As far as I know, with the current level of awareness, everyone's working hard on prevention or protection from vulnerabilities of DOS/DDOS. But when it comes to what to do when you are in the thick of a DOS or DDOS attack, the jury is still out on that one, I guess. What I have learned from a white paper by Barry Greene of Cisco are the following tibbits for "when you are in it": After an attack is identified or classified, if 1. Spoofed RFC1918 and special use addresses - block or drop it. 2. Spoofed addresses that are not in Global route table - drop it. 3. valid address from a compromised DDOS agent - either drop it or rate limit the port. 4. spoofed valid address from somewhere on the Internet - the hardest to deal with, no clear course action for this. You can get the more out of the white paper off Cisco's web site at http://www.cisco.com/public/cons/isp/documents/ additional articles include: http://www.networkmagazine.com/article/NMG20001130S0002 http://www.networkmagazine.com/article/NMG20000512S0041 Hope this helps, Just my thoughts Jake -------------------------- Chin Wey Jake Network Engineer Pacific Century Cyberworks Singapore -------------------------- -----Original Message----- From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu]On Behalf Of Valdis.Kletnieks@vt.edu Sent: Saturday, January 27, 2001 12:54 PM To: Sean Donelan Cc: rja@inet.org; nanog@merit.edu Subject: Re: Proactive steps to prevent DDOS? On Fri, 26 Jan 2001 16:40:04 PST, Sean Donelan said:
Most are suggestions for what other networks can do to prevent them from being a source of a DDOS attack. There is less help for what the target of a DDOS can do.
Unfortunately, the current draft document for the Center for Internet Security (www.cisecurity.org) Solaris security checklist suffers from the same problem. It mandates RFC2644 broadcasts, RFC1918 martian and RFC2827 egress filtering, but I couldn't find any stuff on the victim end of it. If anybody can provide me with a good reference, I'll be happy to add it and give credit. http://www.sans.org/dosstep/index.htm is what I have currently on filtering. If you have a *partial* reference (something that will work for *many* or *most* sites, for example), I am able to phrase it as "Evaluate the techniques listed at <URL> for appropriateness". Anybody got input to add? Valdis Kletnieks Operating Systems Analyst Virginia Tech