Re: Proactive steps to prevent DDOS?
Sean,

What you can do is enforce policy on your AS boundaries which:

- rate limits ICMP
- counts ICMP to detect floods; a monitoring script on your NMS can determine when the ICMP threshold has been exceeded and then determine the source and dest of the bulk of that ICMP traffic, then change your filters to discard ICMP to the host under attack while in parallel notifying the NOC of the source or intermediary involved
- for SYN floods, there may be no way to stop them, but early warning can be achieved by counting both TCP SYN and total TCP, and when the ratio of TCP SYN to TCP exceeds your threshold you can notify the NOC of the incoming intfc.

When you understand the characteristics of the attacks or probes you are trying to stop, there are some powerful filtering and counting techniques which can be left in place at your edges and used in conjunction with monitoring scripts.

Thanks
Sean

--- Sean Donelan <sean@donelan.com> wrote:
Ok, Yahoo, Ebay, Amazon and Microsoft have all made essentially the same statement after being hit by a DDOS: "taken steps to improve protection of their networks from this type of attack."
My question is: what are these steps, and why can't people take them before they experience a DDOS?
Is there some magic command I can put into my router to help protect my network from a DDOS, or is this just PR fluff to make it look like the corporation is doing something? But in reality there is nothing you can do but wait for the attacker to get bored and stop on their own.
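As an added example that is not part of the thread and not code posted by any participant: a small Python monitor in the spirit of Sean Capshaw's counting-and-filtering approach. It consumes per-interval flow samples (constructed inline; the record layout, interface names, addresses and thresholds are all assumptions, and a real NMS would pull them from SNMP counters or sampled NetFlow), raises an ICMP-flood alert naming the host that receives the bulk of the ICMP and its dominant sources, emits the discard filter to apply for that host, and gives SYN-flood early warning from the SYN-to-total-TCP ratio per ingress interface.

```python
"""Edge-counter monitor for ICMP floods and SYN-ratio early warning.

Added example; thresholds, record layout and addresses are assumptions."""
from collections import Counter

# Assumed thresholds (not from the post); tune them to your edge's baseline.
ICMP_PKTS_PER_INTERVAL = 5000   # ICMP packets per counting interval
SYN_RATIO_THRESHOLD = 0.5       # fraction of TCP packets that are SYNs
MIN_TCP_PKTS = 1000             # too little TCP on an interface to judge a ratio

# Constructed sample: one counting interval of flow records from edge interfaces,
# the shape a monitoring script might get from sampled NetFlow or packet counters.
# Fields: ingress interface, protocol, src, dst, packet count, TCP SYN flag set.
SAMPLE_FLOWS = [
    {"iface": "ge-0/0/0", "proto": "icmp", "src": "198.51.100.7", "dst": "192.0.2.10", "pkts": 3000, "syn": False},
    {"iface": "ge-0/0/0", "proto": "icmp", "src": "198.51.100.9", "dst": "192.0.2.10", "pkts": 2500, "syn": False},
    {"iface": "ge-0/0/1", "proto": "icmp", "src": "203.0.113.4", "dst": "192.0.2.10", "pkts": 1000, "syn": False},
    {"iface": "ge-0/0/1", "proto": "icmp", "src": "203.0.113.8", "dst": "192.0.2.22", "pkts": 200, "syn": False},
    {"iface": "ge-0/0/0", "proto": "tcp", "src": "203.0.113.20", "dst": "192.0.2.80", "pkts": 1800, "syn": False},
    {"iface": "ge-0/0/0", "proto": "tcp", "src": "203.0.113.21", "dst": "192.0.2.80", "pkts": 200, "syn": True},
    {"iface": "ge-0/0/1", "proto": "tcp", "src": "198.51.100.33", "dst": "192.0.2.80", "pkts": 600, "syn": False},
    {"iface": "ge-0/0/1", "proto": "tcp", "src": "198.51.100.34", "dst": "192.0.2.80", "pkts": 2400, "syn": True},
    {"iface": "ge-0/0/2", "proto": "tcp", "src": "203.0.113.99", "dst": "192.0.2.80", "pkts": 50, "syn": True},
]


def icmp_flood_report(flows, threshold=ICMP_PKTS_PER_INTERVAL):
    """Return None while ICMP stays under the threshold; otherwise a report with
    the host receiving the bulk of the ICMP, its top sources, the ingress
    interfaces involved, and the filter change to push to the edge."""
    icmp = [f for f in flows if f["proto"] == "icmp"]
    total = sum(f["pkts"] for f in icmp)
    if total <= threshold:
        return None
    by_dst = Counter()
    for f in icmp:
        by_dst[f["dst"]] += f["pkts"]
    victim, victim_pkts = by_dst.most_common(1)[0]
    # Attribute only the traffic aimed at the victim, so a normal ICMP
    # destination elsewhere does not get blamed for the flood.
    by_src, by_iface = Counter(), Counter()
    for f in icmp:
        if f["dst"] == victim:
            by_src[f["src"]] += f["pkts"]
            by_iface[f["iface"]] += f["pkts"]
    return {
        "victim": victim,
        "icmp_pkts": total,
        "victim_share": round(victim_pkts / total, 3),
        "top_sources": by_src.most_common(3),
        "ingress": by_iface.most_common(),
        # Vendor-neutral description of the filter change; discard ICMP to the
        # attacked host only, leaving ICMP to the rest of the network alone.
        "filter": f"discard icmp dst={victim}",
    }


def syn_ratio_warnings(flows, ratio=SYN_RATIO_THRESHOLD, min_tcp=MIN_TCP_PKTS):
    """Per ingress interface, return {iface: syn_ratio} for interfaces whose
    SYN share of TCP exceeds the ratio. Interfaces carrying fewer than min_tcp
    TCP packets are skipped: a handful of SYNs on an idle link is not a flood."""
    syn, tcp = Counter(), Counter()
    for f in flows:
        if f["proto"] != "tcp":
            continue
        tcp[f["iface"]] += f["pkts"]
        if f["syn"]:
            syn[f["iface"]] += f["pkts"]
    return {
        iface: round(syn[iface] / n, 3)
        for iface, n in tcp.items()
        if n >= min_tcp and syn[iface] / n > ratio
    }


def noc_notice(flows):
    """Build the lines a monitoring script would hand to the NOC for this interval."""
    lines = []
    report = icmp_flood_report(flows)
    if report:
        lines.append(
            f"ICMP flood: {report['icmp_pkts']} pkts, {report['victim_share']:.0%} to "
            f"{report['victim']} via {report['ingress']}; sources {report['top_sources']}; "
            f"applying: {report['filter']}"
        )
    for iface, r in syn_ratio_warnings(flows).items():
        lines.append(f"SYN ratio {r:.0%} on incoming {iface}: possible SYN flood")
    return lines


if __name__ == "__main__":
    for line in noc_notice(SAMPLE_FLOWS):
        print(line)
```

The two checks deliberately differ in what they do: the ICMP report names a concrete filter because discarding ICMP to one host is a safe, reversible change, while the SYN check only notifies, matching the post's point that early warning is the realistic goal there.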
On Mon, 29 Jan 2001 08:16:27 PST, Sean Capshaw <scapshaw@yahoo.com> said:
of the bulk of that ICMP traffic, then change your filters to discard ICMP to the host under attack while in parallel notify the NOC of the source or intermediary involved
*attempt* to notify the NOC....

--
Valdis Kletnieks
Operating Systems Analyst
Virginia Tech
On Mon, Jan 29, 2001 at 11:34:10AM -0500, Valdis.Kletnieks@vt.edu wrote:
On Mon, 29 Jan 2001 08:16:27 PST, Sean Capshaw <scapshaw@yahoo.com> said:
of the bulk of that ICMP traffic, then change your filters to discard ICMP to the host under attack while in parallel notify the NOC of the source or intermediary involved
*attempt* to notify the NOC....
Oh, I never had problems notifying NOCs... getting them to *do* something or call someone is the trick. I can't remember which large ISP it was that told me that the only way I'd be connected to their network was if I was a customer with a customer number. "I don't think so"

--
John Payne http://www.sackheads.org/jpayne/ john@sackheads.org
http://www.sackheads.org/uce/ Fax: +44 870 0547954
To send me mail, use the address in the From: header