On Thu, 17 Jan 2002, Pascal Gloor wrote:

Hey Spale :-)

> If you run a well dDoS'ed IRC Server on your network I have a solution for you... not the best one, but still technically working..
>
> Get a /24 (be careful that there is no bigger network announced which would include it!!! I mean like if you get 10.10.10/24, 10/8 would include it)
For those of you who don't really get the picture here, here is a real life example: My boss hosts the proxyscanner for the Undernet IRC network. For kiddies, this means they are unable to load floodnets onto the Undernet. This makes it a sitting DDoS target. Fortunately, no real DDoS attacks have taken place (just a few in December of about 10 Mbit/s each) but in case they do, I just stop announcing 193.109.122.0/24 to my uplinks. This netblock was requested and assigned specially for the IRC service. No, it's not a waste of IP space, we host other "ddos sensitive" stuff in there too.

The fact that most DDoS attacks are IRC related imho points out the kind of people we are dealing with. Young kids whose ego is bigger than their ability to take a step back from someone who calls them names on a channel they are visiting.
> Get a box, and run Zebra BGPD, which will announce that /24 to your network. Then do a script which monitors the traffic to the irc server, and on a certain threshold, kill BGPD. Wait a certain time, like 15 minutes or so, and restart BGPD. It would be nice to check the traffic every minute and if 2 consecutive checks are positive kill bgpd. That means that you may be able to STOP dDoS to irc servers within 2-3 minutes...
This is a method I personally don't use; this would mean a lot of route flapping/dampening. If a ddos lasts that long I just stop the announcements for at least 24 hrs.

On a side note, it is of course a shame that site administrators have to take measures going as far as requesting PI IP space from RIPE (or ARIN, whatever you prefer) in order to protect their networks against DDoS attacks by young people who probably don't have the slightest idea what they are doing.

--
Sabri Berisha
"I route, therefore you are"
~ my own opinions etc ~
http://www.cluecentral.net
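
The monitoring logic discussed in this thread, as an added example that is not part of the original messages: it models only the withdraw/re-announce decisions (one check per minute, two consecutive checks over the threshold) and compares the 15-minute hold with the 24-hour hold by counting route flaps. The 8 Mbit/s threshold, the function names and the traffic samples are assumptions constructed for illustration; stopping and starting bgpd is left to the caller.

```python
"""Withdraw/re-announce decision logic for a sacrificial /24 (added example)."""

def plan_announcements(samples_mbps, threshold_mbps, trigger_checks=2, hold_minutes=15):
    """Return [(minute, action)] for one traffic sample per minute.

    samples_mbps is the traffic *offered* to the server. While the prefix is
    withdrawn the monitor sees none of it, so re-announcing is always blind.
    """
    actions = []
    announced = True
    over = 0            # consecutive checks above the threshold
    resume_at = None    # minute at which the prefix is announced again
    for minute, rate in enumerate(samples_mbps):
        if not announced:
            if minute >= resume_at:
                actions.append((minute, "announce"))   # i.e. start bgpd
                announced = True
            continue    # routes are still propagating; checks resume next minute
        over = over + 1 if rate > threshold_mbps else 0
        if over >= trigger_checks:
            actions.append((minute, "withdraw"))       # i.e. stop bgpd
            announced = False
            over = 0
            resume_at = minute + hold_minutes
    return actions

def flap_count(actions):
    """Each withdrawal is a route flap as seen by upstream dampening."""
    return sum(1 for _, kind in actions if kind == "withdraw")

# Constructed sample: 5 quiet minutes, a 60-minute flood of 10 Mbit/s, 10 quiet minutes.
SAMPLE = [2] * 5 + [10] * 60 + [2] * 10
THRESHOLD = 8   # Mbit/s, assumed value

if __name__ == "__main__":
    for label, hold in (("15-minute hold", 15), ("24-hour hold", 24 * 60)):
        plan = plan_announcements(SAMPLE, THRESHOLD, hold_minutes=hold)
        print(label, "flaps:", flap_count(plan), plan)
```

With the constructed one-hour flood, the 15-minute hold withdraws the prefix four times, while the 24-hour hold withdraws it once.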