Re: Proactive steps to prevent DDOS?
On Fri, 26 January 2001, John Hawkinson wrote:
This is the "state a fact that might be wrong to poll for dissent," approach?
Yep.
I don't find it a very pleasant style of discourse.
Fine, does this work better for you? Help me, what proactive steps can I take to protect my network from a DDOS?
At 4:15 PM -0800 1/26/01, Sean Donelan wrote:
Fine, does this work better for you?
Help me, what proactive steps can I take to protect my network from a DDOS?
There isn't a lot that can be done, but there are a few steps you can take to "get ready" for a DDOS attack.
--Make sure you have monitoring of your routers or firewalls in place so you'll get an early alert of a possible DOS attack. This will at least allow you to start working on the problem (and drafting press releases :-).
--Talk to all of your upstream providers so you know how to contact and work with them if they are a source of a DOS attack against you. If your upstream provider isn't willing to work with you on this, start the process of getting a new upstream provider.
--Look into the systems that are being developed and starting to become available that help automate the work to diagnose DDOS attacks. Encourage your upstreams to do the same.
--Make sure you have in place the filtering on your own networks that you wish everyone else had in place on their networks. This won't protect you from being attacked, but it will prevent you and your users from attacking others (or at least using spoofed IP addresses to do so), and that in turn may prevent you from being the target of a retaliatory DOS attack. It can also prevent or limit the spread of a DOS attack that originates within your network or from someone downstream. From your customer's point of view there may not be much difference between you being the source of or the target of a DOS attack--either way performance is likely to be poor and customers are likely to be unhappy.
-Jeff Ogden
Merit
Help me, what proactive steps can I take to protect my network from a DDOS?
There isn't a lot that can be done, but there are a few steps you can take to "get ready" for a DDOS attack.
--Make sure you have monitoring of your routers or firewalls in place so you'll get an early alert of a possible DOS attack. This will at least allow you to start working on the problem (and drafting press releases :-).
I would add careful use of some rate-limiting functionality (already mentioned in Richard Steenbergen's http://www.e-gerbil.net/ras/dos.txt) so you can rate-limit things like icmp and acks numbered 0 and anything else that shows itself to be an obvious candidate over time.
As well, for us, part of "being ready" is knowing how to:
- deploy rate-limiters (so you're not trying to learn it during an attack)
- have ways to identify the target(s) of the attack -- predefined ACLs that are not applied but can be, to help determine the target(s), rmon probes, working knowledge of tcpdump or network sniffers, etc.
i.e. deploy ACLs on egress routers that can be enabled when an attack begins. A set of carefully defined filters can help determine information about the attack -- perhaps the src or dst or ports, or the fact that it's all random. Then ACLs to block or rate-limit can be built and applied, and/or if you're asking your upstream to take actions to help you, you can help them help you if you have information about the nature of the attack.
Granted it's a blunt instrument, but it has worked for me in the past when an attack has rendered better tools useless.
--Talk to all of your upstream providers so you know how to contact and work with them if they are a source of a DOS attack against you. If your upstream provider isn't willing to work with you on this, start the process of getting a new upstream provider.
--Look into the systems that are being developed and starting to become available that help automate the work to diagnose DDOS attacks. Encourage your upstreams to do the same.
--Make sure you have in place the filtering on your own networks that you wish everyone else had in place on their networks. This won't protect you from being attacked, but it will prevent you and your users from attacking others (or at least using spoofed IP addresses to do so), and that in turn may prevent you from being the target of a retaliatory DOS attack. It can also prevent or limit the spread of a DOS attack that originates within your network or from someone downstream. From your customer's point of view there may not be much difference between you being the source of or the target of a DOS attack--either way performance is likely to be poor and customers are likely to be unhappy.
-Jeff Ogden
Merit
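Added example, not code from the thread or from any of its posters: a small Python simulation of two of the items above, the egress filtering Jeff Ogden describes (drop anything leaving with a source address you do not originate) and the rate-limiting Dave Curado adds (here a token bucket applied to ICMP). The prefixes in `OUR_PREFIXES`, the packet records in `SAMPLE_PACKETS` and the rate and burst values are all constructed assumptions; on a real router these two pieces are an egress ACL and a rate-limit statement, and the script only makes the decision logic visible.

```python
"""Egress anti-spoofing filter plus token-bucket rate limiter, simulated
over constructed packet records (added example; not code from the thread).
Prefixes, packets and limits are assumed values."""
import ipaddress
from collections import Counter

# Assumed: the address space this network originates.  Anything leaving
# with a source outside it is spoofed and must not reach the upstream.
OUR_PREFIXES = [ipaddress.ip_network(p) for p in ("192.0.2.0/24", "198.51.100.0/24")]

# Constructed records: (seconds, src, dst, proto)
SAMPLE_PACKETS = [
    (0.0, "192.0.2.10",   "203.0.113.5", "tcp"),   # normal
    (0.1, "10.9.9.9",     "203.0.113.5", "tcp"),   # spoofed source
    (0.2, "192.0.2.11",   "203.0.113.5", "icmp"),
    (0.3, "192.0.2.11",   "203.0.113.5", "icmp"),
    (0.4, "192.0.2.11",   "203.0.113.5", "icmp"),
    (0.5, "192.0.2.11",   "203.0.113.5", "icmp"),  # burst exhausted
    (0.6, "192.0.2.11",   "203.0.113.5", "icmp"),
    (2.0, "198.51.100.7", "203.0.113.5", "icmp"),  # bucket refilled
    (2.1, "203.0.113.77", "203.0.113.5", "udp"),   # spoofed source
]


class TokenBucket:
    """Simple token bucket: `rate` tokens per second, at most `burst` stored."""

    def __init__(self, rate, burst):
        self.rate = float(rate)
        self.burst = float(burst)
        self.tokens = float(burst)
        self.last = 0.0

    def allow(self, now, cost=1.0):
        # Refill for the elapsed time, capped at the burst size.
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= cost:
            self.tokens -= cost
            return True
        return False


def is_spoofed(src):
    """True if the source address is outside the prefixes we originate."""
    addr = ipaddress.ip_address(src)
    return not any(addr in net for net in OUR_PREFIXES)


def egress_policy(packets, icmp_pps=2.0, icmp_burst=3):
    """Apply the egress policy to (time, src, dst, proto) records.

    Returns a Counter of verdicts: forwarded, dropped-spoofed,
    dropped-ratelimit.  Spoofed sources are dropped unconditionally;
    ICMP is forwarded only while the token bucket has tokens.
    """
    bucket = TokenBucket(icmp_pps, icmp_burst)
    verdicts = Counter()
    for now, src, _dst, proto in packets:
        if is_spoofed(src):
            verdicts["dropped-spoofed"] += 1
        elif proto == "icmp" and not bucket.allow(now):
            verdicts["dropped-ratelimit"] += 1
        else:
            verdicts["forwarded"] += 1
    return verdicts


if __name__ == "__main__":
    for verdict, count in sorted(egress_policy(SAMPLE_PACKETS).items()):
        print(f"{verdict:18s} {count}")
```

The spoofed-source check is what keeps your own network from being a launch point; the rate limiter is the blunt instrument the thread mentions, useful because it keeps a link usable without first knowing what the traffic is.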
At 12:52 27/01/01 -0500, Jeff Ogden wrote:
At 4:15 PM -0800 1/26/01, Sean Donelan wrote:
Fine, does this work better for you?
Help me, what proactive steps can I take to protect my network from a DDOS?
There isn't a lot that can be done, but there are a few steps you can take to "get ready" for a DDOS attack.
--Make sure you have monitoring of your routers or firewalls in place so you'll get an early alert of a possible DOS attack. This will at least allow you to start working on the problem (and drafting press releases :-).
--Talk to all of your upstream providers so you know how to contact and work with them if they are a source of a DOS attack against you. If your upstream provider isn't willing to work with you on this, start the process of getting a new upstream provider.
--Look into the systems that are being developed and starting to become available that help automate the work to diagnose DDOS attacks. Encourage your upstreams to do the same.
I know of just Asta Networks:
Asta Networks claims cure for denial-of-service attacks, Jan 17, 2001
http://www.nwfusion.com/news/2001/0117ddos.html
Firm eyes DOS attacks, Jan 22, 2001
http://www.nwfusion.com/archive/2001/115979_01-22-2001.html
Can you elaborate on others you may know?
-Hank
--Make sure you have in place the filtering on your own networks that you wish everyone else had in place on their networks. This won't protect you from being attacked, but it will prevent you and your users from attacking others (or at least using spoofed IP addresses to do so), and that in turn may prevent you from being the target of a retaliatory DOS attack. It can also prevent or limit the spread of a DOS attack that originates within your network or from someone downstream. From your customer's point of view there may not be much difference between you being the source of or the target of a DOS attack--either way performance is likely to be poor and customers are likely to be unhappy.
-Jeff Ogden
Merit
At 9:27 AM +0200 1/29/01, Hank Nussbacher wrote:
At 12:52 27/01/01 -0500, Jeff Ogden wrote:
--Look into the systems that are being developed and starting to become available that help automate the work to diagnose DDOS attacks. Encourage your upstreams to do the same.
I know of just Asta Networks:
Asta Networks claims cure for denial-of-service attacks, Jan 17, 2001
http://www.nwfusion.com/news/2001/0117ddos.html
Firm eyes DOS attacks, Jan 22, 2001
http://www.nwfusion.com/archive/2001/115979_01-22-2001.html
Can you elaborate on others you may know?
-Hank
Yes, Asta is one.
There is a DARPA funded research project called Lighthouse at the University of Michigan that is working in this area. Merit has been involved mostly by giving them access to traffic on a real operational network. See:
http://www.darpa.mil/leaving.asp?url=http://www.eecs.umich.edu/lighthouse
I understand that there are other DARPA funded efforts working on different aspects of the DOS problem (automatic detection, trace back, counter measures).
Take a look at "Networking & Distributed Systems" under
http://www.darpa.mil/ito/ResearchAreas.html
In particular see:
http://www.darpa.mil/ito/psum2000/J032-0.html
http://www.darpa.mil/ito/psum2000/J910-0.html
http://www.darpa.mil/ito/psum2000/J028-0.html
DANTE has also developed a tool made of in-house scripts and a database, based on netflow exports, that detects more DoS attacks than manpower is available to treat. Still, it enables us to log, and treat, the major (long lasting, repeating, extremely distributed, powerful, you name it) ones.
However, we have discovered the following interesting paradox:
- the more transit traffic a network carries, the more likely it will also carry DoS attacks, the more DoS attacks will be noticed and the higher the costs associated with DDoS will be
- once an attack is detected on a transit network, getting the correct administration of the end sites to actually do something about it is the real problem, especially if those end sites are not direct peers (which, for some major transit networks, is always the case). As usual, it is enough for one administration in the chain to have not enough manpower / not understand the problem or ways to fix it / think the problem is not worth fixing / have different priorities for DDoS-compromised hosts to remain compromised for months.
It's good to see that awareness is being raised recently, though.
DH.
At 08:47 AM 1/29/01 -0500, Jeff Ogden wrote:
At 9:27 AM +0200 1/29/01, Hank Nussbacher wrote:
At 12:52 27/01/01 -0500, Jeff Ogden wrote:
--Look into the systems that are being developed and starting to become available that help automate the work to diagnose DDOS attacks. Encourage your upstreams to do the same.
I know of just Asta Networks: Asta Networks claims cure for denial-of-service attacks, Jan 17, 2001 http://www.nwfusion.com/news/2001/0117ddos.html Firm eyes DOS attacks, Jan 22, 2001 http://www.nwfusion.com/archive/2001/115979_01-22-2001.html
Can you elaborate on others you may know?
-Hank
Yes, Asta is one.
There is a DARPA funded research project called Lighthouse at the University of Michigan that is working in this area. Merit has been involved mostly by giving them access to traffic on a real operational network. See:
http://www.darpa.mil/leaving.asp?url=http://www.eecs.umich.edu/lighthouse
I understand that there are other DARPA funded efforts working on different aspects of the DOS problem (automatic detection, trace back, counter measures).
Take a look at "Networking & Distributed Systems" under
http://www.darpa.mil/ito/ResearchAreas.html
In particular see:
http://www.darpa.mil/ito/psum2000/J032-0.html
http://www.darpa.mil/ito/psum2000/J910-0.html
http://www.darpa.mil/ito/psum2000/J028-0.html
--
David Harmelin, Network Engineer, DANCERT Representative
DANTE, Francis House, 112 Hills Road, Cambridge CB2 1PQ, United Kingdom
Tel +44 1223 302992, Fax +44 1223 303005, WWW http://www.dante.net
On Mon, Jan 29, 2001 at 03:00:36PM +0000, David Harmelin wrote:
DANTE has also developped a tool made of in-house scripts, a database and based on netflow exports, that detects more DoS attacks than manpower is available to treat [...]
Any chance folks on this list would be willing to share the source (or failing that, _detailed_ tech specs) to their DoS detection tools? Or is the general consensus still that this is a big no-no, not even up for discussion, as such tools are highly proprietary, and the public scrutiny resulting from such a release would be a Bad Thing(TM)?
I'm sure I'm not alone in saying that lots of smaller folks wouldn't mind deploying these, but lack the in-house resources needed to develop them from the ground up.
-adam
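Added example, not DANTE's tool (whose source is not in the thread) and not code from any poster: a minimal Python detector in the spirit of what David Harmelin describes and Adam Rothschild asks for. It reads NetFlow-style records, aggregates them per destination over the observed window, and flags destinations that see many distinct sources at a high packet rate with small packets, while leaving a busy but normal server alone. The record format (a constructed CSV, not real v5 exports), the thresholds and the sample flows are all assumptions.

```python
"""Flow-based DoS detection over NetFlow-style records (added example;
not DANTE's tool).  Record format, thresholds and sample data are
assumptions constructed for this illustration."""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample (not real exports): start,end,src,dst,proto,packets,bytes
SAMPLE_FLOWS = """\
# legitimate bulk transfers to 203.0.113.5: few sources, large packets
0,10,192.0.2.10,203.0.113.5,6,1200,960000
0,10,192.0.2.11,203.0.113.5,6,800,640000
# popular web server 203.0.113.20: many sources, but low rate, full-size packets
2,4,192.0.2.20,203.0.113.20,6,50,75000
2,4,192.0.2.21,203.0.113.20,6,50,75000
2,4,192.0.2.22,203.0.113.20,6,50,75000
2,4,192.0.2.23,203.0.113.20,6,50,75000
2,4,192.0.2.24,203.0.113.20,6,50,75000
2,4,192.0.2.25,203.0.113.20,6,50,75000
# flood toward 203.0.113.9: many sources, tiny UDP packets, high rate
1,9,198.51.100.1,203.0.113.9,17,5000,200000
1,9,198.51.100.2,203.0.113.9,17,5000,200000
1,9,198.51.100.3,203.0.113.9,17,5000,200000
1,9,198.51.100.4,203.0.113.9,17,5000,200000
1,9,198.51.100.5,203.0.113.9,17,5000,200000
1,9,198.51.100.6,203.0.113.9,17,5000,200000
1,9,198.51.100.7,203.0.113.9,17,5000,200000
1,9,198.51.100.8,203.0.113.9,17,5000,200000
"""


@dataclass
class Flow:
    start: float
    end: float
    src: str
    dst: str
    proto: int
    packets: int
    bytes: int


def parse_flows(text):
    """Parse the constructed CSV format; '#' lines and blank lines are skipped."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        start, end, src, dst, proto, packets, nbytes = line.split(",")
        flows.append(Flow(float(start), float(end), src, dst,
                          int(proto), int(packets), int(nbytes)))
    return flows


@dataclass
class DstStats:
    sources: set = field(default_factory=set)
    packets: int = 0
    bytes: int = 0
    start: float = float("inf")
    end: float = 0.0


def aggregate(flows):
    """Fold flows into per-destination statistics."""
    stats = defaultdict(DstStats)
    for f in flows:
        s = stats[f.dst]
        s.sources.add(f.src)
        s.packets += f.packets
        s.bytes += f.bytes
        s.start = min(s.start, f.start)
        s.end = max(s.end, f.end)
    return stats


def detect(flows, min_sources=5, min_pps=1000, max_avg_bytes=100):
    """Flag destinations hit by many distinct sources at a high packet
    rate with small packets.  Thresholds are assumed; tune them to the
    network's normal traffic so busy servers do not trip the detector."""
    alerts = []
    for dst, s in aggregate(flows).items():
        duration = max(s.end - s.start, 1.0)  # guard against zero-length windows
        pps = s.packets / duration
        avg_bytes = s.bytes / s.packets if s.packets else 0.0
        if len(s.sources) >= min_sources and pps >= min_pps and avg_bytes <= max_avg_bytes:
            alerts.append({"dst": dst, "sources": len(s.sources),
                           "pps": pps, "avg_bytes": avg_bytes})
    return sorted(alerts, key=lambda a: a["pps"], reverse=True)


if __name__ == "__main__":
    for a in detect(parse_flows(SAMPLE_FLOWS)):
        print(f"ALERT dst={a['dst']} sources={a['sources']} "
              f"pps={a['pps']:.0f} avg_bytes={a['avg_bytes']:.0f}")
```

The three conditions together matter: source count alone flags every popular server, packet rate alone flags every bulk transfer, and only the combination with a small average packet size singles out the flood. The per-destination summary is also exactly the information the thread says an upstream needs from you before it can help.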
On Sat, Jan 27, 2001, Jeff Ogden wrote:
At 4:15 PM -0800 1/26/01, Sean Donelan wrote:
Fine, does this work better for you?
Help me, what proactive steps can I take to protect my network from a DDOS?
There isn't a lot that can be done, but there are a few steps you can take to "get ready" for a DDOS attack.
[snip]
Does anyone have any nifty ideas on how we can *squash* this? The script kiddies are only going to get more clever (or their utilities are), and it seems that the majority of the ideas people have for DoS/DDoS seem to be limited to trying to treat the symptoms. (.. which, as was demonstrated yesterday by someone hosting an efnet server, requires extremely good coordination and contacts with the "large players" for it to be effective.)
2c,
Adrian
At 04:15 PM 1/26/01 -0800, Sean Donelan wrote:
Fine, does this work better for you?
Help me, what proactive steps can I take to protect my network from a DDOS?
We've got this document on the company's public-facing web site:
http://www.genuity.com/securitymatters/rundown004.htm
and I think we've also got some more documents that our Customer Service Center distributes. Have you tried calling Genuity and asking? I would expect that you would get a productive response.
cheers
Betsy (not in that area of things myself)
--
Elizabeth Schwartz, Unix System Administrator, Genuity, Inc
eschwart@genuity.net, 781-262-6565
participants (8)
- Adam Rothschild
- Adrian Chadd
- Dave Curado
- David Harmelin
- Elizabeth Schwartz
- Hank Nussbacher
- Jeff Ogden
- Sean Donelan