North American Network Operators Group Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical Re: Effective ways to deal with DDoS attacks?
On Wed, 1 May 2002, Pete Kruckenberg wrote: > > On Wed, 1 May 2002, Richard A Steenbergen wrote: > > > "DDoS attacks" is such a generic term. There are a wide > > variety of attacks which each need to be handled in > > their own way, the extra "D" is just one possible twist. > > Can you explain what kind of attack you're interested > > in? > > We experience a lot of types of attacks ("education/research > network" = "easy hacker target"). With DDoS incidents, it > seems we are more often an unknowing/unwilling participant > than the target, partly due to owning big chunks of IP > address space. > > We most frequently are the zombie/reflector participants in > an attack that originates outside our network, to a target > outside our network. As many as 8,000 hosts on our network > are reflecting SYN floods in the current attacks. Sounds like its time for a firewall on your network :) > > Identification doesn't seem to be a problem. Snort is doing > far too well notifying us. Responding and managing all of > the defenses is becoming a lot of pain-staking work, and > error-prone (why can't Cisco make ACLs easier to manage). > they aren't tough to 'manage' they are sometimes tough to live with though :( > Our approach so far has been temporary blocks (via ACL) of > the target address. Blocking 8,000 internal addresses, many > legitimate (secured) Web servers, generates more complaints. > > I'm thinking about a scripted Zebra feed where route > injections are triggered by Snort. Routes for the target > and/or SYN flood reflector hosts could be injected > temporarily during the attack to border routers, which would > route-map those routes to Null0. Script periodically > withdraws routes to see if the attack is over (some of these > last weeks, some only last a few seconds), to minimize the > impact on those otherwise legitimate hosts. > This is a nice idea, anything 'scripted' is prone to abuse though ;( all of a sudden www.your.edu is dead.. on class registration day no less. > Has anyone tried this kind of an approach or any other type > of automated/efficient approach to dampen the "zombie" side > of the DDoS attack? >
|