nanog mailing list archives

Re: Mitigating HTTP DDoS attacks?


From: Paul Vixie <vixie () isc org>
Date: 24 Mar 2008 23:34:58 +0000


mike.lyon () gmail com ("Mike Lyon") writes:

> So, I'm kind of new to this, so please deal with my ignorance.

:-).  on the internet, everybody's new to everything since it's all
changing every day.  if anybody grumps at you for your ignorance, or
says "i can't type that into an IOS prompt" then the fault is theirs.

> But, what is common practice these days for HTTP DDoS mitigation during
> an attack? You can of course route every offending IP address to null0 at
> your border. But, if it's a botnet or trojan or something, it's coming
> from numerous different source IPs and null0 routes can get very
> cumbersome, obviously. How do you folk usually deal with this?

i only use or recommend operating systems that have their own host based
firewalls.  soon that will mean pf (from openbsd but available on freebsd)
but right now that means ipfw.  ipfw has a "table" construct which uses a
data structure similar to the kernel's routing table.  with a little bit
of tuning, and using X86_64 to get more kernel memory map space than I386,
i've listed every member of 60K-node botnets in a table whose only use is
"if a SYN comes from here, silently drop it with no ICMP response".  with
more tuning work, a 200K-node botnet would pose no problem.  we populate
these tables with a perl script that watches the apache server's logfiles.
-- 
Paul Vixie
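The mechanism Paul describes has two halves: a firewall rule that silently drops SYNs from any source listed in an ipfw lookup table, and a script that watches the Apache log and feeds the table. The following is an added example of the log-watching half, written in Python rather than Perl and not the script from the post; it flags sources that exceed a request-rate threshold and emits the `ipfw table N add` commands. The threshold, window, table number and sample log lines are constructed, and the rule syntax assumed is classic FreeBSD ipfw.

```python
"""Watch an Apache access log and emit ipfw table entries for abusive sources.

Added example (not Paul Vixie's perl script). Assumes classic FreeBSD ipfw
table syntax; thresholds, table number and log lines below are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime

# Apache "combined" log format, e.g.
# 203.0.113.5 - - [24/Mar/2008:23:30:00 +0000] "GET / HTTP/1.1" 200 512 "-" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})'
)


def parse_line(line):
    """Return (ip, timestamp) for a combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts


def offenders(lines, threshold, window_s):
    """Source IPs that made >= threshold requests inside any window_s-second span."""
    times = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed:  # malformed lines are skipped, not trusted
            ip, ts = parsed
            times[ip].append(ts)
    flagged = set()
    for ip, stamps in times.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):  # sliding window over sorted timestamps
            while (stamps[end] - stamps[start]).total_seconds() > window_s:
                start += 1
            if end - start + 1 >= threshold:
                flagged.add(ip)
                break
    return flagged


def ipfw_commands(ips, table=1, already_blocked=frozenset()):
    """Commands adding new offenders to an ipfw lookup table (assumed classic syntax).

    Entries already in the table are skipped: ipfw refuses duplicate adds.
    """
    return [f"ipfw table {table} add {ip}" for ip in sorted(ips) if ip not in already_blocked]


# Rule that consumes the table (assumed syntax): "deny" drops with no ICMP or RST
# reply, "setup" matches only TCP SYN packets, "me" is any local address.
TABLE_RULE = "ipfw add 100 deny tcp from table(1) to me 80 setup"

# Constructed sample: one source bursting six requests in six seconds, one quiet
# source, and one malformed line.
SAMPLE_LOG = [
    f'203.0.113.5 - - [24/Mar/2008:23:30:0{s} +0000] "GET / HTTP/1.1" 200 512 "-" "ua"'
    for s in range(6)
] + [
    '198.51.100.7 - - [24/Mar/2008:23:30:01 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "ua"',
    '198.51.100.7 - - [24/Mar/2008:23:31:00 +0000] "GET /about.html HTTP/1.1" 200 1024 "-" "ua"',
    'this line is not an access log entry',
]

if __name__ == "__main__":
    # Print the commands instead of running them; pipe to sh on the firewall host.
    print(TABLE_RULE)
    for cmd in ipfw_commands(offenders(SAMPLE_LOG, threshold=5, window_s=10)):
        print(cmd)
```

In production the script would tail the live log and keep the set of addresses it has already added so each offender is inserted once; the table itself scales to the tens of thousands of entries mentioned above because ipfw looks it up as a radix tree rather than scanning rules.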

