North American Network Operators Group
Date Prev | Date Next |
Date Index |
Thread Index |
Author Index |
Historical
Re: Advanced Countermeasures to prevent a Ddos
- From: Hank Nussbacher
- Date: Fri Jul 20 01:32:01 2001
At 00:22 20/07/01 -0500, Basil Kruglov wrote:
On Fri, Jul 20, 2001 at 07:22:28AM +0200, Hank Nussbacher wrote:
> It all hinges on your upstream ISPs. The things to ask for are:
>
> - SYN and ICMP rate limiting: If you buy a T3 from your upstream, you
> should ask that they place on *their* peering routers and on the router
> facing you, Cisco rate limits of about 512kb/sec of ICMP and about
> 128kb/sec of SYNs. Pay extra if need be.
512Kbps for ICMP? I'd go for 128Kbps if not less.
YMMV. It all depends on how big a pipe you use. The numbers are examples
and each site would have to determine what number works best for them.
TCP/SYN - 128Kbps ? ;) 128Kbps is way too easy... do it per hot box/ip.
It will take just one or two modems to take you down, as an example
someone portscanning your network.
Ask for hot [potential] targets only: ircd, shell systems, router interfaces.
Do it per box, plus same rules for all of your router interfaces heading the
big bad 'Net. Just make sure you have a proper deny ACL not to rate-limit BGP
traffic during life attack.
Before placing something permanent you need to adjust and play with this.
> - anti-spoofing: require your upstream ISPs to implement full
anti-spoofing
> for incoming packets. That includes RFC1918, unassigned IANA blocks and
> (as a minimum) IP anti-spoofing on all single-homed customer links (Cisco
> ip verify unicast reverse-path)
Sounds good. check 'ip verify unicast source reachable-via any' as well
http://www.cisco.com/public/cons/isp/documents/uRPF_Enhancement.pdf
new uRPF works if you're multihomed too.
> - BGP community: Your upstream should allow you to announce a BGP
community
> for any sub-prefix in your IP block (meaning he has to not be strict in
the
> length of the prefix you announce to him since it can change dynamically)
> that will me ROUTENULL, which means they eat the packets for you.
Sounds good.. too good to be true. Any Tier1 or "Tier1.5" does this? ;)
> Find 2 upstreams who will agree to the above 3 items and you are 99% safe
> from dDoS.
And I can still take you down with
1. tcp fin
2. tcp psh
3. tcp rst
4. tcp ack
5. tcp urg
6. tcp frags
7. udp
8. ip frags
I don't know but somewhy I doubt you'll find an upstream to do ~10 rate-limits
per your hot stuff and another ~10 for router interfaces. If you do manage to
get this setup from upstream you'll be somewhat "99% safe from dDoS". Kids
I would be happy with even 90%. Life is never 100% - just a continuing
stream of compromises.
-Hank
can and most likely will find a hole to take you down, just takes time.
-Basil
|