North American Network Operators Group


Re: Effective ways to deal with DDoS attacks?

  • From: Pete Kruckenberg
  • Date: Thu May 02 01:31:45 2002

On Thu, 2 May 2002, Christopher L. Morrow wrote:

> Funny, you say 'secured' here...
>
> > These are not zombies. They are secured, uncompromised Web
> > servers. The attack spoofs the target address as the source,
[snip]
> and here you say: "printers and routers" Since when did
> they need to be accessible off campus? Additionally, why
> does a router need a web interface?? Printers are on the
> cusp, but they certainly don't need to be accessible from
> out of your LAN.

More clarification needed. We are not a campus network. We
are a state-wide research/education network, as in we are
the service provider to the various K-12 and higher-ed
institutions in the state (there is a network, not a
purchasing cooperative like many other state "networks").  

We are large in the sense that there are some 1,000 end
sites (each comparable in size to a mid- to large-size
enterprise) and a network that looks like many national
networks, but condensed into a single state. We tend to 
design and operate our network, and experience problems 
similar to a national-scale network.

Like almost every other service provider, we do not have the
luxury of simply putting a firewall at the border of our
network, since we do not have the ability to enforce
security policies any more than other service providers do.  
We also have the ability to suggest security policy and
block hosts or networks that interfere with network
operations, but it's not our business whether someone uses a
Web interface to their printer or router any more than it's
UUNet's business.

We do have a fairly aggressive security group that
identifies compromised machines and assists customers in
properly securing them. We can be fairly certain that the
way these hosts are responding to this DoS attack is not as
a result of being compromised, but a "normal" IP stack
implementation.

As such, though we are a state education service provider,
it seems that these kinds of attacks are most likely
pervasive on all networks, and probably are going on all the
time. One advantage we have is a close relationship with our
customers, which allows us to use tools such as IDS and
Netflow in conjunction with information about the customer
implementation to identify what is a bona fide attack.

Pete.
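As an added illustration of the NetFlow-based identification Pete mentions (example code written for this archive page, not from the original thread or any NANOG participant): it groups simplified flow records by external destination and flags destinations that receive handshake replies (SYN+ACK only, no data) from many distinct internal servers, which is what uncompromised hosts with a normal IP stack produce when they answer spoofed SYNs. The CSV layout, the constructed sample flows, the 10.20.0.0/16 "internal" prefix and the reflector threshold are all assumptions.

```python
from collections import defaultdict

SYN, PSH, ACK = 0x02, 0x08, 0x10
INTERNAL_PREFIX = "10.20."  # assumption: address space of the servers we serve

# Constructed, simplified flow records (not a real NetFlow export):
# src_ip,dst_ip,proto,src_port,dst_port,tcp_flags,packets,bytes
# Five servers each retransmit an unanswered SYN-ACK (5 pkts) to one outside host.
SAMPLE_FLOWS = """\
10.20.1.5,198.51.100.7,6,80,3127,0x12,5,300
10.20.2.9,198.51.100.7,6,80,3127,0x12,5,300
10.20.3.14,198.51.100.7,6,443,3127,0x12,5,300
10.20.4.2,198.51.100.7,6,80,3127,0x12,5,300
10.20.5.77,198.51.100.7,6,80,3127,0x12,5,300
10.20.1.5,203.0.113.9,6,80,51234,0x18,120,140000
10.20.9.3,203.0.113.10,6,22,49152,0x12,5,300
"""

def parse_flows(text):
    """Parse the constructed CSV flow lines into dicts with numeric fields."""
    flows = []
    for line in text.strip().splitlines():
        src, dst, proto, sport, dport, flags, pkts, byts = line.split(",")
        flows.append({
            "src": src, "dst": dst, "proto": int(proto),
            "sport": int(sport), "dport": int(dport),
            "flags": int(flags, 16), "pkts": int(pkts), "bytes": int(byts),
        })
    return flows

def is_bare_synack(flow):
    """TCP flow carrying only SYN+ACK: a handshake reply nobody completed."""
    only_synack = (flow["flags"] & (SYN | ACK)) == (SYN | ACK)
    return flow["proto"] == 6 and only_synack and not (flow["flags"] & PSH)

def find_reflection_victims(flows, min_reflectors=4):
    """Return external destinations hit by bare SYN-ACKs from many internal servers."""
    per_dst = defaultdict(lambda: {"reflectors": set(), "pkts": 0, "ports": set()})
    for f in flows:
        if f["src"].startswith(INTERNAL_PREFIX) and is_bare_synack(f):
            s = per_dst[f["dst"]]
            s["reflectors"].add(f["src"])   # distinct servers being reflected off
            s["pkts"] += f["pkts"]          # retransmitted SYN-ACK volume
            s["ports"].add(f["sport"])      # service ports the spoofed SYNs hit
    return {dst: {"reflectors": len(s["reflectors"]), "pkts": s["pkts"],
                  "server_ports": sorted(s["ports"])}
            for dst, s in per_dst.items() if len(s["reflectors"]) >= min_reflectors}

if __name__ == "__main__":
    print(find_reflection_victims(parse_flows(SAMPLE_FLOWS)))
```

The single SYN-ACK to 203.0.113.10 stays below the threshold and the data-carrying flow (PSH set) is ignored, so only the destination being hit from five servers is reported.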