On Thu, 2 May 2002, Hank Nussbacher wrote:
At 01:49 AM 02-05-02 +0100, Avleen Vig wrote:
As time goes by, tools are being developed (in fact they're used now) that completely randomize the TCP or UDP ports attacked, or use a variety of icmp types in the attack. So cuurrently the only way you can 'block' such attacks is to block all packets for the offending protocol as far upstream as you possibly can, but this is not ideal.
If you're being attacked by a SYN flood, you can ask try to rate-limit the flood at your border (possible on Cisco IOS 12.0 and higher, and probably other routers too?)
ACLs have been a good tool for the past number of years to stop DOS attacks but they suffer one very bad feature - they throw away the good packets along with the bad packets. The same goes for CAR. The same goes for taking a /32 and null routing it. Consider Amazon being hit with a DDOS attack from random spoofed IPs to their web site. You can't block on source IP since it is random. If you block on destination IP - you end up taking Amazon off the network (the ultimate aim of the attacker) at a daily revenue loss of over $1M.
So, just filter and track quickly... move the block as far back as you can. Have the customer remain agile also. :)