Hi Mike, Depending upon the type of DDOS, there are five things you should do in order: 1. immediate response: set your host based security to mitigate the attack. E.g. mod_security for Apache web server, IPTables for host firewall. This will keep the hard drives from filling up, the cpu from smoking, etc. 2. second response: gateway router or border firewall. Filter that stuff out if you can. This will keep your internal network clean so it won't affect your other systems. One quickie *temporary* fix would be to block whole networks of DSL/Cable modems. There are lists out there specifically for this--always-on broadband home PCs are a often the compromised sources of attacks. 3. third response: contact your upstream providers and ask them to take action. They can apply filters, and apply pressure to their colos. 4. make sure you have done your part: secure your network so it cannot be used for DOS attacks by applying egress filtration etc. ( http://www.sans.org/dosstep/ ); secure your hosts against future DOS attacks using things like mod_security and mod_evasive for Apache, tcplimit for IPTables, or etc. One caveat: bandwidth flooding effects can be mitigated, but you can't really do anything about it other than contacting your upstream provider. Until your provider does something, the bottleneck here is your uplink. --Patrick Darden -----Original Message----- From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu]On Behalf Of Mike Lyon Sent: Monday, March 24, 2008 6:02 PM To: NANOG Subject: Mitigating HTTP DDoS attacks? Howdy all, So, i'm kind of new to this so please deal with my ignorance. But, what is common practice these days for HTTP DDoS mitigation during an attack? You can of course route every offending ip address to null0 at your border. But, if it's a botnet or trojan or something, It's coming from numerous different source IPs and Null0 routes can get very cumbersome. obviously. How do you folk usually deal with this? Any input would be greatly appreciated. Cheers, Mike