On Wed, 1 May 2002, Pete Kruckenberg wrote:
There's been plenty of discussion about DDoS attacks,
and then again, there has been much discussion on simple DoS attacks, where the term DDoS is erroneously used... I am very much not trying to imply that this is the case here, but it's important that the two be thoroughly distinguished from each other - they are totally different things to deal with.
and my IDS system is darn good at identifying them.
Chances are your IDS is detecting simple DoS, or maybe tiny scale DDoS. Full DDoS attacks do not require and IDS to detect ;-) In fact, if your IDS doesn't tip over under the load of a full blown DDoS, I'd sure like to know what it's using for an engine...
But what are effective methods for large service-provider networks (ie ones where a firewall at the front would not be possible) to deal with DDoS attacks?
True DDoS attacks, fortunately, are rarer than most people believe. If they were not, the Internet as we know it would look a lot more like a telephone system in USSR-at-it's-worst-days. For example, of the two recent DDoS's I have been on the receiving end of, the first was generating a little over 300mbit/sec (steady for a prolonged time), and the second went over that by a fair bit. In both cases, we had core equipment (M20's and BSN5000's) fall over and die trying to "work" the events. Additionally, our upstream peers also had core equipment fall over, and we all came the [now obvious] conclusion that the only way to stop these attacks was to completely null route ourselves at our upstreams (they tried filter-fishing for specific data which may have helped our investigation, but when their routers started wheezing, we gave them the OK to just send us straight into the bit bucket till it was over...
Current method of updating ACLs with the source and/or destination are slow and error-prone and hard to maintain (especially when the target of the attack is a site that users would like to access).
We captured several seconds of the last DDoS and came up with over 700 participating hosts...
A rather extensive survey of DDoS papers has not resulted in much on this topic.
What processes and/or tools are large networks using to identify and limit the impact of DDoS attacks?
A great deal of thought is being expended on this question, I am certain, however, how many of these thought campaings have born significant fruit yet, I do not know.
Thanks. Pete.
-- Yours, J.A. Terranson sysadmin@mfn.org If Governments really want us to behave like civilized human beings, they should give serious consideration towards setting a better example: Ruling by force, rather than consensus; the unrestrained application of unjust laws (which the victim-populations were never allowed input on in the first place); the State policy of justice only for the rich and elected; the intentional abuse and occassionally destruction of entire populations merely to distract an already apathetic and numb electorate... This type of demogoguery must surely wipe out the fascist United States as surely as it wiped out the fascist Union of Soviet Socialist Republics. The views expressed here are mine, and NOT those of my employers, associates, or others. Besides, if it *were* the opinion of all of those people, I doubt there would be a problem to bitch about in the first place... --------------------------------------------------------------------