On Thursday, May 20, 2004 2:52 PM, Mark Kent wrote:
> I've been trying to find out what the current BCP is for handling DDoS attacks. Mostly what I find is material about how to be a good net.citizen (we already are), how to tune a kernel to better withstand a SYN flood, router stuff you can do to protect hosts behind it, how to track the attack back to the source, how to determine the nature of the traffic, etc.
This depends entirely on your definition of handling. To some people this means shutting down the victim to save the network as a whole. To others this means keeping everyone running smoothly, including the victim. The latter is preferred of course, but it is not for those who aren't willing to pay for it.
> But I don't care about most of that. I care that a gazillion pps are crushing our border routers (7206/NPE-G1).
> Other than getting bigger routers, is it still the case that the best we can do is identify the target IP (with NetFlow, for example) and have upstreams blackhole it?
It sounds like you're willing to blackhole the victim. In that case, yes, NetFlow is highly useful in finding out just who is getting attacked. Once you have that information, you can either manually contact your upstreams to have them null route the destination IP, or better yet, arrange ahead of time for a way to send properly tagged BGP announcements to them to blackhole /32s anytime you want.

The alternative is to get bigger links, bigger routers, and protect the host. For bigger links and bigger routers, keep PPS in mind. Some attacks are large packets and large bandwidth, with low PPS. Other attacks are low bandwidth, but high PPS. I get hit pretty regularly with 500k-600k PPS of SYNs. While this only adds up to a few hundred megabits of traffic, that is a lot of PPS for many routers, firewalls, servers, or whatever else they might hit. Junipers, for example, have no problem with high PPS.

Second, you have to figure out how to protect the host(s). We've gone with Riverhead (recently bought by Cisco) and they work quite well. I've seen attacks as high as around 650k PPS of spoofed SYNs, and the site running on a single (relatively weak) server remains up and generally unaffected by the attack.
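The workflow the reply describes, as an added example that is not part of the thread: aggregate flow records per destination to find the host under attack, report PPS and bandwidth separately (the SYN flood case in the reply is high PPS at a modest bit rate), and emit the tagged null route that a pre-arranged route-map turns into a blackhole announcement to the upstream. The flow record layout, the RFC 5737/5398 documentation addresses and ASN, and the tag and community values are all assumptions for illustration; the community an upstream honours is whatever you agreed with them, and the IOS-style syntax is only one vendor's form of the same idea.

```python
"""
Added example (not from the thread): find the DDoS victim from flow records,
then generate the tagged /32 null route for a remotely triggered blackhole.
"""
from collections import defaultdict
import ipaddress

# Constructed flow records in a simplified flow-tools-like CSV shape (assumed
# format, not a real NetFlow export). Fields:
#   src, dst, proto, sport, dport, tcp_flags, packets, bytes
# "S" = SYN only, "SA" = SYN+ACK seen, empty = no TCP flags (UDP).
SAMPLE_FLOWS = """\
203.0.113.7,192.0.2.10,6,41231,80,S,120000,4800000
203.0.113.9,192.0.2.10,6,51002,80,S,118000,4720000
203.0.113.44,192.0.2.10,6,23311,80,S,121000,4840000
203.0.113.81,192.0.2.10,6,60001,80,S,119000,4760000
198.51.100.5,192.0.2.20,6,52311,443,SA,900,1200000
198.51.100.6,192.0.2.20,6,52312,443,SA,1100,1500000
198.51.100.7,192.0.2.30,17,53,53,,300,45000
"""
WINDOW_SECONDS = 1  # constructed: every record above covers one 1-second export interval


def parse_flows(text):
    """Parse the constructed CSV shape into a list of dicts."""
    records = []
    for line in text.strip().splitlines():
        src, dst, proto, sport, dport, flags, pkts, byts = line.split(",")
        records.append({
            "src": src, "dst": dst, "proto": int(proto),
            "sport": int(sport), "dport": int(dport), "flags": flags,
            "packets": int(pkts), "bytes": int(byts),
        })
    return records


def per_destination(records, window_s):
    """Aggregate per destination IP: PPS, Mbps, average packet size,
    distinct sources and the share of packets that were SYN-only."""
    agg = defaultdict(lambda: {"packets": 0, "bytes": 0, "sources": set(), "syn_only": 0})
    for r in records:
        a = agg[r["dst"]]
        a["packets"] += r["packets"]
        a["bytes"] += r["bytes"]
        a["sources"].add(r["src"])
        if r["proto"] == 6 and r["flags"] == "S":
            a["syn_only"] += r["packets"]
    stats = {}
    for dst, a in agg.items():
        stats[dst] = {
            "pps": a["packets"] / window_s,
            "mbps": a["bytes"] * 8 / window_s / 1e6,
            "avg_pkt_bytes": a["bytes"] / a["packets"],
            "distinct_sources": len(a["sources"]),
            "syn_only_fraction": a["syn_only"] / a["packets"],
        }
    return stats


def find_targets(stats, pps_threshold):
    """Destinations whose PPS meets the threshold, busiest first. The trigger is
    PPS, not bandwidth, because 40-byte SYNs hurt routers long before links."""
    return sorted((d for d, s in stats.items() if s["pps"] >= pps_threshold),
                  key=lambda d: -stats[d]["pps"])


def rtbh_config(victim_ip, tag=666, community="64496:666"):
    """IOS-style config for the blackhole: a tagged static route to Null0 plus
    the route-map that marks it with the upstream's (placeholder) blackhole
    community. Redistribution of tagged statics into BGP is assumed to be
    set up in advance, as the reply recommends."""
    ip = ipaddress.ip_address(victim_ip)
    if ip.version != 4:
        raise ValueError("this example emits IPv4 config only")
    return "\n".join([
        f"ip route {ip} 255.255.255.255 Null0 tag {tag}",
        "route-map RTBH-EXPORT permit 10",
        f" match tag {tag}",
        f" set community {community}",
    ])


if __name__ == "__main__":
    stats = per_destination(parse_flows(SAMPLE_FLOWS), WINDOW_SECONDS)
    for dst, s in stats.items():
        print(f"{dst:14} {s['pps']:>9.0f} pps {s['mbps']:>8.2f} Mbps "
              f"avg {s['avg_pkt_bytes']:.0f} B  srcs={s['distinct_sources']} "
              f"syn_only={s['syn_only_fraction']:.0%}")
    for victim in find_targets(stats, pps_threshold=100_000):
        print(f"\n! blackhole candidate {victim}\n{rtbh_config(victim)}")
```

In the constructed data the victim shows 478k pps at about 153 Mbps with a 40-byte average packet, which is exactly the "few hundred megabits but a lot of PPS" profile the reply describes; the second host is carrying more bytes per packet at a tiny fraction of the packet rate and is not flagged. Keep the threshold tied to what your border routers can actually forward, and treat the generated route as something an operator reviews before it is committed, since it deliberately takes the victim offline.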