The dearth of comprehensive BCP asserting the end-all-be-all for DDoS is likely and largely due to the lack of an end-all-be-all DDoS. The range of variants, strains, chewy fillings and flavors of fuxor out there beg different techniques for alleviation, so prescribing a single poultice for blanket application does not seem to be in wide practice outside marketing stratagem and other blustering. The resources requiring protection and receiving priority, as well as the trade-off in exacting reactive measures, also have a say in how things are managed.

In general, however, yeah...identifying the source or target is a must. Or a source port or destination port or protocol type or packet size or point of ingress/egress...the list of signature-worthy candidates is significant and also determines how a DDoS is triaged. The only thing that can be said for certain is that *some* unifying factor must be discovered. :P Furthermore, how you do that and what you do with that is a fluid thing, and further refinement or definition of the type of DDoS you are seeking to relieve may be required before you will be able to root out an attack management template that is worth its salt. Blackhole servers, sinkhole routers, IDS, extrusion detection, heuristic baselining, and definitely bigger routers never hurt this effort either. ;)

If you are able to elaborate on what you might be seeking to accomplish on- or off-list, I will try to proffer any appropriate resources I have available.

Good luck.

--ra

-- 
Rachael Treu-Gomes, CISSP
rara@navigo.com
..quis custodiet ipsos custodes?..

On Thu, May 20, 2004 at 11:52:01AM -0700, Mark Kent said something to the effect of:
I've been trying to find out what the current BCP is for handling ddos attacks. Mostly what I find is material about how to be a good net.citizen (we already are), how to tune a kernel to better withstand a syn flood, router stuff you can do to protect hosts behind it, how to track the attack back to the source, how to determine the nature of the traffic, etc.
But I don't care about most of that. I care that a gazillion pps are crushing our border routers (7206/npe-g1).
Other than getting bigger routers, is it still the case that the best we can do is identify the target IP (with netflow, for example) and have upstreams blackhole it?
Thanks, -mark
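The workflow the two messages circle around (sweep the flow export for the one dimension that concentrates the packet rate, then null-route the /32 and hand it to the upstream as a blackhole announcement) looks roughly like the following. This is an added example, not code from either poster or from any particular NetFlow or IOS tool. The flow records are constructed sample data using RFC 5737 documentation prefixes, the AS number 64496 is a documentation ASN, and the blackhole community `64496:666` is an assumption; a real upstream publishes its own community and expects the announcement to carry it.

```python
"""
Added example (not from the thread): triage constructed NetFlow-style records
to find the unifying factor of a flood, then emit the matching RTBH trigger.
Addresses (RFC 5737), the ASN (64496) and the blackhole community are
assumptions for illustration only.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: int
    sport: int
    dport: int
    pkts: int
    octets: int
    in_if: str

    @property
    def avg_pkt_size(self) -> int:
        return self.octets // max(self.pkts, 1)


# Constructed background traffic: nothing here concentrates on one key.
BACKGROUND = [
    Flow("192.0.2.5", "203.0.113.20", 6, 51234, 443, 700, 525000, "Gi0/1"),
    Flow("192.0.2.6", "203.0.113.20", 6, 51235, 443, 500, 375000, "Gi0/1"),
    Flow("192.0.2.7", "203.0.113.30", 17, 53, 53, 600, 90000, "Gi0/2"),
    Flow("192.0.2.8", "203.0.113.10", 6, 40000, 22, 400, 80000, "Gi0/2"),
]
# Constructed SYN flood: 64-byte packets from 20 spoofed sources to one host.
ATTACK = [Flow(f"198.51.100.{i}", "203.0.113.10", 6, 1024 + i, 80,
               50000, 3200000, "Gi0/1") for i in range(1, 21)]
FLOWS = BACKGROUND + ATTACK

# The "signature-worthy candidates" from the reply: each maps a flow to a key.
DIMENSIONS = {
    "dst":      lambda f: f.dst,
    "src":      lambda f: f.src,
    "dport":    lambda f: f.dport,
    "pkt_size": lambda f: (f.avg_pkt_size // 64) * 64,   # 64-byte buckets
    "proto":    lambda f: f.proto,
    "in_if":    lambda f: f.in_if,
}


def packets_by(flows, dim):
    """Sum packets per key along one dimension (pps is what hurts the router,
    so we count packets, not bytes)."""
    c = Counter()
    for f in flows:
        c[DIMENSIONS[dim](f)] += f.pkts
    return c


def find_unifying_factor(flows, threshold=0.8):
    """Return (dimension, key, share) for the first dimension whose top key
    carries at least `threshold` of all packets.  Dimensions are tried from
    narrowest to broadest so the resulting filter drops as little as possible;
    None means nothing concentrates enough to act on."""
    total = sum(f.pkts for f in flows)
    if total == 0:
        return None
    for dim in DIMENSIONS:
        key, pkts = packets_by(flows, dim).most_common(1)[0]
        share = pkts / total
        if share >= threshold:
            return dim, key, share
    return None


def rtbh_config(victim, local_as=64496, blackhole_community="64496:666"):
    """IOS-style RTBH trigger for one /32: null-route it locally and
    redistribute the tagged static into BGP with the upstream's blackhole
    community so the upstream drops the traffic before the border router.
    Assumes the upstream session already has `neighbor ... send-community`."""
    return [
        f"ip route {victim} 255.255.255.255 Null0 tag 666",
        "route-map RTBH permit 10",
        " match tag 666",
        f" set community {blackhole_community}",
        f"router bgp {local_as}",
        " redistribute static route-map RTBH",
    ]


if __name__ == "__main__":
    hit = find_unifying_factor(FLOWS)
    if hit:
        dim, key, share = hit
        print(f"{dim}={key} carries {share:.1%} of packets")
        if dim == "dst":
            print("\n".join(rtbh_config(key)))
```

Only the `dst` hit is turned into a blackhole here, because that is the one case where dropping the key costs the victim alone; a hit on `dport`, `pkt_size` or `in_if` says what to match with an ACL or rate-limit rather than what to null-route, and a `src` hit on a spoofed flood is rare enough that it deserves a human look before anything is announced. The threshold is a knob: too low and a single busy web server looks like an attack, too high and a flood spread over a /24 never triggers.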