Jack Bates wrote:
Paul Vixie wrote:
Do you have a miraculous way to stop DDOS? Is there now a way to quickly and efficiently track down forged packets? Is there a remedy to shutting down the *known* botnets, not to mention the unknown ones?
This is another issue, and _all_ of us are in charge of keeping our nets clean of outgoing DoS. Most outgoing DoS inside our network is mitigated - ok, most of the time the DoS'ing server is disconnected - in less than 10 minutes, as we not only check what's coming in, but also check what our customers are sending out. And as soon as someone forges IPs, he's disconnected unless we know what was happening (mostly hacked servers) and the issue was fixed.

As it is the nature of DoS that lots of packets are sent, they can easily be identified in (s|c|net)flows ... unfortunately there are _lots_ of ISPs that have no automated mechanism for misuse detection and mitigation, or if they have one, they don't care about alarms.

Therefore I agree, the only practicable way to protect the majority of customers is to blackhole the IP under attack. Even if the DoS is not a DDoS, but coming from one single source... 99.9% of all emails to any NOC worldwide are not answered in less than one hour (especially in "out-shift-hours"), and of the 0.1% left I bet 99.9% of the DoS are also not stopped during this hour. And one hour of DoS may make some small ISPs lose more money than they earn per month!
While all this is worked out, we have one solution we know works. If we null route the victim IP, the traffic stops at the null route. Since most attackers don't care to DOS the ISP, but just to take care of that end point, they usually don't start shifting targets to try and keep the ISP itself out.
ACK!
Jack
-- 
Jens Ott
Head of Network Management

Tel: +49 22 33 - 612 - 3501
Fax: +49 22 33 - 612 - 53501
E-Mail: j.ott@plusserver.de
GPG-Fingerprint: 808A EADF C476 FABE 2366 8402 31FD 328C C2CA 7D7A

PlusServer AG
Daimlerstraße 9-11
50354 Hürth
Germany

HRB 58428 / Amtsgericht Köln, VAT ID DE216 740 823
Management Board: Jochen Berger, Frank Gross, Jan Osthues, Thomas Strohe
Chairman of the Supervisory Board: Claudius Schmalschläger
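
The outbound check described in the message above (watching what customers send, flagging forged sources and high packet rates in flow data), as an added example that is not part of the original mail or of PlusServer's tooling. The per-port prefix table, the 60-second window, the packets-per-second threshold and the flow tuples are all constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Assumed for illustration: prefixes assigned per customer port (documentation ranges).
CUSTOMER_PREFIXES = {
    "cust-a": [ipaddress.ip_network("192.0.2.0/28")],
    "cust-b": [ipaddress.ip_network("198.51.100.16/28")],
}
WINDOW_SECONDS = 60     # assumed flow aggregation window
PPS_THRESHOLD = 5000    # assumed alarm threshold, tune per network

# Constructed flow export for one window: (customer port, src, dst, packets)
SAMPLE_FLOWS = [
    ("cust-a", "192.0.2.5", "203.0.113.80", 1200),
    ("cust-a", "192.0.2.6", "203.0.113.80", 900_000),
    ("cust-a", "192.0.2.6", "203.0.113.80", 450_000),
    ("cust-b", "198.51.100.20", "203.0.113.9", 30_000),
    ("cust-b", "10.99.1.7", "203.0.113.9", 40),
    ("cust-b", "172.16.4.4", "203.0.113.9", 55),
]

def find_outbound_abuse(flows, prefixes=CUSTOMER_PREFIXES,
                        window=WINDOW_SECONDS, pps_threshold=PPS_THRESHOLD):
    """Return (floods, spoofers) for one window of outbound customer flows."""
    packets = defaultdict(int)   # (port, src, dst) -> packets in window
    spoofed = defaultdict(set)   # port -> forged source addresses seen
    for port, src, dst, pkts in flows:
        src_ip = ipaddress.ip_address(src)
        if not any(src_ip in net for net in prefixes.get(port, [])):
            spoofed[port].add(src)   # source not assigned to this port: forged
            continue
        packets[(port, src, dst)] += pkts
    floods = sorted(
        (port, src, dst, total // window)
        for (port, src, dst), total in packets.items()
        if total / window >= pps_threshold
    )
    return floods, {port: sorted(addrs) for port, addrs in spoofed.items()}

if __name__ == "__main__":
    floods, spoofers = find_outbound_abuse(SAMPLE_FLOWS)
    for port, src, dst, pps in floods:
        print(f"FLOOD   {port} {src} -> {dst} ~{pps} pps")
    for port, addrs in spoofers.items():
        print(f"SPOOFED {port} sources {addrs}")
```

Forged sources are reported per customer port even at low packet counts, since the message treats any forging as grounds for disconnecting the port.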