Security Basics mailing list archives
Re: mitigating ddos attacks
From: "tito.basa" <mochafrap () mix ph>
Date: Fri, 12 Nov 2004 15:44:02 +0800
Dan Duplito wrote:
> hi, guys. my apologies for the cross-post and if this topic was already posted before in this list... i've been googling around for anti-ddos solutions/appliances and would just like to get inputs from gurus here who already have an idea or have implemented real-world anti-ddos systems in their own network.

this is not a solution but an incident-response one :) what I know for large ISPs is to use various tools to detect the attacked and also the attackers.

I used to work for a telco/ISP and I've encountered DoS/DDoS so many times. In my case a baseline of normal network/system performance is stored using MRTG and network monitoring tools. When one client or a network link is found to be misbehaving, I'd scan for abnormal traffic, logs in firewalls/routers, or my favorite, netflow (from Cisco). There I can get the source/destination address of the attack. Once determined, I'd either null route, filter with ACLs (after tracing back to my network edge), or rate-limit. In most cases, I'd contact my upstreams to block the source and trace back. Problem is not all my uplinks can respond to my call, so it helps to have the ability to re-route traffic to a single link (if available) through BGP and ask just one uplink to do the trace/block (some problem is when addresses are spoofed). You need close coordination with your uplinks for this since filtering on your side won't help much as your links are now congested. Rate-limiting and logging can gather you evidence and a long list of addresses to track down later.

There is (used to be?) a clandestine mailing list of network operators which I used to be part of, who act on stopping DDoS on a network level using the procedures I described above. I'm no longer part of it though, but they require a vouching process for members to make sure no bad apples are there.

> i understand an anti-ddos appliance is not enough, but just the same, are these appliances worth it on their own (as opposed to load-balancing or scaling-out solutions)? what other technologies do i need to implement/know to mitigate such attacks?

The only one I saw was Cisco Riverhead, but it is too pricey for us and even useless if our uplinks have no idea what to do. What I did was to over-spec and re-design my network after attacks. Look at these for some ideas:

http://www.cymru.com/Documents/dos-and-vip.html
http://www.cymru.com/Documents/tracking-spoofed.html

Sound OK? :)
tito
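The detect-then-filter procedure tito describes above (a stored baseline, netflow to find the attacked host and the talkers, then null route / ACL / rate-limit, with the caveat that spoofed sources make per-source filtering useless) worked through as an added example; this is not code from the original thread or from any of the people in it. The flow records, baseline figures, thresholds, ACL numbers, rate and interface name are all constructed assumptions; the emitted lines use Cisco IOS syntax (static null route, numbered ACLs, CAR rate-limit).

```python
import csv
import io
from collections import Counter

WINDOW_SECONDS = 60           # the constructed records below cover one 60 s window
ALERT_FACTOR = 10             # flag a destination at 10x its stored baseline (assumption)
DEFAULT_BASELINE_PPS = 200    # for hosts with no MRTG history (assumption)

# Constructed NetFlow-style export, one aggregated flow per line.
FLOWS_CSV = """\
proto,src,sport,dst,dport,packets,bytes
6,198.51.100.5,33000,203.0.113.10,80,400000,16000000
6,198.51.100.6,33001,203.0.113.10,80,300000,12000000
17,192.0.2.77,53,203.0.113.10,1024,250000,100000000
17,192.0.2.78,53,203.0.113.10,1024,100000,40000000
6,192.0.2.9,51000,203.0.113.10,80,3000,1800000
6,192.0.2.9,51001,203.0.113.20,443,12000,9000000
"""

# Constructed baseline of normal packets/s per host, as MRTG/netflow history would give it.
BASELINE_PPS = {"203.0.113.10": 800, "203.0.113.20": 500}


def parse_flows(text):
    """Read the CSV export into dicts with numeric packet/byte counts."""
    flows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["packets"] = int(row["packets"])
        row["bytes"] = int(row["bytes"])
        flows.append(row)
    return flows


def packets_by_source(flows, dst):
    """Packet count per source address for one destination."""
    pkts = Counter()
    for f in flows:
        if f["dst"] == dst:
            pkts[f["src"]] += f["packets"]
    return pkts


def find_targets(flows, baseline=BASELINE_PPS, factor=ALERT_FACTOR, window=WINDOW_SECONDS):
    """Destinations whose packet rate exceeds factor x their baseline -> {dst: pps}."""
    pkts = Counter()
    for f in flows:
        pkts[f["dst"]] += f["packets"]
    hits = {}
    for dst, count in pkts.items():
        pps = count / window
        if pps > factor * baseline.get(dst, DEFAULT_BASELINE_PPS):
            hits[dst] = pps
    return hits


def top_sources(flows, dst, n=5):
    """The addresses to hand to the upstream, biggest talkers first."""
    return packets_by_source(flows, dst).most_common(n)


def looks_spoofed(flows, dst, min_sources=500, top_share=0.05):
    """Thousands of sources each sending a sliver is what a spoofed flood looks like
    in netflow; per-source ACLs are then pointless and only a filter on the victim
    address (here or at the upstream) helps.  Thresholds are assumptions."""
    pkts = packets_by_source(flows, dst)
    if not pkts:
        return False
    top = sum(c for _, c in pkts.most_common(5))
    return len(pkts) >= min_sources and top / sum(pkts.values()) < top_share


def mitigation_config(dst, sources, spoofed, edge_iface="GigabitEthernet0/0",
                      deny_acl=150, limit_acl=151, rate_bps=1_000_000):
    """IOS lines for the options in the post: a null route when the sources are fake,
    otherwise an edge ACL on the real sources plus a CAR rate limit on the victim so
    some traffic (and evidence) still gets through.  Interface, ACL numbers and rate
    are assumptions."""
    if spoofed:
        return [f"ip route {dst} 255.255.255.255 Null0"]
    lines = [f"access-list {deny_acl} deny ip host {src} host {dst} log" for src, _ in sources]
    lines.append(f"access-list {deny_acl} permit ip any any")
    lines.append(f"access-list {limit_acl} permit ip any host {dst}")
    lines.append(f"interface {edge_iface}")
    lines.append(f" ip access-group {deny_acl} in")
    lines.append(f" rate-limit input access-group {limit_acl} {rate_bps} "
                 f"{rate_bps // 8} {rate_bps // 4} conform-action transmit exceed-action drop")
    return lines


def spoofed_flood(dst, n_sources=2000, pkts_each=600):
    """Constructed flood: one small flow from each of n_sources fake addresses."""
    return [{"proto": "6", "src": f"100.{(i // 256) % 256}.{i % 256}.7", "sport": "40000",
             "dst": dst, "dport": "80", "packets": pkts_each, "bytes": pkts_each * 40}
            for i in range(n_sources)]


if __name__ == "__main__":
    for name, flows in (("real sources", parse_flows(FLOWS_CSV)),
                        ("spoofed sources", spoofed_flood("203.0.113.10"))):
        for dst, pps in find_targets(flows).items():
            spoofed = looks_spoofed(flows, dst)
            print(f"[{name}] {dst}: {pps:.0f} pps, spoofed={spoofed}")
            print("\n".join(mitigation_config(dst, top_sources(flows, dst), spoofed)))
```

Running it shows the two cases side by side: with a handful of real sources the victim is flagged at roughly 22x baseline and the script prints source ACLs plus a rate limit; with the constructed 2000-source flood the top five talkers carry under 1% of the packets, so it falls back to a null route on the victim, which is the same thing you would ask the upstream to do once your own link is already full.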
Current thread:
- mitigating ddos attacks Dan Duplito (Nov 05)
- Re: mitigating ddos attacks Kevin Willock (Nov 05)
- Re: mitigating ddos attacks tito.basa (Nov 12)
- Re: mitigating ddos attacks Kevin Willock (Nov 15)
- <Possible follow-ups>
- Re: mitigating ddos attacks Dan Duplito (Nov 08)