Re: Effective ways to deal with DDoS attacks?

["Christopher L. Morrow" <chris () UU NET>]

On Wed, 1 May 2002, Wojtek Zlobicki wrote:
> Where are providers drawing the line ?  Anyone have somewhat detailed
> published policies as to what a provider can do in order to protect their
> nework as a whole.
> At what point (strength of the attack) does a customers netblock (assuming a
> /24 for
> example) get null routed by whichever party.

Most providers likely have a policy similar to: "I can't sacrafice 1
my network for 1 customer". So, if the attack is sufficient to degrade
service on the ISP network most likely the customer under attack will get
null routed.

> > Anyways, some providers already allow you to set a community on a route,
> > and they will inturn "blackhole" it for you.  I believe Teleglobe does
> > this for some customers and I know UUNet does this for all customers.
>
> When the attack is distributed, having one or two providers (even if they
> are UUNET
> or Teleglobe) is just not enough.  Must private routing policy be developed
> in order to make my suggestion work.  The reason that so many methods likely
> fail are the difficulty of implementation and low implementation.

Hmm, perhaps FIRST customers should insist that their ISP have some 24/7
security contact that can actually help in the case of an attack. Today
there are very few that have this capability. I'd say from personal
experience that the number is way too small, even in the 'large' ISP arena
:(

More pressure from customers for real security would be a good start.