On Thu, 2 May 2002, Iljitsch van Beijnum wrote:
On Wed, 1 May 2002, Pete Kruckenberg wrote:
There's been plenty of discussion about DDoS attacks, and my IDS system is darn good at identifying them. But what are effective methods for large service-provider networks (i.e., ones where a firewall at the front would not be possible) to deal with DDoS attacks?
I'm working on something that should provide a solution to this for at least some subset of all attacks.
Basically, it works like this: when you identify the target of the attack, you have traffic for those target addresses rerouted to a "filter box". This filter box then contains source-address-based filters to get rid of the attacking traffic.
The idea is that a service provider could install one or more of those filter boxes (standard routers or multilayer switches) and have customers use standard BGP mechanisms to get the filter boxes to clean up the traffic. This should work as long as the number of source addresses is relatively limited, say below 20,000.
Congrats on re-inventing the wheel :( This is what Mazu/Arbor/Wanwall (Riverhead now?) all do... this is also the way CenterTrack (tm Robert Stone) was kind of supposed to work. As near as I can tell this doesn't scale too well in a large network. This is a shame, but it's a reality. Additionally, 20k sources max? That's not nearly enough; how many addresses are in 0/0? You should at least plan for this contingency...
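To make the divert-and-filter scheme from Iljitsch's message concrete, here is an added model of it in Python. It is not code from the thread or from any of the products named in the reply: the community value 65000:666, the host names, the /24 aggregation rule and the traffic sample are all constructed for the illustration. The customer tags the victim's /32 with a community, the provider installs that route with the filter box as next hop, and the filter box drops packets whose source matches its list. The aggregation helper also shows the trade-off behind the "relatively limited number of sources" condition: collapsing many attacking hosts into a few prefixes keeps the entry count down at the cost of blocking innocent neighbours in those prefixes.

```python
"""Constructed model of 'divert the victim prefix to a filter box, then
filter by source address'. Illustration only: the community value, the
host names and the traffic sample are assumptions, not from the thread."""
import ipaddress
from collections import Counter

CUSTOMER = "customer-edge"      # assumed: normal next hop for the victim's prefix
FILTER_BOX = "filter-box"       # assumed: the scrubbing router
DIVERT_COMMUNITY = "65000:666"  # assumed: community the customer attaches


class ProviderRouter:
    """Provider edge: longest-prefix match, but any route carrying the
    diversion community is installed with the filter box as next hop."""

    def __init__(self):
        self.routes = []  # list of (network, next_hop)

    def learn(self, prefix, communities=()):
        net = ipaddress.ip_network(prefix)
        next_hop = FILTER_BOX if DIVERT_COMMUNITY in communities else CUSTOMER
        self.routes.append((net, next_hop))

    def next_hop(self, dst):
        addr = ipaddress.ip_address(dst)
        matches = [(net, nh) for net, nh in self.routes if addr in net]
        if not matches:
            return None
        return max(matches, key=lambda m: m[0].prefixlen)[1]


class FilterBox:
    """Source-address filter in front of the victim. Entries are capped to
    model the ACL-size limit the scheme depends on."""

    def __init__(self, blocked_sources, max_entries=20000):
        self.blocked = [ipaddress.ip_network(s) for s in blocked_sources]
        if len(self.blocked) > max_entries:
            raise ValueError(f"{len(self.blocked)} entries exceed the {max_entries} limit")

    def forward(self, src):
        addr = ipaddress.ip_address(src)
        if any(addr in b for b in self.blocked):
            return "dropped"
        return CUSTOMER


def aggregate_sources(sources, prefixlen=24, threshold=4):
    """Collapse a list of attacking hosts into ACL entries: any /prefixlen
    block contributing at least `threshold` sources is blocked whole (the
    collateral-damage trade-off); the rest stay as single-host entries."""
    by_block = Counter(
        ipaddress.ip_network(f"{s}/{prefixlen}", strict=False) for s in sources
    )
    entries = []
    for s in sources:
        block = ipaddress.ip_network(f"{s}/{prefixlen}", strict=False)
        if by_block[block] < threshold:
            entries.append(ipaddress.ip_network(s))
    entries.extend(b for b, n in by_block.items() if n >= threshold)
    return sorted(set(entries))


def deliver(router, box, packets):
    """Walk (src, dst) packets through the provider edge and, when diverted,
    the filter box; returns a Counter of where each packet ended up."""
    outcome = Counter()
    for src, dst in packets:
        hop = router.next_hop(dst)
        if hop == FILTER_BOX:
            hop = box.forward(src)
        outcome[hop] += 1
    return outcome


def demo():
    # Constructed sample: the customer holds 192.0.2.0/24 and 192.0.2.10 is
    # under attack, so it announces the /32 with the diversion community.
    router = ProviderRouter()
    router.learn("192.0.2.0/24")
    router.learn("192.0.2.10/32", communities=[DIVERT_COMMUNITY])

    # 40 hosts from one /24 plus two stragglers from another (constructed).
    attackers = [f"203.0.113.{i}" for i in range(1, 41)] + ["198.51.100.7", "198.51.100.200"]
    acl = aggregate_sources(attackers)   # 42 hosts -> 3 entries
    box = FilterBox(acl)

    packets = [(a, "192.0.2.10") for a in attackers]        # attack traffic
    packets += [("198.51.100.9", "192.0.2.10")] * 3          # legitimate, diverted, passes
    packets += [("198.51.100.9", "192.0.2.20")] * 2          # other host, never diverted
    return acl, deliver(router, box, packets)


if __name__ == "__main__":
    acl, outcome = demo()
    print("ACL entries:", [str(e) for e in acl])
    print("outcome:", dict(outcome))
```

The threshold in aggregate_sources is where the scaling question in the reply bites: with a low threshold the ACL stays small but legitimate hosts sharing a /24 with attackers are dropped too, and with a high threshold a source list spread across the whole address space cannot be fitted under the entry cap at all, which is what the FilterBox constructor refuses.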