Something that people may want to consider doing is that, assuming you are using hardware/software that can support rate-limiting of specific packet types/rates, you could generate some rate-limits to limit specific types of traffic to various ranges. You can also use these initially to sample the traffic sufficiently that one can determine what your typical rate is.

Example: Create an access-list that matches icmp echo+echo-reply. Assuming a ds3/oc3/oc12 uplink, you can create a rate-limit on the router that limits the traffic to 1.5M with a burst to 2M. You can also do "sh int rate" on a cisco router to determine if these rates are what you are typically forwarding. You obviously need to adjust these somewhat over time as your traffic and network patterns change. You can do the same for tcp-syn http, etc. by creating multiple rate-limits.

(This is assuming cisco devices running 12.0S w/ the appropriate linecards that support this feature set, just as an example. Your mileage and network topology/linecard mix may not completely support this. Please consult your appropriate vendor, as most vendors these days can support these features. I'm just using the cisco example as a baseline.)

Once you figure this out you can then police your network traffic or possibly apply the same types of rate-limits on customer facing interfaces (esp. colo that tends to have high bw available but doesn't use it all the time). This is not based on any real-life experiences, so collect your own data, but this may be useful for people to do.

The problem of internet security and keeping your host(s) secure I think is the most important. Most software vendors are starting to ship [almost, if not] secure out of the box at this point. The challenge is upgrading all the existing hosts. There doesn't appear to be a good way to notify everyone unless it turns into a "cnn" type event where all the nightly news people are covering it. This also misses a large portion of the international community.

The local media should take it upon themselves to help notify people to update their machines, as well as the software distributors and hardware people that sell prepackaged software (windows for example) that is installed. Include the cost of postage and printing costs for mailing the users a postcard for the next 3 years, once a month, with all the things they should check their machines for. It's a challenge. Hopefully everyone involved can step up and secure their networks to the [known] intrusion methods that allow abuse.

- jared

On Wed, Jan 16, 2002 at 02:24:10PM -0700, Barb Dijker wrote:
At 11:45 AM 1/16/02 -0600, Paul Froutan wrote:
Hello all, Can some of you with larger networks let me know about the volume of the DoS attacks you have experienced lately? Our experience has been that the volume (not just occurrence) is going up significantly and I'm curious on the size of attacks that people are experiencing. For reference, while a year or two ago we used to get 50-100 meg attacks, now we're getting 500+ megs.
I don't have a large network, but I had three yesterday morning between 7 and 10am MST and apparently one last night between 11:30pm and 2am MST that rippled through until 5am. That is way high. We typically see one every six months or so (modulo worms). These appeared to be customer hosts as unwitting dDoS participants... smaller than usual effects probably because we had participants/sources rather than targets, but one yesterday was big enough to take us down. Unix servers. No spoofing or amps involved (we filter). High pps, average packet size down to 66 bytes. Didn't snag a capture.
These were not nimda or any form thereof as we have cut off folks who were not fully patched.
...Barb
-- Jared Mauch | pgp key available via finger from jared@puck.nether.net clue++; | http://puck.nether.net/~jared/ My statements are only mine.
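As an added illustration of the rate-limit Jared sketches at the top of the thread (this is example configuration written for this page, not anything posted by Jared or taken from a Cisco document), the following is the Cisco IOS committed-access-rate (CAR) form of "access-list matching icmp echo+echo-reply, limited to 1.5M with a burst to 2M", plus the "tcp-syn http" variant he mentions. The interface name, ACL numbers and burst sizes are assumptions; CAR takes its rate in bits per second but its two burst values in bytes, which is the one place a straight transcription of "2M" would go wrong.

```cisco
! Added example config, not from the original post. Interface name,
! ACL numbers and burst sizes are assumed values.
!
! ACL 101: ICMP echo and echo-reply, the traffic the post proposes limiting.
access-list 101 permit icmp any any echo
access-list 101 permit icmp any any echo-reply
!
! ACL 102: TCP toward port 80 that is NOT part of an established
! connection, i.e. SYNs. A "deny" line in a CAR access-group simply
! excludes that traffic from the limit, so established flows pass freely.
access-list 102 deny   tcp any any eq www established
access-list 102 permit tcp any any eq www
!
! Apply on the uplink. The CAR rate is in bits/s; the next two numbers are
! the normal and extended burst in BYTES. "1.5M with burst 2M" is therefore
! expressed as 1500000 bit/s with a 187500-byte normal burst and a
! 250000-byte extended burst (one second's worth of 1.5 and 2 Mbit/s
! respectively; these are assumed starting points, not tuned values).
interface POS1/0
 rate-limit input access-group 101 1500000 187500 250000 conform-action transmit exceed-action drop
 rate-limit input access-group 102 1500000 187500 250000 conform-action transmit exceed-action drop
!
! Sampling step from the post: "show interfaces POS1/0 rate-limit" reports
! per-limit conformed/exceeded packet and byte counters, so start with a
! limit set well above the observed baseline and tighten it as the
! counters show what the box normally forwards.
```

The usual caveat from the thread applies: whether CAR is available at all, and on which linecards, depends on the platform and IOS train, and a limit placed on a customer-facing interface should be sized from that interface's own sampled rates rather than copied from the uplink.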