiting: If you buy a T3 from your upstream, you > should ask that they place on *their* peering routers and on the router > facing you, Cisco rate limits of about 512kb/sec of ICMP and about > 128kb/sec of SYNs. Pay extra if need be. 512Kbps for ICMP? I'd go for 128Kbps if not less. TCP/SYN - 128Kbps ? ;) 128Kbps is way too easy... do it per hot box/ip. It will take just one or two modems to take you down, as an example someone portscanning your network. Ask for hot [potential] targets only: ircd, shell systems, router interfaces. Do it per box, plus same rules for all of your router interfaces heading the big bad 'Net. Just make sure you have a proper deny ACL not to rate-limit BGP traffic during life attack. Before placing something permanent you need to adjust and play with this. > - anti-spoofing: require your upstream ISPs to implement full anti-spoofing > for incoming packets. That includes RFC1918, unassigned IANA blocks and > (as a minimum) IP anti-spoofing on all single-homed customer links (Cisco > ip verify unicast reverse-path) Sounds good. check 'ip verify unicast source reachable-via any' as well http://www.cisco.com/public/cons/isp/documents/uRPF_Enhancement.pdf new uRPF works if you're multihomed too. > - BGP community: Your upstream should allow you to announce a BGP community > for any sub-prefix in your IP block (meaning he has to not be strict in the > length of the prefix you announce to him since it can change dynamically) > that will me ROUTENULL, which means they eat the packets for you. Sounds good.. too good to be true. Any Tier1 or "Tier1.5" does this? ;) > Find 2 upstreams who will agree to the above 3 items and you are 99% safe > from dDoS. And I can still take you down with 1. tcp fin 2. tcp psh 3. tcp rst 4. tcp ack 5. tcp urg 6. tcp frags 7. udp 8. ip frags I don't know but somewhy I doubt you'll find an upstream to do ~10 rate-limits per your hot stuff and another ~10 for router interfaces. If you do manage to get this setup from upstream you'll be somewhat "99% safe from dDoS". Kids can and most likely will find a hole to take you down, just takes time. -Basil
|