nanog mailing list archives

Re: Effective ways to deal with DDoS attacks?


From: "Christopher L. Morrow" <chris () UU NET>
Date: Thu, 2 May 2002 16:50:37 +0000 (GMT)

On Thu, 2 May 2002, Iljitsch van Beijnum wrote:

> On Wed, 1 May 2002, Pete Kruckenberg wrote:
>
> > There's been plenty of discussion about DDoS attacks, and my
> > IDS system is darn good at identifying them. But what are
> > effective methods for large service-provider networks (i.e.
> > ones where a firewall at the front would not be possible) to
> > deal with DDoS attacks?
>
> I'm working on something that should provide a solution to this for at
> least some subset of all attacks.
>
> Basically, it works like this: when you identify the target of the attack,
> you have traffic for those target addresses rerouted to a "filter box".
> This filter box then contains source address based filters to get rid of
> the attacking traffic.
>
> The idea is that a service provider could install one or more of those
> filter boxes (standard routers or multilayer switches) and have customers
> use standard BGP mechanisms to get the filter boxes to clean up the
> traffic. This should work as long as the number of source addresses is
> relatively limited, say below 20,000.

Congrats on re-inventing the wheel :( This is what
mazuu/arbor/wanwall (riverhead now?) all do... this is also the way
CenterTrack (tm Robert Stone) was kind of supposed to work.

As near as I can tell this doesn't scale too well in a large network. This
is a shame, but it's a reality. Additionally, 20k sources max? That's not
nearly enough; how many addresses are in 0/0? You should at least plan for
this contingency...

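The filter-box scheme Iljitsch describes above (victim prefixes diverted to a box that drops by source address and forwards the rest) and Chris's objection about the source-address limit, modelled as an added Python example. This is a constructed illustration, not code from either poster or from any of the products named; the class and function names, the 20,000-entry cap as a parameter, the /24 aggregation step and the addresses (documentation ranges and 10/8) are all assumptions. In the real scheme the diversion is done with BGP announcements; here `divert()` stands in for that.

```python
"""Toy model of the source-filtered "filter box" discussed in the thread.

Constructed example: a victim's prefixes are diverted to the box (in the real
scheme the customer announces them via BGP so the box attracts the traffic),
the box drops packets from listed attack sources and forwards the rest.
The max_sources cap stands in for the filter-table limit under discussion.
"""
import ipaddress
from collections import Counter


class FilterBox:
    """Drops traffic to diverted prefixes when it comes from a blocked source."""

    def __init__(self, max_sources=20_000):
        self.diverted = []              # victim prefixes rerouted to this box
        self.blocked_sources = []       # source prefixes to drop
        self.max_sources = max_sources  # hypothetical filter-table capacity
        self.stats = Counter()

    def divert(self, victim_prefix):
        self.diverted.append(ipaddress.ip_network(victim_prefix))

    def block_source(self, source_prefix):
        # Refuse rather than silently overflow: the operator must know when
        # the attack has more distinct sources than the box can filter.
        if len(self.blocked_sources) >= self.max_sources:
            raise OverflowError(f"source filter table full ({self.max_sources})")
        self.blocked_sources.append(ipaddress.ip_network(source_prefix))

    def handle(self, src, dst):
        """Classify one packet; returns 'not_diverted', 'dropped' or 'forwarded'."""
        src_ip = ipaddress.ip_address(src)
        dst_ip = ipaddress.ip_address(dst)
        if not any(dst_ip in net for net in self.diverted):
            verdict = "not_diverted"   # would never reach the box in reality
        elif any(src_ip in net for net in self.blocked_sources):
            verdict = "dropped"
        else:
            verdict = "forwarded"      # clean traffic goes on to the victim
        self.stats[verdict] += 1
        return verdict


# Constructed packets (documentation ranges): 192.0.2.0/24 is the victim.
SAMPLE_PACKETS = [
    ("198.51.100.7", "192.0.2.10"),    # listed attacker -> victim
    ("198.51.100.9", "192.0.2.10"),    # listed attacker -> victim
    ("203.0.113.5", "192.0.2.10"),     # legitimate client -> victim
    ("198.51.100.7", "192.0.2.200"),   # listed attacker -> another victim host
    ("198.51.100.7", "203.0.113.77"),  # destination not diverted
]


def run_demo():
    """Divert the victim prefix, list two attack sources, classify the samples."""
    box = FilterBox()
    box.divert("192.0.2.0/24")
    for attacker in ("198.51.100.7/32", "198.51.100.9/32"):
        box.block_source(attacker)
    for src, dst in SAMPLE_PACKETS:
        box.handle(src, dst)
    return dict(box.stats)


def aggregate_sources(addresses, prefixlen=24):
    """Collapse individual attack sources into the smallest covering prefixes."""
    nets = {ipaddress.ip_network(f"{a}/{prefixlen}", strict=False) for a in addresses}
    return list(ipaddress.collapse_addresses(nets))


def source_table_plan(sources, max_sources=20_000, prefixlen=24):
    """Does a per-host filter list fit, and how many entries does aggregation need?"""
    per_host = len(set(sources))
    aggregated = len(aggregate_sources(sources, prefixlen))
    return {
        "per_host_entries": per_host,
        "per_host_fits": per_host <= max_sources,
        "aggregated_entries": aggregated,
        "aggregated_fits": aggregated <= max_sources,
    }


def constructed_botnet(n_hosts=30_000, base="10.0.0.0"):
    """Constructed attack source list: n_hosts consecutive addresses from base."""
    start = int(ipaddress.ip_address(base))
    return [str(ipaddress.ip_address(start + i)) for i in range(n_hosts)]


if __name__ == "__main__":
    print(run_demo())
    print(source_table_plan(constructed_botnet()))
```

`run_demo()` shows the happy path: three attack packets dropped, one legitimate packet forwarded, one packet that was never diverted. `source_table_plan()` makes Chris's point concrete: 30,000 distinct sources will not fit a 20,000-entry per-host table, and the only way to stay under the cap is to aggregate to covering prefixes, which also drops every legitimate host sharing those prefixes. That collateral loss is the trade-off an operator accepts the moment the filter list is sized by source count rather than by destination.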