North American Network Operators Group

Re: Effective ways to deal with DDoS attacks?

  • From: Christopher L. Morrow
  • Date: Thu May 02 12:11:38 2002


On Thu, 2 May 2002, Hank Nussbacher wrote:

>
> At 01:49 AM 02-05-02 +0100, Avleen Vig wrote:
>
> >As time goes by, tools are being developed (in fact they're used now) that
> >completely randomize the TCP or UDP ports attacked, or use a variety of
> >icmp types in the attack.
> >So currently the only way you can 'block' such attacks is to block all
> >packets for the offending protocol as far upstream as you possibly can,
> >but this is not ideal.
> >
> >If you're being attacked by a SYN flood, you can try to rate-limit the
> >flood at your border (possible on Cisco IOS 12.0 and higher, and probably
> >other routers too?)
>
> ACLs have been a good tool for the past number of years to stop DOS attacks
> but they suffer one very bad feature - they throw away the good packets
> along with the bad packets.  The same goes for CAR.  The same goes for
> taking a /32 and null routing it.  Consider Amazon being hit with a DDOS
> attack from random spoofed IPs to their web site.  You can't block on
> source IP since it is random.  If you block on destination IP - you end up
> taking Amazon off the network (the ultimate aim of the attacker) at a daily
> revenue loss of over $1M.

So, just filter and track quickly... move the block as far back as you
can. Have the customer remain agile also. :)
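
An added illustration, not part of the original thread: a small simulation of the point quoted above that a CAR-style rate limit keyed on the destination discards good packets along with the bad. The function names, packet rates and burst size are assumptions chosen for the example, and the traffic is constructed.

```python
import random
from collections import Counter

def police(packets, rate_pps, burst):
    """Token-bucket policer, the mechanism behind a CAR-style rate limit.

    packets: (timestamp_seconds, label) tuples sorted by time.
    Returns a Counter keyed by (label, "pass" | "drop").
    """
    tokens, last = float(burst), 0.0
    verdicts = Counter()
    for ts, label in packets:
        # Refill for the elapsed time, capped at the burst size.
        tokens = min(float(burst), tokens + (ts - last) * rate_pps)
        last = ts
        if tokens >= 1.0:
            tokens -= 1.0
            verdicts[(label, "pass")] += 1
        else:
            verdicts[(label, "drop")] += 1
    return verdicts

def constructed_traffic(seconds, legit_pps, attack_pps, seed=2002):
    """Constructed sample: SYNs to one destination at random arrival times.

    The labels exist only in this simulation. On the wire a spoofed SYN and
    a customer's SYN look alike, so the policer cannot use them.
    """
    rng = random.Random(seed)
    pkts = [(rng.uniform(0, seconds), "legit") for _ in range(seconds * legit_pps)]
    pkts += [(rng.uniform(0, seconds), "attack") for _ in range(seconds * attack_pps)]
    return sorted(pkts)

def drop_rate(verdicts, label):
    dropped = verdicts[(label, "drop")]
    return dropped / (dropped + verdicts[(label, "pass")])

def compare(seconds=10, legit_pps=100, attack_pps=9900, rate_pps=500, burst=50):
    """Drop rates for legit traffic alone, then for legit and attack together."""
    quiet = police(constructed_traffic(seconds, legit_pps, 0), rate_pps, burst)
    flood = police(constructed_traffic(seconds, legit_pps, attack_pps), rate_pps, burst)
    return {
        "legit_quiet": drop_rate(quiet, "legit"),
        "legit_flood": drop_rate(flood, "legit"),
        "attack_flood": drop_rate(flood, "attack"),
    }

if __name__ == "__main__":
    for name, rate in compare().items():
        print(f"{name}: {rate:.1%} dropped")
```

With these constructed rates the policer drops roughly the same share of legitimate SYNs as spoofed ones, because it has nothing but the destination to match on.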