North American Network Operators Group


Re: Effective ways to deal with DDoS attacks?

  • From: Richard A Steenbergen
  • Date: Thu May 02 12:25:24 2002

On Thu, May 02, 2002 at 08:54:05AM -0700, LeBlanc, Jason wrote:
> 
> uRPF and Radware DoShield, one DoShield per link between edge router and core
> router.  Use IDS (yes there is a way to capture all your traffic and
> analyze it, regardless of bandwidth, no it isn't one box) to identify a
> signature, build a filter, config filter on DoShield, up to ~200Mb/s per
> DoShield of filtering with zero impact to legit traffic.  Scale horizontally
> (add more links each with a DoShield on it) based on your ingress traffic.
> 
> I've seen many suggestions on this list, this is the only thing that works
> for huge (100Mb/s+) attacks.  eBay is likely the biggest target on the net,
> this works for us 90% of the time.  Is the HW expensive?  Yes. (~$35k per
> DoShield I think)  It works, it scales.  

You might want to take a look at CloudShield (www.cloudshield.com), they 
have what can only be described as a pretty impressive looking box for 
this kind of stuff.

> There is no way a Cisco router can handle filtering attacks past a
> certain point, nor is it capable of even filtering on some patterns in
> attack packets.  Juniper is better, but still lacks some filtering
> capabilities. Your router is a router, not a packet filter, give up
> trying to make it do this until someone builds this into an ASIC on the
> router.

That's what the IP2 does, match bytes in the headers and come back with a 
thumbs down or a thumbs up and a destination interface. It's really not 
that much harder to match the bytes for a dest port against a compiled 
ruleset and decide yes or no than it is to match the dest address against 
a forwarding table and decide which nexthop.

They CAN filter on anything in the headers, it's just a matter of
convincing them that the specific filter you want is something they should
add to their software language and microcode. I'm sure as a core router
vendor they must hear every feature request imaginable and not know which
ones to follow up on. If anyone from Juniper is listening, I can tell you
4 things to add which will stop all existing packet kiddie tools in their
tracks. But then again, I'd rather just have a language for bitmatching at
any offset. :)

-- 
Richard A Steenbergen <[email protected]>       http://www.e-gerbil.net/ras
PGP Key ID: 0x138EA177  (67 29 D7 BC E8 18 3E DA  B2 46 B3 D8 14 36 FE B6)
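As an added illustration of the "language for bitmatching at any offset" Richard asks for (this is example code written for this archive page, not anything from the post, from Juniper, or from the IP2 microcode): a small Python classifier that compiles rules of the form `base[offset:len]&mask==value` into byte-level tests and runs them against packets, first match wins, no match means accept. The `ip`/`l4` bases, the rule syntax, and the sample packets are all assumptions made for the example; the packets are constructed inline with zeroed checksums. The one thing worth noticing is the `l4` base: a transport-layer field like the UDP destination port is only at a fixed offset when the IP header carries no options, so a matcher that hard-codes `ip[22:2]` silently misses packets with an IHL of 6 or more, while one that rebases on the IHL does not.

```python
"""Toy offset-and-mask packet classifier (added example, not from the post).

Rule line syntax, one rule per line, first match wins, default accept:
    <accept|discard> <name> <test> [<test> ...]
    test := (ip|l4)[off[:len]][&0xMASK](==|!=)VALUE
`ip` offsets count from the start of the IPv4 header; `l4` offsets count from
the start of the transport header, i.e. after any IP options (IHL * 4).
"""
import re
import socket
import struct

_TEST_RE = re.compile(
    r"^(?P<base>ip|l4)\[(?P<off>\d+)(?::(?P<len>\d+))?\]"
    r"(?:&(?P<mask>0x[0-9a-fA-F]+))?(?P<op>==|!=)(?P<val>0x[0-9a-fA-F]+|\d+)$"
)


def ihl_bytes(pkt: bytes) -> int:
    """Length of the IPv4 header in bytes, options included."""
    return (pkt[0] & 0x0F) * 4


class Test:
    """One masked comparison of `len` bytes at a (possibly IHL-relative) offset."""

    def __init__(self, base, offset, length, mask, value, negate):
        self.base, self.offset, self.negate = base, offset, negate
        self.mask = mask.to_bytes(length, "big")
        self.value = (value & mask).to_bytes(length, "big")

    def matches(self, pkt: bytes) -> bool:
        start = self.offset + (ihl_bytes(pkt) if self.base == "l4" else 0)
        chunk = pkt[start:start + len(self.mask)]
        if len(chunk) != len(self.mask):
            return False  # field is not there (truncated packet): never matches, even for !=
        hit = bytes(c & m for c, m in zip(chunk, self.mask)) == self.value
        return hit != self.negate


def parse_test(text: str) -> Test:
    m = _TEST_RE.match(text)
    if not m:
        raise ValueError(f"bad test: {text!r}")
    length = int(m["len"] or 1)
    mask = int(m["mask"], 16) if m["mask"] else (1 << 8 * length) - 1
    return Test(m["base"], int(m["off"]), length, mask, int(m["val"], 0), m["op"] == "!=")


def compile_rules(text: str):
    """Compile rule text into [(name, action, [Test, ...]), ...], in order."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # strip comments and blank lines
        if not line:
            continue
        action, name, *tests = line.split()
        if action not in ("accept", "discard"):
            raise ValueError(f"bad action in rule {name!r}: {action}")
        rules.append((name, action, [parse_test(t) for t in tests]))
    return rules


def classify(rules, pkt: bytes):
    """Return (action, rule_name) for a packet; the thumbs up/down of the text."""
    if len(pkt) < 20 or (pkt[0] >> 4) != 4 or ihl_bytes(pkt) < 20:
        return ("discard", "malformed")  # not an IPv4 packet this filter can reason about
    for name, action, tests in rules:
        if all(t.matches(pkt) for t in tests):  # a rule with no tests is a catch-all
            return (action, name)
    return ("accept", "default")


# Constructed ruleset for the example: UDP to the echo port and non-first
# fragments are dropped, DNS is explicitly accepted, everything else passes.
RULES = compile_rules("""
discard udp-echo    ip[9]==17 l4[2:2]==7       # protocol UDP, dst port 7
discard fragments   ip[6:2]&0x1fff!=0          # fragment offset field non-zero
accept  dns         ip[9]==17 l4[2:2]==53
""")


def ipv4_udp(dport: int, frag: int = 0, options: bytes = b"", payload: bytes = b"x" * 16) -> bytes:
    """Build a constructed IPv4+UDP packet (checksums left zero; irrelevant here)."""
    assert len(options) % 4 == 0, "IP options must pad to a 4-byte boundary"
    ihl = 5 + len(options) // 4
    udp = struct.pack("!HHHH", 40000, dport, 8 + len(payload), 0) + payload
    hdr = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, ihl * 4 + len(udp), 1, frag,
                      64, 17, 0, socket.inet_aton("198.51.100.9"), socket.inet_aton("192.0.2.10"))
    return hdr + options + udp


def demo():
    """Run the ruleset over a few constructed packets; returns the verdicts."""
    cases = {
        "udp/7, no options": ipv4_udp(7),
        "udp/7, 4 bytes of IP options (IHL=6)": ipv4_udp(7, options=b"\x01" * 4),
        "udp/53": ipv4_udp(53),
        "udp/53, non-first fragment": ipv4_udp(53, frag=0x0010),
        "udp/53 truncated after 22 bytes": ipv4_udp(53)[:22],
        "IPv6 header bytes": b"\x60" + b"\x00" * 39,
    }
    return {label: classify(RULES, pkt) for label, pkt in cases.items()}


if __name__ == "__main__":
    for label, verdict in demo().items():
        print(f"{label:42s} -> {verdict[0]:7s} ({verdict[1]})")
```

The options case is the one to keep in mind when writing filters for real hardware: with four bytes of NOP options the UDP destination port moves from byte 22 to byte 26, and a rule written against a fixed offset would let the echo-port traffic through, so whatever bitmatch language a vendor exposes has to let you anchor on the transport header, not just on byte 0.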