North American Network Operators Group|
Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical
Re: Growing DoS attacks
At 06:51 PM 1/16/02 -0500, Jared Mauch wrote:
Something that people may want to consider doing is that assuming you are using hardware/software that can support rate-limit of specific packet types/rates, you could generate some rate-limits to limit specific types of traffic to various ranges.
Most dDoS we see are udp floods with tiny packets, if not all that have any noticeable effects. In fact we haven't seen a single one that wasn't packets <70bytes, so we monitor average packet size as a DoS alert. Rate limiting might work to prevent your dDoS participants from hurting your neighbors, but maybe not even that. 1.5Mb of syn, icmp, or udp from your net and 100 others will bring many folks down including me. Rate limiting does nothing to protect your own net from the outside. For example, if I rate limit an external T3, that does no good if the T3 is being soaked from the other end, that T3 is effectively down. What it takes to soak an external T3 would be noise to the folks from whom I get the T3 (or they shouldn't be selling me a T3). Usually, "soaked" is with pps and the total bandwidth in use drops dramatically. So rate limiting at so-called "tier 1" is maybe going to help folks at tier 2 and 3, but not at tier 1, and likewise down the line. We can encourage customers to keep patched. We can offer to security scan them. We can firewall them (we firewall all our dsl residential and most dsl biz customers). But we can't make them completely secure and thus harmless. We can only pull the plug once they get hacked and start spewing. ...Barb