On Wed, May 01, 2002 at 08:56:16PM -0600, Pete Kruckenberg wrote:
> Sorry, I should have been more clear.
>
> My issue (currently) is not being the target of the DDoS attack, but being an (unwilling) participant. People outside our network are launching DDoS attacks (distributed SYN floods) against destinations outside our network, using about 8,000 Web server hosts on our network as reflectors.

Neat, and totally not what people expect when you say "victim of a DDoS attack".

> These are not zombies. They are secured, uncompromised Web servers. The attack spoofs the target address as the source, and one of our machines as a destination, port 80. Getting everyone to implement defenses (SYN cookies) on their Web servers is nearly impossible (most don't even have a defense--printers and routers with Web interfaces).

That's not a defense anyways, SYN cookies still send replies (which is what the attacker wants), they just don't store state information (which is probably not an issue anyways, unless their stack is REALLY bad or old it's probably not going to care that much).

> SYN packet comes in, one of these machines responds with an RST to the "source", which is actually the target of the attack. Unfortunately, the target is often a site that people would like to get to, as is the reflector, so permanent filters on the target or reflector create lots of complaints.
You have an interesting situation. I think rate limiting outbound RSTs would be the least offensive thing you could do, off the top of my head.

-- 
Richard A Steenbergen <ras@e-gerbil.net>       http://www.e-gerbil.net/ras
PGP Key ID: 0x138EA177 (67 29 D7 BC E8 18 3E DA B2 46 B3 D8 14 36 FE B6)
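Two pieces of the situation above lend themselves to a small worked example: spotting that one "source" address is hitting hundreds of distinct hosts on our network on port 80 (the signature of a spoofed victim rather than a real client), and the per-destination rate limit on outbound RSTs that Richard suggests. The code below is an added illustration, not anything from the thread or from either author; the traffic it runs over is constructed inline, the addresses are RFC 5737 documentation prefixes standing in for "our network" and outside hosts, and the thresholds (50 reflectors, 10 RSTs/s with a burst of 20) are assumed values you would tune to real traffic.

```python
"""Detect abuse of our web servers as SYN reflectors and rate-limit the
outbound RSTs they emit.  Added example with constructed sample traffic,
not captured data.  Address ranges are RFC 5737 documentation prefixes
used as placeholders for 'our network' and for outside hosts."""
from collections import defaultdict
from dataclasses import dataclass
from fractions import Fraction

OUR_PREFIX = "192.0.2."   # assumed placeholder for the reflector network


@dataclass(frozen=True)
class Packet:
    t_us: int      # timestamp in microseconds (integers keep the bucket math exact)
    src: str
    dst: str
    dport: int
    flags: str     # TCP flag letters: "S" SYN, "SA" SYN-ACK, "R" RST


def build_sample_traffic():
    """Constructed trace: 200 spoofed SYNs (one per reflector), each answered
    by an RST aimed at the spoofed source, plus one legitimate client whose
    three SYNs get ordinary SYN-ACKs from a single server."""
    pkts = []
    victim = "198.51.100.7"   # the spoofed source, i.e. the real target
    for i in range(200):
        reflector = f"{OUR_PREFIX}{i + 1}"
        pkts.append(Packet(i * 1000, victim, reflector, 80, "S"))
        pkts.append(Packet(i * 1000 + 500, reflector, victim, 1024, "R"))
    client = "203.0.113.5"
    for i in range(3):
        pkts.append(Packet(50_000 + i * 1000, client, f"{OUR_PREFIX}10", 80, "S"))
        pkts.append(Packet(50_000 + i * 1000 + 500, f"{OUR_PREFIX}10", client, 1024, "SA"))
    return sorted(pkts, key=lambda p: p.t_us)


def find_spoofed_victims(packets, min_reflectors=50):
    """One claimed source sending SYNs to many distinct hosts of ours on port 80
    is far more likely a spoofed victim address than a genuine client.
    Returns {source: number of distinct reflectors} for sources over the threshold."""
    targets = defaultdict(set)
    for p in packets:
        if p.flags == "S" and p.dport == 80 and p.dst.startswith(OUR_PREFIX):
            targets[p.src].add(p.dst)
    return {src: len(d) for src, d in targets.items() if len(d) >= min_reflectors}


def rate_limit_outbound_rsts(packets, rate_per_s=10, burst=20):
    """Per-destination token bucket applied only to RSTs leaving our network.
    Everything else is forwarded untouched.  Returns (forwarded, dropped)."""
    tokens = {}       # destination -> remaining tokens (exact Fractions)
    last_seen = {}    # destination -> timestamp of last RST towards it
    forwarded, dropped = [], []
    for p in packets:
        if not (p.flags == "R" and p.src.startswith(OUR_PREFIX)):
            forwarded.append(p)
            continue
        bucket = tokens.get(p.dst, Fraction(burst))
        elapsed_us = p.t_us - last_seen.get(p.dst, p.t_us)
        # refill at rate_per_s tokens per second, never above the burst size
        bucket = min(Fraction(burst), bucket + Fraction(elapsed_us * rate_per_s, 1_000_000))
        last_seen[p.dst] = p.t_us
        if bucket >= 1:
            tokens[p.dst] = bucket - 1
            forwarded.append(p)
        else:
            tokens[p.dst] = bucket
            dropped.append(p)
    return forwarded, dropped


if __name__ == "__main__":
    trace = build_sample_traffic()
    print("likely spoofed victims:", find_spoofed_victims(trace))
    fwd, drop = rate_limit_outbound_rsts(trace)
    print(f"RSTs forwarded: {sum(p.flags == 'R' for p in fwd)}, dropped: {len(drop)}")
```

Keying the bucket on the destination is what makes this the "least offensive" option: the 200 RSTs bound for the one spoofed address are squeezed down to the burst plus the trickle the rate allows, while the SYN-ACKs to the real client never touch the limiter. The detector output is the more useful half operationally, since it tells you which address is being attacked without having to filter it outright.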