North American Network Operators Group


Re: Effective ways to deal with DDoS attacks?

  • From: Hank Nussbacher
  • Date: Thu May 02 04:11:17 2002

At 01:49 AM 02-05-02 +0100, Avleen Vig wrote:

> As time goes by, tools are being developed (in fact they're used now) that
> completely randomize the TCP or UDP ports attacked, or use a variety of
> icmp types in the attack.
> So currently the only way you can 'block' such attacks is to block all
> packets for the offending protocol as far upstream as you possibly can,
> but this is not ideal.
>
> If you're being attacked by a SYN flood, you can try to rate-limit the
> flood at your border (possible on Cisco IOS 12.0 and higher, and probably
> other routers too?)
ACLs have been a good tool for the past number of years to stop DOS attacks but they suffer one very bad feature - they throw away the good packets along with the bad packets. The same goes for CAR. The same goes for taking a /32 and null routing it. Consider Amazon being hit with a DDOS attack from random spoofed IPs to their web site. You can't block on source IP since it is random. If you block on destination IP - you end up taking Amazon off the network (the ultimate aim of the attacker) at a daily revenue loss of over $1M.

Therefore, the solutions in the future will be mechanisms that can filter and sieve the bad packets out and let the good packets through.

Disclosure: I consult to an anti-DDOS company with this philosophy.

Hank
Consultant
Riverhead Networks (formerly Wanwall Networks)
www.riverhead.com

> If you're being smurfed, you can block ICMP Echo Replies inbound to the
> target IP.
>
> It all depends on the TYPE of attack.
>
> Having said that, it's only a matter of time before somebody releases a
> tool that saturates a line by spoofing the source, randomizing the
> protocol, and ports, and maybe even attacking other hosts on the same
> subnet, etc etc.
>
> The only thing you can try and do is work with your upstream provider and
> try to trace the source of the attacks back, but that's incredibly
> difficult.
>
> As a side note, does anyone know the status of the ICMP Traceback
> proposal? The IETF draft expired yesterday:
> http://www.ietf.org/internet-drafts/draft-ietf-itrace-01.txt
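The thread's two points, that the right response depends on the type of attack and that destination-based ACLs, CAR and null routes throw away good packets along with the bad, can be made concrete on a small packet sample. The script below is an added illustration, not code from this thread or from Riverhead: it classifies a sample as a SYN flood, a smurf (echo-reply) flood or a randomized-port UDP flood, checks whether sources are spread out enough that source blocking is hopeless, and then scores the blunt filters mentioned above (null route the /32, drop echo replies to the target, drop SYNs to the target) by how many attack packets they catch versus how many legitimate packets they drop. All addresses are from the documentation ranges, every packet record is constructed, and the classification thresholds (0.6 share, 0.2 source spread) are assumptions chosen for the sample, not operational values.

```python
"""Classify a packet sample by attack type and measure what the blunt filters
discussed in this thread (null route, drop ICMP echo-reply, drop SYNs) take
out along with the attack. Added example, not from the thread; all packet
records are constructed, and the 'legit' flag is ground truth used only to
score the filters."""
from dataclasses import dataclass
import random

VICTIM = "192.0.2.10"  # constructed target address (documentation range)


@dataclass(frozen=True)
class Pkt:
    src: str
    dst: str
    proto: str            # "tcp", "udp" or "icmp"
    sport: int = 0
    dport: int = 0
    flags: str = ""       # TCP flags: "S" for a bare SYN, "A" for established
    icmp_type: int = -1   # 0 = echo reply, 8 = echo request
    legit: bool = True    # ground-truth label, used only for scoring


def synth_sample(kind, n_attack=300, seed=1):
    """Constructed traffic: 60 legitimate packets plus n_attack packets of the
    chosen kind ("syn", "smurf", "udp_random" or "none")."""
    rnd = random.Random(seed)
    pkts = []
    for i in range(50):   # web clients: 10 new connections, 40 established
        flags = "S" if i < 10 else "A"
        pkts.append(Pkt(f"198.51.100.{i % 10 + 1}", VICTIM, "tcp", 40000 + i, 80, flags))
    for i in range(5):    # monitoring hosts answering the victim's pings
        pkts.append(Pkt(f"203.0.113.{i + 1}", VICTIM, "icmp", icmp_type=0))
    for i in range(5):    # DNS answers to the victim's resolver
        pkts.append(Pkt("203.0.113.53", VICTIM, "udp", 53, 33000 + i))

    def spoofed():        # random spoofed source, as the thread describes
        return ".".join(str(rnd.randrange(1, 255)) for _ in range(4))

    for _ in range(n_attack):
        if kind == "syn":           # spoofed sources, fixed service port
            pkts.append(Pkt(spoofed(), VICTIM, "tcp", rnd.randrange(1024, 65536), 80, "S", legit=False))
        elif kind == "smurf":       # real reflector addresses sending echo replies
            pkts.append(Pkt(f"203.0.113.{rnd.randrange(1, 255)}", VICTIM, "icmp", icmp_type=0, legit=False))
        elif kind == "udp_random":  # spoofed sources and randomized ports
            pkts.append(Pkt(spoofed(), VICTIM, "udp", rnd.randrange(1024, 65536), rnd.randrange(1, 65536), legit=False))
    rnd.shuffle(pkts)
    return pkts


def classify(pkts, victim=VICTIM):
    """Return the attack kind plus the indicators it was decided on.
    Thresholds are assumptions tuned to the constructed sample."""
    tv = [p for p in pkts if p.dst == victim]
    n = len(tv)
    if n == 0:
        return {"kind": "no_traffic"}
    syn = sum(1 for p in tv if p.proto == "tcp" and p.flags == "S")
    echo_reply = sum(1 for p in tv if p.proto == "icmp" and p.icmp_type == 0)
    udp = [p for p in tv if p.proto == "udp"]
    ind = {
        "syn_share": syn / n,
        "echo_reply_share": echo_reply / n,
        "udp_share": len(udp) / n,
        "udp_port_spread": len({p.dport for p in udp}) / max(len(udp), 1),
        "source_spread": len({p.src for p in tv}) / n,   # ~1.0 means every packet has its own source
    }
    if ind["syn_share"] > 0.6:
        kind = "syn_flood"
    elif ind["echo_reply_share"] > 0.6:
        kind = "smurf"
    elif ind["udp_share"] > 0.6 and ind["udp_port_spread"] > 0.5:
        kind = "randomized_udp_flood"
    else:
        kind = "unclassified"
    ind["kind"] = kind
    # Blocking on source only helps when a few sources carry the traffic.
    ind["source_blocking_feasible"] = ind["source_spread"] < 0.2
    return ind


def collateral(pkts, drop):
    """Score a filter predicate: (attack_dropped, legit_dropped, legit_total)."""
    attack_dropped = sum(1 for p in pkts if not p.legit and drop(p))
    legit_dropped = sum(1 for p in pkts if p.legit and drop(p))
    legit_total = sum(1 for p in pkts if p.legit)
    return attack_dropped, legit_dropped, legit_total


# The blunt filters from the thread, expressed as predicates on a packet.
def null_route(victim=VICTIM):          # null-routing the /32
    return lambda p: p.dst == victim

def block_echo_reply(victim=VICTIM):    # ACL dropping ICMP echo replies to the target
    return lambda p: p.dst == victim and p.proto == "icmp" and p.icmp_type == 0

def drop_syn(victim=VICTIM):            # worst case of CAR on SYNs: every SYN exceeds the rate
    return lambda p: p.dst == victim and p.proto == "tcp" and p.flags == "S"


if __name__ == "__main__":
    filters = (("null route", null_route()), ("drop echo-reply", block_echo_reply()), ("drop SYN", drop_syn()))
    for kind in ("none", "syn", "smurf", "udp_random"):
        sample = synth_sample(kind)
        v = classify(sample)
        print(f"{kind:>10}: {v['kind']:<21} source_spread={v['source_spread']:.2f} "
              f"source_blocking_feasible={v['source_blocking_feasible']}")
        for name, flt in filters:
            a, l, t = collateral(sample, flt)
            print(f"            {name:<16} attack dropped {a:>3}, legit dropped {l:>2}/{t}")
```

Running it shows the trade-off Hank describes: the null route catches every attack packet for every kind but also drops all 60 legitimate packets; the echo-reply ACL is precise for the smurf sample yet still discards the five legitimate monitoring replies and does nothing against the other two floods; dropping SYNs stops the SYN flood at the cost of every new legitimate connection. The spoofed samples also report a source spread near 1.0, which is why per-source blocking is not an option for them.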