North American Network Operators Group


Re: Effective ways to deal with DDoS attacks?

  • From: measl
  • Date: Thu May 02 11:59:41 2002

On Thu, 2 May 2002, Christopher L. Morrow wrote:
> On Wed, 1 May 2002 [email protected] wrote:
> 
> 
> > True DDoS attacks, fortunately, are rarer than most people believe.  If they
> > were not, the Internet as we know it would look a lot more like a telephone
> > system in USSR-at-its-worst-days.  For example, of the two recent DDoS's I
> > have been on the receiving end of, the first was generating a little over
> > 300mbit/sec (steady for a prolonged time), and the second went over that by a
> > fair bit.  In both cases, we had core equipment (M20's and BSN5000's) fall
> > over and die trying to "work" the events.  Additionally, our upstream peers
> 
> Your M20 tipped over?? What were you doing? We regularly stop large
> (+100Mb->800Mb) attacks with less horsepower than this. Truthfully, a
> cisco is even capable of filtering (done right) at +200kpps...

I'm sorry, I was not clear here...  The M20 does great at simply pushing this
load to discard, but the overhead of what we were trying to do (extensive
filter lists to try and begin backtracing the actual skr1pt k1dd13
origin) was too much.  There is simply no good way to get back to the
ultimate source of truly distributed DoS attacks, which is, IMHO, the reason
these attacks are so prevalent - no fear of prosecution, no matter how much
collateral damage is inflicted.

> > also had core equipment fall over, and we all came to the [now obvious]
> > conclusion that the only way to stop these attacks was to completely null
> > route ourselves at our upstreams (they tried filter-fishing for specific data
> > which may have helped our investigation, but when their routers started
> > wheezing, we gave them the OK to just send us straight into the bit bucket
> > till it was over...)
> >
> 
> Hmm, this highlights the need to learn how to use the equipment, learn its
> boundaries and learn defenses inside these boundaries...

In the larger picture, my concern is with finding the source, so I can
prevent recurrence - a paradoxical problem considering that the short term
goal is to just stop the attack...

> 
> -Chris
> 
> 

-- 
Yours, 
J.A. Terranson
[email protected]

If Governments really want us to behave like civilized human beings, they
should give serious consideration towards setting a better example:
Ruling by force, rather than consensus; the unrestrained application of
unjust laws (which the victim-populations were never allowed input on in
the first place); the State policy of justice only for the rich and 
elected; the intentional abuse and occasionally destruction of entire
populations merely to distract an already apathetic and numb electorate...
This type of demagoguery must surely wipe out the fascist United States
as surely as it wiped out the fascist Union of Soviet Socialist Republics.

The views expressed here are mine, and NOT those of my employers,
associates, or others.  Besides, if it *were* the opinion of all of
those people, I doubt there would be a problem to bitch about in the
first place...
--------------------------------------------------------------------