On Wed, 1 May 2002, Pete Kruckenberg wrote:
A rather extensive survey of DDoS papers has not resulted in much on this topic.
What processes and/or tools are large networks using to identify and limit the impact of DDoS attacks?
Hazaa.. something I know a little about. DDoS attacks, by their very nature, are distributed. The primary purpose of most DDoS attacks is to flood the target's upstream connection to the point of saturation. As time goes by, tools are being developed (in fact they're used now) that completely randomize the TCP or UDP ports attacked, or use a variety of ICMP types in the attack. So currently the only way you can 'block' such attacks is to block all packets for the offending protocol as far upstream as you possibly can, but this is not ideal. If you're being attacked by a SYN flood, you can try to rate-limit the flood at your border (possible on Cisco IOS 12.0 and higher, and probably other routers too?). If you're being smurfed, you can block ICMP Echo Replies inbound to the target IP. It all depends on the TYPE of attack.

Having said that, it's only a matter of time before somebody releases a tool that saturates a line by spoofing the source, randomizing the protocol and ports, and maybe even attacking other hosts on the same subnet, etc. etc. The only thing you can try and do is work with your upstream provider and try to trace the source of the attacks back, but that's incredibly difficult.

As a side note, does anyone know the status of the ICMP Traceback proposal? The IETF draft expired yesterday: http://www.ietf.org/internet-drafts/draft-ietf-itrace-01.txt
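To make the "it all depends on the TYPE of attack" triage in the reply above concrete, here is an added example in Python. It is not part of the original post and is not code from any tool or router the post mentions. It classifies NetFlow-style records addressed to a target into the three shapes the post names (a SYN flood, a smurf made of ICMP echo-replies, and a flood with randomized ports where per-port filtering cannot help) and maps each to the mitigation the post describes. The Flow record layout, the thresholds, the sample traffic and the target address are assumptions constructed for this example; the mitigation strings paraphrase the post and are not router configuration.

```python
"""Classify a DDoS flood from NetFlow-style records and pick the
mitigation the thread above describes for that attack type.
Added example; record layout, thresholds and sample data are assumptions."""
from collections import Counter
from dataclasses import dataclass
from random import Random


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str      # "tcp", "udp" or "icmp"
    sport: int      # source port; 0 for ICMP
    dport: int      # destination port; for ICMP the message type (0 = echo-reply)
    flags: str      # TCP flags as letters ("S", "SA", "PA", ...); "" for non-TCP
    packets: int


# Mitigation each attack type allows, paraphrased from the post above.
MITIGATION = {
    "syn_flood": "rate-limit TCP SYNs to the target at the border router",
    "smurf": "drop ICMP echo-replies (type 0) inbound to the target at the border",
    "random_port_flood": "per-port filters are useless (ports are randomized); "
                         "block the whole protocol to the target as far upstream as possible",
    "unknown": "no signature matched; work with the upstream provider to trace the sources",
}


def classify(flows, target, min_sources=50, share=0.8, port_spread=0.8):
    """Return (attack_type, evidence) for traffic addressed to `target`.

    min_sources / share / port_spread are assumed thresholds for this example;
    a real deployment tunes them to its own baseline traffic.
    """
    inbound = [f for f in flows if f.dst == target]
    total = sum(f.packets for f in inbound)
    if total == 0:
        return "unknown", {"packets": 0}

    by_proto = Counter()
    for f in inbound:
        by_proto[f.proto] += f.packets
    proto, proto_pkts = by_proto.most_common(1)[0]   # dominant protocol
    pflows = [f for f in inbound if f.proto == proto]
    sources = {f.src for f in pflows}
    evidence = {"packets": total, "proto": proto, "sources": len(sources)}

    if proto == "tcp":
        # SYN flood: almost all TCP packets are bare SYNs from many (spoofed) sources.
        syn_only = sum(f.packets for f in pflows if f.flags == "S")
        evidence["syn_share"] = round(syn_only / proto_pkts, 2)
        if syn_only / proto_pkts >= share and len(sources) >= min_sources:
            return "syn_flood", evidence
    elif proto == "icmp":
        # Smurf: echo-replies from many reflector hosts, none of which we asked.
        replies = sum(f.packets for f in pflows if f.dport == 0)
        evidence["echo_reply_share"] = round(replies / proto_pkts, 2)
        if replies / proto_pkts >= share and len(sources) >= min_sources:
            return "smurf", evidence

    # Any protocol: if nearly every flow hits a different destination port,
    # a per-port filter cannot express the attack.
    spread = len({f.dport for f in pflows}) / len(pflows)
    evidence["port_spread"] = round(spread, 2)
    if spread >= port_spread and len(sources) >= min_sources:
        return "random_port_flood", evidence
    return "unknown", evidence


def recommend(flows, target):
    """Return (attack_type, mitigation text, evidence)."""
    kind, evidence = classify(flows, target)
    return kind, MITIGATION[kind], evidence


def sample_flows(kind, target="198.51.100.7", n=200, seed=1):
    """Constructed flow records for this example (not captured traffic)."""
    rng = Random(seed)
    # A little legitimate HTTPS traffic from a few real clients.
    legit = [Flow(f"192.0.2.{i + 1}", target, "tcp", 40000 + i, 443, "PA", 20)
             for i in range(5)]
    if kind == "legit":
        return legit
    attack = []
    for i in range(n):
        src = f"198.18.{i // 254}.{i % 254 + 1}"   # spoofed or reflector sources
        pkts = rng.randrange(1, 20)
        if kind == "syn":
            attack.append(Flow(src, target, "tcp", rng.randrange(1024, 65536), 80, "S", pkts))
        elif kind == "smurf":
            attack.append(Flow(src, target, "icmp", 0, 0, "", pkts))
        elif kind == "udp_random":
            attack.append(Flow(src, target, "udp", rng.randrange(1024, 65536),
                               rng.randrange(1, 65536), "", pkts))
        else:
            raise ValueError(f"unknown sample kind: {kind}")
    return legit + attack


if __name__ == "__main__":
    for kind in ("syn", "smurf", "udp_random", "legit"):
        print(kind, "->", recommend(sample_flows(kind), "198.51.100.7"))
```

The classifier only looks at the dominant protocol toward one target, which matches the post's framing: the decision is per target and per attack type, and the fallback when nothing matches is the same one the post gives, tracing back through the upstream provider.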