North American Network Operators Group


Re: Effective ways to deal with DDoS attacks?

  • From: Pete Kruckenberg
  • Date: Wed May 01 22:40:21 2002

On Wed, 1 May 2002, Richard A Steenbergen wrote:

> "DDoS attacks" is such a generic term. There are a wide
> variety of attacks which each need to be handled in
> their own way, the extra "D" is just one possible twist.
> Can you explain what kind of attack you're interested
> in?

We experience a lot of types of attacks ("education/research
network" = "easy hacker target"). With DDoS incidents, it
seems we are more often an unknowing/unwilling participant
than the target, partly due to owning big chunks of IP
address space.

We most frequently are the zombie/reflector participants in
an attack that originates outside our network, to a target
outside our network. As many as 8,000 hosts on our network
are reflecting SYN floods in the current attacks.

Identification doesn't seem to be a problem. Snort is doing
far too well notifying us. Responding and managing all of
the defenses is becoming a lot of painstaking work, and
error-prone (why can't Cisco make ACLs easier to manage).

Our approach so far has been temporary blocks (via ACL) of
the target address. Blocking 8,000 internal addresses, many
legitimate (secured) Web servers, generates more complaints.

I'm thinking about a scripted Zebra feed where route
injections are triggered by Snort. Routes for the target
and/or SYN flood reflector hosts could be injected
temporarily during the attack to border routers, which would
route-map those routes to Null0. Script periodically
withdraws routes to see if the attack is over (some of these
last weeks, some only last a few seconds), to minimize the
impact on those otherwise legitimate hosts.

Has anyone tried this kind of an approach or any other type
of automated/efficient approach to dampen the "zombie" side
of the DDoS attack?

Pete.
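A sketch of the Snort-to-Zebra loop Pete describes, as an added example rather than anything posted in this thread: it parses Snort "fast" alert lines, collects the internal hosts flagged as SYN-flood reflectors, and emits the Quagga/Zebra vtysh commands that inject or withdraw a /32 for each of them. Every injected route carries a hold timer; when it runs out the route is withdrawn so the host can be watched, and if the alerts resume inside a quiet window the route goes back in with a doubled (capped) hold. The Snort SID, the AS number, the route-map name, the vtysh invocation and the sample alert lines are all assumptions; the script only returns command strings and never runs them.

```python
"""Snort-triggered BGP blackhole controller (added example, not from the thread).

Emits vtysh command strings for Quagga/Zebra bgpd; check the exact syntax
against your version before wiring this to a real router. Assumed one-time
config on the bgpd side: a route-map BLACKHOLE that tags the /32 (e.g. with a
community), and on the Cisco border routers a route-map that matches that tag
and sets the next hop to an address statically routed to Null0.
"""
import re
from dataclasses import dataclass, field

# Snort fast-alert format:
#   MM/DD-HH:MM:SS.usec  [**] [gid:sid:rev] msg [**] [Classification: ..] [Priority: n] {PROTO} src:sport -> dst:dport
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):\d+\]"
    r"\s+(?P<msg>.+?)\s+\[\*\*\].*?\{(?P<proto>\w+)\}\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+):(?P<sport>\d+)\s+->\s+(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<dport>\d+)$"
)
REFLECTOR_SIDS = {1000001}  # assumed: the local rule that fires on reflected SYN floods


def parse_alerts(lines):
    """Return (reflector, target) address pairs for alerts whose SID is in REFLECTOR_SIDS."""
    hits = []
    for line in lines:
        m = ALERT_RE.match(line.strip())
        if m and int(m.group("sid")) in REFLECTOR_SIDS:
            hits.append((m.group("src"), m.group("dst")))
    return hits


@dataclass
class Hold:
    expires: float  # time at which the route is withdrawn to probe the host
    hold: float     # length of this hold; doubles each time the attack resumes


@dataclass
class BlackholeController:
    local_as: int = 65001            # assumed
    route_map: str = "BLACKHOLE"     # assumed bgpd route-map applied to the injected /32
    base_hold: float = 60.0          # seconds a fresh route stays in before the first probe
    max_hold: float = 3600.0         # cap on the doubling hold time
    quiet_window: float = 600.0      # no alerts this long after a withdrawal => attack is over
    active: dict = field(default_factory=dict)    # ip -> Hold
    probing: dict = field(default_factory=dict)   # ip -> (last hold, time withdrawn)

    def _bgpd(self, cmd):
        return (f"vtysh -d bgpd -c 'configure terminal' "
                f"-c 'router bgp {self.local_as}' -c '{cmd}'")

    def inject(self, ip):
        return self._bgpd(f"network {ip}/32 route-map {self.route_map}")

    def withdraw(self, ip):
        return self._bgpd(f"no network {ip}/32")

    def observe(self, reflectors, now):
        """Blackhole newly seen reflectors, or ones whose attack resumed after a probe."""
        cmds = []
        for ip in reflectors:
            if ip in self.active:
                continue  # already null-routed; its timer decides when to look again
            hold = self.base_hold
            if ip in self.probing:
                last_hold, withdrawn_at = self.probing.pop(ip)
                if now - withdrawn_at <= self.quiet_window:
                    hold = min(self.max_hold, 2 * last_hold)  # still under attack: back off
            self.active[ip] = Hold(expires=now + hold, hold=hold)
            cmds.append(self.inject(ip))
        return cmds

    def tick(self, now):
        """Withdraw expired holds so the host can be watched for renewed alerts."""
        cmds = []
        for ip, h in list(self.active.items()):
            if now >= h.expires:
                del self.active[ip]
                self.probing[ip] = (h.hold, now)
                cmds.append(self.withdraw(ip))
        for ip, (_, t) in list(self.probing.items()):
            if now - t > self.quiet_window:
                del self.probing[ip]  # stayed quiet: forget its back-off history
        return cmds

    def process(self, alert_lines, now):
        """One scheduler pass: expire old holds, then react to a batch of Snort alerts."""
        cmds = self.tick(now)
        cmds += self.observe([src for src, _ in parse_alerts(alert_lines)], now)
        return cmds


# Constructed sample alerts (not real traffic); RFC 5737 documentation addresses.
SAMPLE_ALERTS = [
    "05/01-22:35:12.123456  [**] [1:1000001:1] DOS SYN flood reflection [**] "
    "[Classification: Attempted Denial of Service] [Priority: 2] {TCP} 203.0.113.5:80 -> 198.51.100.7:3381",
    "05/01-22:35:12.223456  [**] [1:1000001:1] DOS SYN flood reflection [**] "
    "[Classification: Attempted Denial of Service] [Priority: 2] {TCP} 203.0.113.9:443 -> 198.51.100.7:3382",
    "05/01-22:35:13.000001  [**] [1:2000:3] WEB-MISC unrelated alert [**] "
    "[Classification: Web Application Attack] [Priority: 1] {TCP} 192.0.2.44:51022 -> 203.0.113.5:80",
    "garbage line that does not parse",
]

if __name__ == "__main__":
    ctl = BlackholeController()
    for cmd in ctl.process(SAMPLE_ALERTS, now=0.0):
        print(cmd)
    for cmd in ctl.tick(now=ctl.base_hold):   # first probe: withdraw and watch
        print(cmd)
```

The doubling hold is what keeps a weeks-long attack from generating a withdraw/re-inject pair every minute, while a few-second attack costs the host only one base hold; the quiet window resets the back-off so a host that was clean for a while starts over at the short hold if it is hit again later.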