On Thu, May 20, 2004 at 11:52:01AM -0700, Mark Kent wrote:
I've been trying to find out what the current BCP is for handling ddos attacks. Mostly what I find is material about how to be a good net.citizen (we already are), how to tune a kernel to better withstand a syn flood, router stuff you can do to protect hosts behind it, how to track the attack back to the source, how to determine the nature of the traffic, etc.
But I don't care about most of that. I care that a gazillion pps are crushing our border routers (7206/npe-g1).
Other than getting bigger routers, is it still the case that the best we can do is identify the target IP (with netflow, for example) and have upstreams blackhole it?
or acl it. some providers offer blackhole services where you can inject a route to them via bgp over the same session (with communities) or over a different session that just takes blackhole routes.. that can be used by you to cause them to null0/discard the traffic within their network automatically.. with junipers being used commonly these days, and their ability to write long, complex firewall filters, I think you're seeing more people do fancier things.. I've placed filters for at least one customer (for the duration of a DoS) that match on specific packet sizes or packet ranges of a specific type. The more you know about the profile of the attack you have going on, the better others can help you mitigate it.. - jared -- Jared Mauch | pgp key available via finger from jared@puck.nether.net clue++; | http://puck.nether.net/~jared/ My statements are only mine.