On Wed, 1 May 2002, Richard A Steenbergen wrote:
> "DDoS attacks" is such a generic term. There are a wide variety of attacks which each need to be handled in their own way, the extra "D" is just one possible twist. Can you explain what kind of attack you're interested in?
We experience a lot of types of attacks ("education/research network" = "easy hacker target"). With DDoS incidents, it seems we are more often an unknowing/unwilling participant than the target, partly due to owning big chunks of IP address space. We most frequently are the zombie/reflector participants in an attack that originates outside our network, to a target outside our network. As many as 8,000 hosts on our network are reflecting SYN floods in the current attacks.

Identification doesn't seem to be a problem. Snort is doing far too well notifying us. Responding and managing all of the defenses is becoming a lot of painstaking work, and error-prone (why can't Cisco make ACLs easier to manage). Our approach so far has been temporary blocks (via ACL) of the target address. Blocking 8,000 internal addresses, many legitimate (secured) Web servers, generates more complaints.

I'm thinking about a scripted Zebra feed where route injections are triggered by Snort. Routes for the target and/or SYN flood reflector hosts could be injected temporarily during the attack to border routers, which would route-map those routes to Null0. The script periodically withdraws routes to see if the attack is over (some of these last weeks, some only last a few seconds), to minimize the impact on those otherwise legitimate hosts.

Has anyone tried this kind of approach, or any other type of automated/efficient approach to dampen the "zombie" side of the DDoS attack?

Pete
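A sketch of the Snort-to-Zebra controller described above, added here as an illustration and not code from the original post: alerts about an internal reflector are counted, a static route is emitted once a threshold is crossed, and the route is withdrawn after a hold time so the re-probe happens automatically. The Snort "fast" alert layout, the `ip route ... null0` Zebra syntax, the 50-alert threshold and the 10-minute hold are all assumptions; the sample alert line is constructed.

```python
import re

# Assumed Snort "fast" alert layout; sample lines below are constructed.
ALERT_RE = re.compile(
    r"\[\*\*\] \[\d+:\d+:\d+\] (?P<msg>.+?) \[\*\*\].*?"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}):\d+ -> (?P<dst>\d{1,3}(?:\.\d{1,3}){3}):\d+")

HOLD_SECONDS = 600   # assumed hold time before a route is withdrawn to re-probe
MIN_HITS = 50        # assumed alert count per host before acting, to avoid one-off triggers

class BlackholeController:
    """Turns repeated SYN-flood alerts about an internal reflector into a temporary
    static route fed to Zebra; the border routers' route-map (as in the post) sends it to Null0."""

    def __init__(self):
        self.hits = {}     # reflector ip -> alerts seen since the last withdrawal
        self.active = {}   # reflector ip -> unix time at which the route is withdrawn

    def ingest(self, line, now):
        """Feed one alert line; returns a Zebra command to apply, or None."""
        m = ALERT_RE.search(line)
        if not m or "SYN" not in m.group("msg"):
            return None
        ip = m.group("src")                       # our host is the source of the reflected SYNs
        self.hits[ip] = self.hits.get(ip, 0) + 1
        if ip not in self.active and self.hits[ip] >= MIN_HITS:
            self.active[ip] = now + HOLD_SECONDS
            return f"ip route {ip}/32 null0"      # assumed Zebra static-route syntax
        return None

    def expire(self, now):
        """Withdraw routes whose hold time is up; if Snort keeps alerting, they get re-added."""
        cmds = []
        for ip, deadline in list(self.active.items()):
            if now >= deadline:
                del self.active[ip]
                self.hits[ip] = 0
                cmds.append(f"no ip route {ip}/32 null0")
        return cmds

if __name__ == "__main__":
    # Constructed sample: one internal web server reflecting SYNs at an outside target.
    sample = ("05/01-12:00:01.000000  [**] [1:1000:1] DDOS SYN flood reflector [**] "
              "[Priority: 2] {TCP} 10.1.2.3:80 -> 192.0.2.10:1234")
    ctl = BlackholeController()
    for t in range(MIN_HITS):
        cmd = ctl.ingest(sample, 1000 + t)
        if cmd:
            print("vtysh -c 'conf t' -c", repr(cmd))   # how the command would be handed to Zebra
    print(ctl.expire(1000 + MIN_HITS + HOLD_SECONDS))
```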