On Thu, 12 Jul 2001, David Harmelin wrote:
> At 08:45 AM 7/12/01 -0700, Roeland Meyer wrote:
>> This is the main point, a script-kiddie hunt, with prosecution, is the ONLY real deterrent. Throw some of them in hotel greybar and remove them from computing, for life, and we may see some of this turn around.
> If a lady wears skimpy clothing, does she deserve to get raped? Obviously, not. If a computer has skimpy protection, does it deserve to be turned into a zombie? Simply because you forget to lock your car one night (whilst in your driveway), do you deserve to have it stolen? If you leave a $100 on your kitchen table, in your unlocked house, whilst you are working in your garage, do I have the right to sneak in the back door and take it while avoiding prosecution, on the grounds that you were careless? WRT EFFnet, does a prostitute deserve to be raped?
> By the way, for those who care, there are relatively easy ways to fight DoS attacks:
> * use netflow and a bunch of scripts to detect them automatically
> * use BGP to block them on all your border routers instantly, based on destination
> * use BGP and Unicast RPF to block them on all your border routers instantly, based on source, if you really need to
> With a combination of all that, you can automatically block any major attack at your border.
Sorry, but after doing all of that, DDoS attacks still saturate even the largest circuits, thus denying the service.
> Is it scalable? Yes.
Until the CPU overhead from netflow knocks out the router(s) from a mass-attack.
> What about false alarms? We have implemented the detection bit. With a bit of tuning, we get 0.1% false alarms and yet catch an average of 15 attacks per day, above 500 pkts/s (up to 10000s pkts/s). I wouldn't be surprised if Tier1 networks would catch many more attacks than that, with the same tool.
> My point: block automatically 99% of the DoS attacks at the top 10 transit providers level, and we may see DoS attacks be a thing of the past. "Kiddies only do it because they can".
> DH.
> ___________________________________________________________________
> David Harmelin, Network Engineer, DANCERT Representative
> DANTE, Francis House, 112 Hills Road, Cambridge CB2 1PQ, United Kingdom
> Tel +44 1223 302992   Fax +44 1223 303005   WWW http://www.dante.net
> ___________________________________________________________________
---
Brad Baker
Director: Network Operations
American ISP
brad@americanisp.net
+1 303 984 5700 x12
http://www.americanisp.net/

Fortune-- I will always love the false image I had of you.
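David's three steps above (netflow-based detection, destination-based blackholing pushed out over BGP, and source-based blocking via BGP plus Unicast RPF), rendered as an added Python example; this is not code from the thread or from any of its participants. The flow records are constructed, the 500 pkt/s threshold and the allow-list for keeping false alarms down follow the figures David quotes, and the `Null0` host routes tagged 666/667 are an assumed remotely-triggered-blackhole convention for a trigger router whose tagged statics get redistributed into BGP, not configuration taken from the thread.

```python
from collections import defaultdict

# Constructed sample NetFlow-style records (not captured traffic): each tuple is
# (src_ip, dst_ip, packets) for one flow seen during a 10-second export window.
SAMPLE_FLOWS = [
    ("198.51.100.7", "203.0.113.10", 3000),   # three sources flooding one host
    ("198.51.100.8", "203.0.113.10", 2800),
    ("198.51.100.9", "203.0.113.10", 2600),
    ("192.0.2.20",   "203.0.113.11", 40),     # ordinary traffic
    ("192.0.2.21",   "203.0.113.11", 55),
    ("192.0.2.22",   "203.0.113.12", 6000),   # legitimately busy, allow-listed host
]

WINDOW_SECONDS = 10
THRESHOLD_PPS = 500            # the 500 pkt/s floor quoted in the thread
# Tuning knob against false alarms: hosts known to receive high rates legitimately.
ALLOWLIST = {"203.0.113.12"}


def packets_per_destination(flows):
    """Sum packets per destination and per (destination, source) over the window."""
    per_dst = defaultdict(int)
    per_dst_src = defaultdict(lambda: defaultdict(int))
    for src, dst, pkts in flows:
        per_dst[dst] += pkts
        per_dst_src[dst][src] += pkts
    return per_dst, per_dst_src


def detect_attacks(flows, window_s=WINDOW_SECONDS, threshold_pps=THRESHOLD_PPS,
                   allowlist=frozenset(ALLOWLIST), top_n=3):
    """Return [(dst_ip, pps, [top source ips])] for destinations at or above threshold."""
    per_dst, per_dst_src = packets_per_destination(flows)
    alerts = []
    for dst, total in per_dst.items():
        pps = total / window_s
        if dst in allowlist or pps < threshold_pps:
            continue
        # Heaviest sources first; ties broken by address so output is stable.
        top = sorted(per_dst_src[dst].items(), key=lambda kv: (-kv[1], kv[0]))[:top_n]
        alerts.append((dst, pps, [src for src, _ in top]))
    return sorted(alerts)


def destination_blackhole(dst_ip):
    """Hypothetical trigger-router line: a host route to Null0 tagged 666 so a
    redistribute route-map can export it to BGP (tag value is an assumption)."""
    return f"ip route {dst_ip} 255.255.255.255 Null0 tag 666"


def source_blackhole(src_ip):
    """Same idea for source-based blocking: with loose-mode uRPF on the borders,
    a Null0 route for the source makes its packets fail the RPF check (tag assumed)."""
    return f"ip route {src_ip} 255.255.255.255 Null0 tag 667"


def mitigation_config(alerts, by_source=False):
    """Render trigger lines for every alert: by destination (default), or for
    the top attacking sources when source-based blocking is wanted."""
    lines = []
    for dst, _pps, sources in alerts:
        if by_source:
            lines.extend(source_blackhole(s) for s in sources)
        else:
            lines.append(destination_blackhole(dst))
    return lines


if __name__ == "__main__":
    found = detect_attacks(SAMPLE_FLOWS)
    for dst, pps, srcs in found:
        print(f"ALERT {dst}: {pps:.0f} pkt/s, top sources {srcs}")
    print("\n".join(mitigation_config(found)))
```

Two of the thread's own caveats are worth keeping in mind when reading this: a destination blackhole completes the denial of service for that one host in exchange for protecting everything else behind the border (Brad's point about saturated circuits upstream is not addressed by it), and the per-flow accounting is exactly the work that loads the router, so on real hardware it would run on an off-box collector fed by sampled exports rather than on the router itself.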