Sean,

What you can do is enforce policy on your AS boundaries which:

- rate limits ICMP
- counts ICMP to detect floods; a monitoring script on your NMS can determine when the ICMP threshold has been exceeded and then determine the source and dest of the bulk of that ICMP traffic, then change your filters to discard ICMP to the host under attack while in parallel notifying the NOC of the source or intermediary involved
- for SYN floods there may be no way to stop them, but early warning can be achieved by counting both TCP SYN and total TCP; when the ratio of TCP SYN to TCP exceeds your threshold you can notify the NOC of the incoming intfc.

When you understand the characteristics of the attacks or probes you are trying to stop, there are some powerful filtering and counting techniques which can be left in place at your edges and used in conjunction with monitoring scripts.

Thanks Sean

--- Sean Donelan <sean@donelan.com> wrote:
Ok, Yahoo, Ebay, Amazon and Microsoft have all made essentially the same statement after being hit by a DDOS: "taken steps to improve protection of their networks from this type of attack."
My question is: what are these steps, and why can't people take them before they experience a DDOS?

Is there some magic command I can put into my router to help protect my network from a DDOS, or is this just PR fluff to make it look like the corporation is doing something? But in reality there is nothing you can do but wait for the attacker to get bored and stop on their own.
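The counting-and-reacting scheme sketched in the reply above, as an added example that is not part of the original thread: an NMS-side script that takes one polling interval's counter deltas from an edge interface, compares ICMP packets/sec and the SYN:TCP ratio against thresholds, picks the busiest source and destination out of flow records for the offending protocol, and emits an ICMP discard filter for the victim plus the data the NOC needs. The thresholds, the interface name, the Cisco IOS-style `access-list 110` lines, and the counter and flow samples are all constructed assumptions for the example; nothing here comes from the list posting.

```python
"""Edge-counter DDoS early-warning logic (added example, constructed data)."""
from collections import Counter
from dataclasses import dataclass

# Thresholds are assumptions for the example; derive real ones from the link's baseline.
ICMP_PPS_THRESHOLD = 1000.0   # ICMP packets/sec on one edge interface
SYN_RATIO_THRESHOLD = 0.5     # share of all TCP packets that are SYNs


@dataclass
class CounterSample:
    """Delta of the ACL/interface counters over one polling interval."""
    interface: str
    seconds: float
    icmp_pkts: int
    tcp_syn_pkts: int
    tcp_pkts: int


@dataclass
class FlowRecord:
    """One (src, dst, proto, packets) record as a flow collector would export it."""
    src: str
    dst: str
    proto: str   # "icmp" or "tcp"
    pkts: int


def icmp_rate(s: CounterSample) -> float:
    return s.icmp_pkts / s.seconds


def syn_ratio(s: CounterSample) -> float:
    """SYN share of TCP packets; 0.0 when there was no TCP at all."""
    return 0.0 if s.tcp_pkts == 0 else s.tcp_syn_pkts / s.tcp_pkts


def top_talkers(flows, proto):
    """(busiest source, busiest destination) by packet count for one protocol."""
    src, dst = Counter(), Counter()
    for f in flows:
        if f.proto == proto:
            src[f.src] += f.pkts
            dst[f.dst] += f.pkts
    if not dst:
        return None, None
    return src.most_common(1)[0][0], dst.most_common(1)[0][0]


def icmp_discard_filter(victim: str):
    """Cisco IOS-style ACL (number 110 is an assumed placeholder) dropping ICMP to the victim only."""
    return [f"access-list 110 deny icmp any host {victim}",
            "access-list 110 permit ip any any"]


def evaluate(sample: CounterSample, flows):
    """Return the actions the NMS should take for this interval (empty when quiet)."""
    actions = []
    if icmp_rate(sample) >= ICMP_PPS_THRESHOLD:
        src, dst = top_talkers(flows, "icmp")
        actions.append({"kind": "icmp_flood", "interface": sample.interface,
                        "victim": dst, "top_source": src,
                        "filter": icmp_discard_filter(dst)})
    if syn_ratio(sample) >= SYN_RATIO_THRESHOLD:
        # No filter here: the reply notes SYN floods may not be stoppable at the edge,
        # so this is an early warning carrying the interface, victim and top source.
        src, dst = top_talkers(flows, "tcp")
        actions.append({"kind": "syn_flood_warning", "interface": sample.interface,
                        "ratio": round(syn_ratio(sample), 2),
                        "victim": dst, "top_source": src})
    return actions


# Constructed sample: 60 s of counters from an edge interface during an attack,
# and the matching flow records (RFC 5737 documentation addresses).
SAMPLE = CounterSample("Serial0/0", 60.0, icmp_pkts=120_000,
                       tcp_syn_pkts=45_000, tcp_pkts=50_000)
FLOWS = [
    FlowRecord("198.51.100.7", "192.0.2.10", "icmp", 110_000),
    FlowRecord("198.51.100.9", "192.0.2.20", "icmp", 6_000),
    FlowRecord("203.0.113.4", "192.0.2.20", "tcp", 40_000),
    FlowRecord("203.0.113.5", "192.0.2.10", "tcp", 10_000),
]

if __name__ == "__main__":
    for action in evaluate(SAMPLE, FLOWS):
        print(action)
```

Two caveats before wiring something like this to a router: a blanket ICMP discard toward the victim also drops the ICMP "fragmentation needed" messages it relies on for path MTU discovery, so narrow the deny to the echo/echo-reply types the flood actually uses where the platform allows it; and set the SYN ratio threshold from a measured baseline on that interface, since the normal SYN share varies a lot between a web farm and a bulk-transfer link.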