North American Network Operators Group

Re: Is there a line of defense against Distributed Reflective attacks?
On Thu, 16 Jan 2003, Brad Laue wrote:

> Christopher L. Morrow wrote:
> > On Thu, 16 Jan 2003, hc wrote:
> >
> >>>Because syn cookies are available on routing gear??? Either way syn
> >>>cookies are not going to keep the device from sending a 'syn-ack' to the
> >>>'originating host'.
> >>
> >>True.. At least it will have some stop in the amount of attacks.
> >>
> >>It is quite unfortunate that it is impossible to control the 'ingress'
> >>point of attack flow. Whenever there is a DoS attack, the only way to
> >>drop it is to null route it (the method you have devised) over BGP
> >>peering, but that knocks the victim host off the 'net... :-(
> >
> > Sure, but this like all other attacks of this sort can be tracked... and
> > so the pain is over /quickly/ provided you can track it quickly :) Also,
> > sometimes null routes are ok.
>
> How quickly is quickly? Often times as has been my recent experience
> (part of my motivation for posting this thread) the flood is over before
> one can get a human being on the phone.

Once the call arrives and the problem is deduced it can be tracked in a
matter of minutes, like 6-10 at the fastest...

> What kinds of mechanisms exist for keeping track of the origins of
> something of this nature?

Normally that's not very productive as they are mostly owned boxes that
will be rebuilt and reowned in days :(