On Wed, 1 May 2002, Pete Kruckenberg wrote:
There's been plenty of discussion about DDoS attacks, and my IDS system is darn good at identifying them. But what are effective methods for large service-provider networks (i.e. ones where a firewall at the front would not be possible) to deal with DDoS attacks?
I'm working on something that should provide a solution to this for at least some subset of all attacks. Basically, it works like this: when you identify the target of the attack, you have traffic for those target addresses rerouted to a "filter box". This filter box then contains source-address-based filters to get rid of the attacking traffic. The idea is that a service provider could install one or more of those filter boxes (standard routers or multilayer switches) and have customers use standard BGP mechanisms to get the filter boxes to clean up the traffic. This should work as long as the number of source addresses is relatively limited, say below 20,000. If anyone is interested in testing such a setup in a real network, contact me off-list. My goal is to evaluate how well this works and then write up an article for the benefit of the networking community.

Iljitsch van Beijnum
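As an added example that is not part of the original thread (and not Iljitsch's own tooling), here is a small Python script that does the filter-box half of the scheme described above: it takes the attacking source addresses an IDS reported, collapses them into the minimal set of CIDR blocks, enforces the "below 20,000 sources" bound, and emits a source-address filter that drops only traffic from those sources to the attacked address. The ACL syntax is IOS-style, the target and source addresses are constructed sample data, and the names `build_filter`, `aggregate_sources` and `is_dropped` are this example's own. The BGP side (the customer announcing the target prefix so that it is routed via the filter box) is assumed to be in place and is not modelled.

```python
"""Build the source-address filter for a DDoS "filter box".

Added example, not code from the original post. Assumes an IOS-style
extended ACL on the filter box and that traffic for the target is already
being rerouted through that box by BGP.
"""
import ipaddress

# Practical upper bound on distinct sources, taken from the post's
# "say below 20,000"; beyond this a per-source filter stops being feasible.
MAX_SOURCES = 20_000

# Constructed sample input (not from the post): the attacked host and the
# source addresses an IDS reported as flooding it.
TARGET = "192.0.2.10"
ATTACK_SOURCES = [f"198.51.100.{i}" for i in range(8)] + ["203.0.113.5", "203.0.113.9"]


def aggregate_sources(sources):
    """Collapse individual source addresses into the minimal set of CIDR
    blocks (eight contiguous /32s become one /29), so the filter box carries
    fewer entries than there are raw sources. Output is sorted."""
    nets = [ipaddress.ip_network(s, strict=False) for s in set(sources)]
    return list(ipaddress.collapse_addresses(nets))


def _acl_operand(net):
    """Render a network in IOS-style ACL syntax: 'host A' for a /32,
    otherwise 'A WILDCARD' with the inverted mask."""
    if net.prefixlen == net.max_prefixlen:
        return f"host {net.network_address}"
    return f"{net.network_address} {net.hostmask}"


def build_filter(target, sources, acl_name="ddos-filter"):
    """Return (acl_lines, number_of_deny_entries).

    Only traffic from the listed sources *to the target* is dropped. The
    sources keep reaching everything else, and everything else keeps
    reaching the target, which is the point of rerouting only the target's
    traffic through the box rather than firewalling the whole network.
    """
    distinct = len(set(sources))
    if distinct > MAX_SOURCES:
        raise ValueError(
            f"{distinct} sources exceeds {MAX_SOURCES}; "
            "a source-based filter is not practical for this attack")
    target_net = ipaddress.ip_network(target, strict=False)
    blocks = aggregate_sources(sources)
    lines = [f"ip access-list extended {acl_name}"]
    for b in blocks:
        lines.append(f" deny ip {_acl_operand(b)} {_acl_operand(target_net)}")
    lines.append(" permit ip any any")  # everything else flows on to the target
    return lines, len(blocks)


def is_dropped(blocks, target, src, dst):
    """Evaluate one packet the way the filter box would: dropped only if the
    source falls in a filtered block AND the destination is the rerouted
    target. Used here to sanity-check the generated filter offline."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    target_net = ipaddress.ip_network(target, strict=False)
    return d in target_net and any(s in b for b in blocks)


if __name__ == "__main__":
    acl, n = build_filter(TARGET, ATTACK_SOURCES)
    print("\n".join(acl))
    print(f"! {len(set(ATTACK_SOURCES))} sources collapsed to {n} deny entries")
```

Aggregation matters more than it looks: an attack from a few thousand hosts in a handful of /24s collapses to a handful of entries, while the same number of sources scattered across the whole address space collapses to nothing, which is exactly the case where the post's source-count limit bites. The `permit ip any any` at the end is deliberate; the box only ever sees traffic for the rerouted target, so anything not matching a deny must be forwarded on, and a default deny would simply complete the denial of service.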