nanog mailing list archives

Re: DDos syn attack


From: "Christopher L. Morrow" <chris () UU NET>
Date: Mon, 30 Dec 2002 15:30:43 +0000 (GMT)



On 30 Dec 2002, Mike Hyde wrote:

> Just wondering how people have dealt with DDOS syn attacks on port 80 of
> a customer's server?  We had an attack a couple of days ago, and it

1) acl the traffic (Stop immediate pain)
2) blackhole ip in question
3) track via: http://www.secsup.org/Tracking/ to ingress points on your
network
4) acl traffic inbound there
5) remove blackhole and acl toward customer

Finish in ~10 mins... customer is back online and happy.

> overwhelmed both the customer's firewall and, when we tried to turn up
> filtering on a 7600 cisco router, the router also.  We ended up having
> the customer change his IP for the site under attack.  We were lucky in
> that the attack was against an IP and not the DNS name.
> --

This is also a very viable solution, provided the customer has provisioned
for this with lower TTLs on their DNS records, which a lot of people
(thankfully) don't do... also, sometimes customers don't know how to do
this, eh? :(
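An added illustration of the log-side work behind steps 1 to 4 above (locating the ingress points before filtering there). This is not code from this thread, from UUNET or from the secsup.org tracking page, which describes its own method; it only shows how one would aggregate ACL log output once a logging ACL matching TCP/80 traffic toward the victim has been applied on the candidate edge routers and their syslog is collected centrally. Router names, interfaces, addresses and the ACL numbers are hypothetical, and the log lines are constructed samples in the IOS `%SEC-6-IPACCESSLOGP` format with `log-input` (which records the receiving interface). The `syn` keyword in the generated filter is assumed to be supported on the platform in use and should be checked before deployment.

```python
"""Find where a SYN flood enters the network from ACL log lines.

Added example, not from the NANOG thread. Assumes IOS-style ACL logging
with "log-input" so each line carries the ingress interface. All hosts,
interfaces and addresses below are hypothetical/constructed.
"""
import re
from collections import Counter

# Constructed sample syslog lines (hypothetical routers edge-a/b/c, TEST-NET
# addresses). 192.0.2.10 is the attacked customer; 192.0.2.20 is unrelated.
SAMPLE_LOG = """\
Dec 30 15:20:01 edge-a %SEC-6-IPACCESSLOGP: list 120 permitted tcp 198.51.100.7(1024) (GigabitEthernet1/1 0000.0c11.2233) -> 192.0.2.10(80), 1 packet
Dec 30 15:20:01 edge-a %SEC-6-IPACCESSLOGP: list 120 permitted tcp 198.51.100.8(1025) (GigabitEthernet1/1 0000.0c11.2233) -> 192.0.2.10(80), 1 packet
Dec 30 15:20:02 edge-a %SEC-6-IPACCESSLOGP: list 120 permitted tcp 203.0.113.44(3000) (GigabitEthernet1/1 0000.0c11.2233) -> 192.0.2.10(80), 1 packet
Dec 30 15:20:02 edge-b %SEC-6-IPACCESSLOGP: list 120 permitted tcp 203.0.113.9(4000) (GigabitEthernet2/0 0000.0c44.5566) -> 192.0.2.10(80), 1 packet
Dec 30 15:20:03 edge-c %SEC-6-IPACCESSLOGP: list 120 permitted tcp 198.51.100.200(5000) (GigabitEthernet0/1 0000.0c77.8899) -> 192.0.2.20(80), 1 packet
Dec 30 15:25:01 edge-a %SEC-6-IPACCESSLOGP: list 120 permitted tcp 198.51.100.7(1024) (GigabitEthernet1/1 0000.0c11.2233) -> 192.0.2.10(80), 412 packets
Dec 30 15:25:01 edge-b %SEC-6-IPACCESSLOGP: list 120 permitted tcp 203.0.113.9(4000) (GigabitEthernet2/0 0000.0c44.5566) -> 192.0.2.10(80), 6 packets
Dec 30 15:25:02 edge-a %SEC-6-IPACCESSLOGP: list 120 permitted tcp 198.51.100.9(1026) (GigabitEthernet1/1 0000.0c11.2233) -> 192.0.2.10(80), 1 packet
Dec 30 15:25:03 edge-a %SEC-6-IPACCESSLOGP: list 120 permitted tcp 10.9.9.9(7) (GigabitEthernet1/1 0000.0c11.2233) -> 192.0.2.10(80), 1 packet
"""

# One IOS ACL log line; the "(iface mac)" group is only present with log-input.
LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]+) (?P<router>\S+) %SEC-6-IPACCESSLOGP: "
    r"list (?P<acl>\S+) (?P<action>permitted|denied) tcp "
    r"(?P<src>[\d.]+)\((?P<sport>\d+)\) "
    r"(?:\((?P<iface>\S+) (?P<mac>[0-9a-f.]+)\) )?"
    r"-> (?P<dst>[\d.]+)\((?P<dport>\d+)\), (?P<count>\d+) packets?$"
)


def parse_acl_log(text):
    """Parse ACL log lines into dicts; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["count"] = int(rec["count"])
            rec["dport"] = int(rec["dport"])
            records.append(rec)
    return records


def ingress_totals(records, victim, port=80):
    """Logged packets toward victim:port, summed per (router, ingress interface)."""
    totals = Counter()
    for r in records:
        if r["dst"] == victim and r["dport"] == port:
            totals[(r["router"], r["iface"] or "unknown")] += r["count"]
    return totals


def top_ingress(records, victim, port=80, share=0.9):
    """Smallest set of ingress points, busiest first, carrying >= share of the flood.
    These are the interfaces where the inbound ACL (step 4) belongs."""
    totals = ingress_totals(records, victim, port)
    total = sum(totals.values())
    chosen, acc = [], 0
    for key, n in totals.most_common():
        chosen.append(key)
        acc += n
        if acc >= share * total:
            break
    return chosen


def source_spread(records, victim, port=80):
    """Distinct source addresses seen. Many sources with a packet or two each
    (including bogus ones like 10.9.9.9) points at spoofing, which is why the
    thread filters by destination at the ingress rather than by source."""
    return len({r["src"] for r in records if r["dst"] == victim and r["dport"] == port})


def ingress_filter(victim, port=80, acl="121"):
    """Illustrative IOS extended ACL for the ingress interface: drop SYNs to the
    victim, pass everything else. ACL number and 'syn' keyword are assumptions."""
    return [
        f"ip access-list extended {acl}",
        f" deny tcp any host {victim} eq {port} syn",
        " permit ip any any",
    ]


if __name__ == "__main__":
    recs = parse_acl_log(SAMPLE_LOG)
    victim = "192.0.2.10"
    for (router, iface), n in ingress_totals(recs, victim).most_common():
        print(f"{router} {iface}: {n} packets")
    print("filter at:", top_ingress(recs, victim))
    print("distinct sources:", source_spread(recs, victim))
    print("\n".join(ingress_filter(victim)))
```

Run against the constructed sample, edge-a GigabitEthernet1/1 carries almost all of the flood and is the only place the inbound ACL needs to go; the blackhole toward the customer can then be lifted (step 5). In practice the 5-minute aggregated "N packets" lines are what make this usable, since per-packet logging on a busy router is itself a way to overwhelm it.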

