nanog mailing list archives
Re: handling ddos attacks
From: "P.Schroebel" <crossfire () smsonline net>
Date: Thu, 20 May 2004 22:04:58 -0400
----- Original Message -----
From: "Paul Vixie" <vixie () vix com>
To: <nanog () merit edu>
Sent: Thursday, May 20, 2004 9:48 PM
Subject: Re: handling ddos attacks

> mark () noc mainstreet net (Mark Kent) writes:
>
> > I've been trying to find out what the current BCP is for handling ddos
> > attacks. Mostly what I find is material about ... But I don't care
> > about most of that. I care that a gazillion pps are crushing our border
> > routers (7206/npe-g1). Other than getting bigger routers, is it still
> > the case that the best we can do is identify the target IP (with
> > netflow, for example) and have upstreams blackhole it?
>
> that seems hardly worthwhile. ddos is astonishingly easier to launch than
> to defend against. if you stop a flow the attacker *might* get bored and
> decide to do something else, but they could also decide to attack you from
> a different direction, or wait two days and do it all over again, and every
> time they attack and you defend it's 10 minutes of their time and 10 hours
> of yours. far better to involve law enforcement and get some bad guys
> arrested, if you possibly can. this changes your costs from 10 hours to
> 15 hours but it actually puts some chips on the table and makes the game
> worthwhile.
> --
> Paul Vixie

Hey Paul!

Ok, I'll buy that right now; we have a DDoS Attack on our core nameservers from 66.165.10.24. Where do we start, do I call the police in Bellingham or Washington State Police. We have blocked their ips but, we know they will come in another way.

Peter

OrgName: Western Washington University
OrgID: WWU
Address: Computer Center
Address: 516 High Street
City: Bellingham
StateProv: WA
PostalCode: 98225
Country: US

NetRange: 66.165.0.0 - 66.165.31.255
CIDR: 66.165.0.0/19
NetName: WWU-RESIDENT-1
NetHandle: NET-66-165-0-0-2
Parent: NET-66-165-0-0-1
NetType: Reassigned
NameServer: VIKING.WWU.EDU
NameServer: HENSON.CC.WWU.EDU
Comment:
RegDate: 2002-08-15
Updated: 2002-08-15

TechHandle: JSW12-ARIN
TechName: Williams, J. Scott
TechPhone: +1-360-650-2868
TechEmail: scott () cc wwu edu