nanog mailing list archives
Re: handling ddos attacks
From: "Matt Buford" <matt () overloaded net>
Date: Thu, 20 May 2004 15:12:24 -0400
On Thursday, May 20, 2004 2:52 PM, Mark Kent wrote:
> I've been trying to find out what the current BCP is for handling ddos attacks. Mostly what I find is material about how to be a good net.citizen (we already are), how to tune a kernel to better withstand a syn flood, router stuff you can do to protect hosts behind it, how to track the attack back to the source, how to determine the nature of the traffic, etc.
This depends entirely on your definition of handling. To some people this means shutting down the victim to save the network as a whole. To others this means keeping everyone running smoothly, including the victim. The latter is preferred of course, but it is not for those who aren't willing to pay for it.
> But I don't care about most of that. I care that a gazillion pps are crushing our border routers (7206/npe-g1). Other than getting bigger routers, is it still the case that the best we can do is identify the target IP (with netflow, for example) and have upstreams blackhole it?
It sounds like you're willing to blackhole the victim. In that case, yes, netflow is highly useful in finding out just who is getting attacked. Once you have that information, you can either manually contact your upstreams to have them null route the destination IP, or better yet, arrange ahead of time for a way to send properly tagged BGP announcements to them to blackhole /32s anytime you want.

The alternative is to get bigger links, bigger routers, and protect the host. For bigger links and bigger routers, keep PPS in mind. Some attacks are large packets and large bandwidth, with low PPS. Other attacks are low bandwidth, but high PPS. I get hit pretty regularly with 500k-600k PPS of SYNs. While this only adds up to a few hundred megabits of traffic, that is a lot of PPS for many routers, firewalls, servers, or whatever else they might hit. Junipers, for example, have no problem with high PPS.

Second, you have to figure out how to protect the host(s). We've gone with Riverhead (recently bought by Cisco) and they work quite well. I've seen attacks as high as around 650k PPS of spoofed SYNs, and the site running on a single (relatively weak) server remains up and generally unaffected by the attack.
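The first step Buford describes, using netflow to find out who is being attacked, as an added example that is not part of the original post: a minimal NetFlow v5 parser that ranks destinations by packet count and counts single-SYN flows from distinct sources, which is how a spoofed SYN flood stands out from normal traffic. The datagram builder, the 203.0.113.0/24 source range and the 192.0.2.x victim addresses are constructed for the example.

```python
import struct
from collections import defaultdict
from ipaddress import ip_address, ip_network

# NetFlow v5 wire layout (network byte order): 24-byte header, then up to 30 48-byte records.
V5_HEADER = struct.Struct("!HHIIIIBBH")
V5_RECORD = struct.Struct("!IIIHHIIIIHHBBBBHHBBH")

def parse_v5(datagram):
    """Yield (src, dst, packets, tcp_flags, protocol) for each record in one datagram."""
    version, count = V5_HEADER.unpack_from(datagram)[:2]
    if version != 5:
        raise ValueError("not a NetFlow v5 datagram")
    offset = V5_HEADER.size
    for _ in range(count):
        r = V5_RECORD.unpack_from(datagram, offset)
        offset += V5_RECORD.size
        yield ip_address(r[0]), ip_address(r[1]), r[5], r[12], r[13]  # src, dst, dPkts, flags, prot

def top_targets(datagrams, n=3):
    """Rank destinations by packets, with distinct-source and SYN-only flow counts:
    a spoofed SYN flood shows as one victim, very many sources, one SYN per flow."""
    pkts, srcs, syn_only = defaultdict(int), defaultdict(set), defaultdict(int)
    for datagram in datagrams:
        for src, dst, p, flags, proto in parse_v5(datagram):
            pkts[dst] += p
            srcs[dst].add(src)
            if proto == 6 and (flags & 0x3F) == 0x02:  # TCP, SYN set, nothing else
                syn_only[dst] += 1
    ranked = sorted(pkts, key=lambda d: pkts[d], reverse=True)[:n]
    return [(str(d), pkts[d], len(srcs[d]), syn_only[d]) for d in ranked]

def build_v5(records, per_datagram=30):
    """Pack (src, dst, packets, tcp_flags, proto) tuples into v5 datagrams (sample input only)."""
    datagrams = []
    for i in range(0, len(records), per_datagram):
        chunk = records[i:i + per_datagram]
        body = b"".join(
            V5_RECORD.pack(int(ip_address(s)), int(ip_address(d)), 0, 1, 2, p, p * 40,
                           0, 0, 1025, 80, 0, f, pr, 0, 0, 0, 24, 24, 0)
            for s, d, p, f, pr in chunk)
        datagrams.append(V5_HEADER.pack(5, len(chunk), 0, 0, 0, 0, 0, 0, 0) + body)
    return datagrams

# Constructed sample (not from the list): 120 spoofed sources each send a single SYN
# to 192.0.2.10, while one ordinary ACK|PSH flow of 40 packets goes to 192.0.2.20.
SPOOFED = [(str(s), "192.0.2.10", 1, 0x02, 6)
           for s in list(ip_network("203.0.113.0/24").hosts())[:120]]
LEGIT = [("198.51.100.7", "192.0.2.20", 40, 0x18, 6)]
SAMPLE = build_v5(SPOOFED + LEGIT)
```

The victim is the destination whose packet and source counts are both large while nearly every flow is a lone SYN; on a real exporter the same ranking applied per export interval gives the PPS figure Buford talks about.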