North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: Advanced Countermeasures to prevent a Ddos

  • From: Basil Kruglov
  • Date: Fri Jul 20 01:20:55 2001

On Fri, Jul 20, 2001 at 07:22:28AM +0200, Hank Nussbacher wrote:
> It all hinges on your upstream ISPs.  The things to ask for are:
> 
> - SYN and ICMP rate limiting:  If you buy a T3 from your upstream, you 
> should ask that they place on *their* peering routers and on the router 
> facing you, Cisco rate limits of about 512kb/sec of ICMP and about 
> 128kb/sec of SYNs.  Pay extra if need be.

512Kbps for ICMP? I'd go for 128Kbps if not less.

TCP/SYN - 128Kbps ? ;) 128Kbps is way too easy... do it per hot box/ip.
It will take just one or two modems to take you down, as an example 
someone portscanning your network.

Ask for hot [potential] targets only: ircd, shell systems, router interfaces.
Do it per box, plus same rules for all of your router interfaces heading the
big bad 'Net. Just make sure you have a proper deny ACL not to rate-limit BGP
traffic during life attack.

Before placing something permanent you need to adjust and play with this.

> - anti-spoofing: require your upstream ISPs to implement full anti-spoofing 
> for incoming packets.  That includes RFC1918, unassigned IANA blocks and 
> (as a minimum) IP anti-spoofing on all single-homed customer links (Cisco 
> ip verify unicast reverse-path)

Sounds good. check 'ip verify unicast source reachable-via any' as well
http://www.cisco.com/public/cons/isp/documents/uRPF_Enhancement.pdf
new uRPF works if you're multihomed too.

> - BGP community: Your upstream should allow you to announce a BGP community 
> for any sub-prefix in your IP block (meaning he has to not be strict in the 
> length of the prefix you announce to him since it can change dynamically) 
> that will me ROUTENULL, which means they eat the packets for you.

Sounds good.. too good to be true. Any Tier1 or "Tier1.5" does this? ;)

> Find 2 upstreams who will agree to the above 3 items and you are 99% safe 
> from dDoS.

And I can still take you down with

1. tcp fin
2. tcp psh
3. tcp rst
4. tcp ack
5. tcp urg
6. tcp frags
7. udp
8. ip frags

I don't know but somewhy I doubt you'll find an upstream to do ~10 rate-limits
per your hot stuff and another ~10 for router interfaces. If you do manage to
get this setup from upstream you'll be somewhat "99% safe from dDoS". Kids
can and most likely will find a hole to take you down, just takes time.

-Basil