North American Network Operators Group Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical Re: Effective ways to deal with DDoS attacks?
On Thu, May 02, 2002 at 08:54:05AM -0700, LeBlanc, Jason wrote: > > uRPF and Radware DoShield, one DoShield per link btw edge router and core > router. Use IDS (yes there is a way to capture all your traffic and > anaylyze it, regardless of bandwidth, no it isn't one box) to identify a > signature, build a filter, config filter on DoShield, up to ~200Mb/s per > DoShield of filtering with zero impact to legit traffic. Scale horizontally > (add more links each with a DoShield on it) based on your ingress traffic. > > I've seen many suggestions on this list, this is the only thing that works > for huge (100Mb/s+) attacks. eBay is likely the biggest target on the net, > this works for us 90% of the time. Is the HW expensive? Yes. (~$35k per > DoShield I think) It works, it scales. You might want to take a look at CloudShield (www.cloudshield.com), they have what can only be described as a pretty impressive looking box for this kind of stuff. > There is no way a Cisco router can handle filtering attacks past a > certain point, nor is it capable of even filtering on some patterns in > attack packets. Juniper is better, but still lacks some filtering > capabilities. Your router is a router, not a packet filter, give up > trying to make it do this until someone builds this into an ASIC on the > router. Thats what the IP2 does, match bytes in the headers and come back with a thumbs down or a thumbs up and a destination interface. It's really not that much harder to match the bytes for a dest port against a compiled ruleset and decide yes or no then it is to match the dest address against a forwarding table and decide which nexthop. They CAN filter on anything in the headers, it's just a matter of convincing them that the specific filter you want is something they should add to their software language and microcode. I'm sure as a core router vendor they must hear every feature request imaginable and not know which ones to follow up on. If anyone from Juniper is listening, I can tell you 4 things to add which will stop all existing packet kiddie tools in their tracks. But then again, I'd rather just have a language for bitmatching at any offset. :) -- Richard A Steenbergen <[email protected]> http://www.e-gerbil.net/ras PGP Key ID: 0x138EA177 (67 29 D7 BC E8 18 3E DA B2 46 B3 D8 14 36 FE B6)
|