mike.lyon@gmail.com ("Mike Lyon") writes:
> So, I'm kind of new to this, so please deal with my ignorance.

:-). On the internet, everybody's new to everything, since it's all changing every day. If anybody grumps at you for your ignorance, or says "I can't type that into an IOS prompt", then the fault is theirs.

> But what is common practice these days for HTTP DDoS mitigation during an attack? You can of course route every offending IP address to null0 at your border. But if it's a botnet or trojan or something, it's coming from numerous different source IPs, and null0 routes can get very cumbersome, obviously. How do you folks usually deal with this?

I only use or recommend operating systems that have their own host-based firewalls. Soon that will mean pf (from OpenBSD but available on FreeBSD), but right now that means ipfw. ipfw has a "table" construct which uses a data structure similar to the kernel's routing table. With a little bit of tuning, and using x86_64 to get more kernel memory map space than i386, I've listed every member of 60K-node botnets in a table whose only use is "if a SYN comes from here, silently drop it with no ICMP response". With more tuning work, a 200K-node botnet would pose no problem. We populate these tables with a perl script that watches the apache server's logfiles.

-- Paul Vixie
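The reply above describes the mechanism but does not include the script. The following is an added example, not Paul Vixie's perl script and not part of the original thread: it parses Apache combined-format access log lines, counts requests per client address, and emits the `ipfw table N add` commands for addresses above a threshold, alongside the one rule that turns the table into a silent SYN drop. The log lines are constructed here for illustration; the threshold, table number, allowlist, and the classic numeric `ipfw table 1 add` syntax are assumptions (newer FreeBSD releases name tables differently). The `setup` keyword matches TCP SYNs without ACK and `deny` drops with no response, which is the behaviour the reply asks for.

```python
import re
import ipaddress
from collections import Counter

# Apache combined log format: client, ident, user, [timestamp], "request", status, bytes, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)

# ipfw rules that make the table useful (assumed table number 1 and rule number 100).
# "setup" matches SYN-only TCP packets; "deny" drops silently, unlike "reset"/"unreach".
IPFW_RULESET = [
    "ipfw table 1 flush",
    'ipfw add 100 deny tcp from "table(1)" to me 80 setup',
]


def _line(ip, path, ua="Mozilla/5.0"):
    """Build one constructed Apache combined-format log line (sample data, not real traffic)."""
    return f'{ip} - - [10/Oct/2000:13:55:36 -0700] "GET {path} HTTP/1.0" 200 2326 "-" "{ua}"'


# Constructed sample log: one chatty bot, one chatty monitor we must not block,
# one quiet legitimate client, one IPv6 client, and one malformed line.
SAMPLE_LOG = (
    [_line("198.51.100.7", f"/?q={i}", "bot/1.0") for i in range(6)]
    + [_line("192.0.2.1", "/health", "monitor") for _ in range(6)]
    + [_line("203.0.113.9", "/index.html")]
    + [_line("2001:db8::1", "/index.html")]
    + ["garbage line that does not match the log format"]
)


def parse_client_ips(lines):
    """Yield the IPv4 client address of each well-formed log line, skipping junk.

    The table in the reply holds IPv4 addresses, so IPv6 clients are skipped here
    (assumption: an IPv4-only table).
    """
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        try:
            ip = ipaddress.ip_address(m.group("ip"))
        except ValueError:
            continue
        if ip.version != 4:
            continue
        yield str(ip)


def offenders(lines, threshold, allowlist=(), already_blocked=frozenset()):
    """Return the sorted list of addresses to add to the drop table.

    threshold: requests seen in this batch of lines before an address is considered hostile.
    allowlist: CIDR strings (monitoring hosts, your own NAT) that are never blocked.
    already_blocked: addresses already in the table; ipfw errors on duplicate adds,
    so skipping them keeps repeated runs idempotent.
    """
    counts = Counter(parse_client_ips(lines))
    allow_nets = [ipaddress.ip_network(a) for a in allowlist]
    hits = []
    for ip, n in counts.items():
        if n < threshold or ip in already_blocked:
            continue
        if any(ipaddress.ip_address(ip) in net for net in allow_nets):
            continue
        hits.append(ip)
    return sorted(hits)


def ipfw_commands(ips, table=1):
    """Render the ipfw table-population commands for the given addresses."""
    return [f"ipfw table {table} add {ip}" for ip in ips]


if __name__ == "__main__":
    for cmd in IPFW_RULESET:
        print(cmd)
    bad = offenders(SAMPLE_LOG, threshold=5, allowlist=["192.0.2.0/24"])
    for cmd in ipfw_commands(bad):
        print(cmd)
```

In production the script would tail the live log rather than read a fixed list, remember what it has already added (the `already_blocked` set), and feed the commands to `ipfw` via `subprocess` instead of printing them; the allowlist matters because a busy health-check host looks exactly like a bot to a pure request counter.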