Re: Advanced Countermeasures to prevent a DDoS
At 16:38 19/07/01 -0400, you wrote:
> I was wondering if anyone on this list has considered the idea of trying to eliminate DDoS attacks while designing their Data Centre's network topology. If so, did you include server isolation and/or distribution?
>
> Secondly, is it even possible to eliminate (or get as close to elimination as one can in the tech world) DDoS attacks with network design and server implementation? Does anyone have an advanced understanding of these issues, and if so are you willing to exchange information off-line?
>
> Scott E. MacKenzie semackenzie@crop.attcanada.ca

It all hinges on your upstream ISPs. The things to ask for are:

- SYN and ICMP rate limiting: If you buy a T3 from your upstream, you should ask that they place on *their* peering routers and on the router facing you Cisco rate limits of about 512kb/sec of ICMP and about 128kb/sec of SYNs. Pay extra if need be.

- anti-spoofing: require your upstream ISPs to implement full anti-spoofing for incoming packets. That includes RFC1918, unassigned IANA blocks and (as a minimum) IP anti-spoofing on all single-homed customer links (Cisco ip verify unicast reverse-path).

- BGP community: Your upstream should allow you to announce a BGP community for any sub-prefix in your IP block (meaning he cannot be strict about the length of the prefix you announce to him, since it can change dynamically) that will mean ROUTENULL, which means they eat the packets for you.

Find 2 upstreams who will agree to the above 3 items and you are 99% safe from DDoS.

-Hank
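The first two items above (ICMP/SYN rate limits and anti-spoofing on the upstream's routers), written out as Cisco IOS configuration for the upstream side. This is an added example for readers of the archive, not configuration posted by Hank or anyone else in the thread. The interface names, the customer block 203.0.113.0/24, the point-to-point addresses and the burst sizes are constructed; the 512 kb/s and 128 kb/s rates follow Hank's figures, which he gives only as examples.

```cisco
! Added example, not from the thread. Upstream router; all addresses and
! interface names are constructed (RFC 5737 documentation ranges).
ip cef
!
! --- 1. Rate limits with CAR. The access list selects what gets policed.
!     Packets the list DENIES are not policed at all, so BGP is exempted
!     here rather than counted against the SYN budget.
access-list 150 permit icmp any 203.0.113.0 0.0.0.255
!
access-list 151 deny   tcp any 203.0.113.0 0.0.0.255 eq bgp
access-list 151 deny   tcp any eq bgp 203.0.113.0 0.0.0.255
access-list 151 deny   tcp any 203.0.113.0 0.0.0.255 established
access-list 151 permit tcp any 203.0.113.0 0.0.0.255
! "deny established" removes every segment with ACK or RST set, so what is
! left for the permit line is new connection attempts, i.e. SYNs.
!
! --- 2. Anti-spoofing. Never-routable sources are dropped by ACL on the
!     Internet-facing side; the single-homed customer link gets strict uRPF,
!     which drops any source the FIB does not route back out that interface.
ip access-list extended BOGONS-IN
 deny   ip 0.0.0.0 0.255.255.255 any
 deny   ip 10.0.0.0 0.255.255.255 any
 deny   ip 127.0.0.0 0.255.255.255 any
 deny   ip 169.254.0.0 0.0.255.255 any
 deny   ip 172.16.0.0 0.15.255.255 any
 deny   ip 192.168.0.0 0.0.255.255 any
 deny   ip 224.0.0.0 31.255.255.255 any
 ! unassigned IANA blocks belong here too; that list changes, so it needs upkeep
 permit ip any any
!
interface Serial0/0
 description transit / peering toward the Internet (constructed)
 ip address 198.51.100.1 255.255.255.252
 ip access-group BOGONS-IN in
 rate-limit input access-group 150 512000 8000 8000 conform-action transmit exceed-action drop
 rate-limit input access-group 151 128000 8000 8000 conform-action transmit exceed-action drop
!
interface Serial1/0
 description T3 to single-homed customer, 203.0.113.0/24 (constructed)
 ip address 198.51.100.5 255.255.255.252
 ip verify unicast reverse-path
 rate-limit output access-group 150 512000 8000 8000 conform-action transmit exceed-action drop
 rate-limit output access-group 151 128000 8000 8000 conform-action transmit exceed-action drop
```

The limits are per interface, not per flow: once the aggregate of SYNs toward the customer block passes 128 kb/s, legitimate connection attempts are dropped alongside the flood. What this buys is that the T3 and the routers behind it stay up; it does not by itself keep the attacked service reachable. Strict uRPF (`ip verify unicast reverse-path`) is only safe on links where routing is symmetric, which is why Hank scopes it to single-homed customers.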
On Fri, 20 Jul 2001, Hank Nussbacher wrote:
> At 16:38 19/07/01 -0400, you wrote:
> It all hinges on your upstream ISPs. The things to ask for are:
> - SYN and ICMP rate limiting: If you buy a T3 from your upstream, you should ask that they place on *their* peering routers and on the router facing you Cisco rate limits of about 512kb/sec of ICMP and about 128kb/sec of SYNs. Pay extra if need be.

This means I only need a modem to SYN flood your network out of order. Rate-limits are only worthwhile for 'well behaved' flows; DoS is by definition NOT well-behaved.
On Fri, Jul 20, 2001 at 07:22:28AM +0200, Hank Nussbacher wrote:
> It all hinges on your upstream ISPs. The things to ask for are:
> - SYN and ICMP rate limiting: If you buy a T3 from your upstream, you should ask that they place on *their* peering routers and on the router facing you Cisco rate limits of about 512kb/sec of ICMP and about 128kb/sec of SYNs. Pay extra if need be.

512Kbps for ICMP? I'd go for 128Kbps if not less. TCP/SYN - 128Kbps? ;) 128Kbps is way too easy... do it per hot box/IP. It will take just one or two modems to take you down, for example someone portscanning your network. Ask for hot [potential] targets only: ircd, shell systems, router interfaces. Do it per box, plus the same rules for all of your router interfaces heading out to the big bad 'Net. Just make sure you have a proper deny ACL so as not to rate-limit BGP traffic during a live attack. Before placing something permanent you need to adjust and play with this.

> - anti-spoofing: require your upstream ISPs to implement full anti-spoofing for incoming packets. That includes RFC1918, unassigned IANA blocks and (as a minimum) IP anti-spoofing on all single-homed customer links (Cisco ip verify unicast reverse-path).

Sounds good. Check 'ip verify unicast source reachable-via any' as well: http://www.cisco.com/public/cons/isp/documents/uRPF_Enhancement.pdf. The new uRPF works if you're multihomed too.

> - BGP community: Your upstream should allow you to announce a BGP community for any sub-prefix in your IP block (meaning he cannot be strict about the length of the prefix you announce to him, since it can change dynamically) that will mean ROUTENULL, which means they eat the packets for you.

Sounds good... too good to be true. Any Tier1 or "Tier1.5" does this? ;)

> Find 2 upstreams who will agree to the above 3 items and you are 99% safe from DDoS.

And I can still take you down with
1. tcp fin
2. tcp psh
3. tcp rst
4. tcp ack
5. tcp urg
6. tcp frags
7. udp
8. ip frags

I don't know, but somehow I doubt you'll find an upstream to do ~10 rate-limits per your hot stuff and another ~10 for router interfaces. If you do manage to get this setup from upstream you'll be somewhat "99% safe from DDoS". Kids can and most likely will find a hole to take you down; it just takes time.

-Basil
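Hank's third item, the customer-triggered blackhole community, together with the loose-mode uRPF that Basil points to for multihomed links, as Cisco IOS configuration for both ends. This is an added example, not configuration from Hank, Basil or anyone in the thread. Upstream AS 64496, customer AS 64497, the community value 64496:666, the discard address 192.0.2.1, the link addresses and the customer block 203.0.113.0/24 are all constructed documentation values; a real upstream publishes its own community number.

```cisco
! Added example, not from the thread. Upstream is AS 64496, customer is
! AS 64497 and holds 203.0.113.0/24. All numbers are constructed (RFC 5737 /
! RFC 5398 documentation ranges).
!
! ===== Upstream side =====
ip bgp-community new-format
! Discard route: any prefix whose BGP next hop resolves to this address is
! dropped by the forwarding plane, at every router that carries the route.
ip route 192.0.2.1 255.255.255.255 Null0
!
! Accept the customer's block AND any more-specific of it (le 32). The
! blackholed prefix is a single host and changes while the attack is on,
! so a prefix-length filter that is strict about /24 would defeat this.
ip prefix-list CUST-PFX seq 5 permit 203.0.113.0/24 le 32
ip community-list 1 permit 64496:666
!
route-map CUSTOMER-IN permit 10
 match ip address prefix-list CUST-PFX
 match community 1
 set ip next-hop 192.0.2.1
 set local-preference 200
 set community no-export additive
route-map CUSTOMER-IN permit 20
 match ip address prefix-list CUST-PFX
! Implicit deny below: anything outside the customer's block is refused.
!
router bgp 64496
 neighbor 198.51.100.2 remote-as 64497
 neighbor 198.51.100.2 send-community
 neighbor 198.51.100.2 route-map CUSTOMER-IN in
!
! Loose-mode uRPF (the "source reachable-via any" form Basil mentions) for a
! multihomed customer: the source only has to exist somewhere in the FIB,
! so asymmetric return paths do not cause drops. It still stops RFC 1918
! and unallocated sources; it does not stop spoofing of allocated ones.
interface Serial1/1
 description T3 to multihomed customer (constructed)
 ip address 198.51.100.1 255.255.255.252
 ip verify unicast source reachable-via any
!
! ===== Customer side: host 203.0.113.7 is under attack =====
ip bgp-community new-format
! A static to Null0 puts the /32 in the table so BGP can originate it.
ip route 203.0.113.7 255.255.255.255 Null0
route-map SET-BLACKHOLE permit 10
 set community 64496:666
router bgp 64497
 network 203.0.113.7 mask 255.255.255.255 route-map SET-BLACKHOLE
 neighbor 198.51.100.1 remote-as 64496
 neighbor 198.51.100.1 send-community
```

The attacked host becomes unreachable by design, but the flood is discarded at the upstream's edge instead of arriving over the T3, so the rest of the customer's block stays up. Removing the static route withdraws the /32 and normal forwarding resumes. `set community no-export` keeps the upstream from leaking the /32 to its own peers. Do this with every upstream, as Hank says: a single one that does not honour the community leaves a path the traffic will take.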
At 00:22 20/07/01 -0500, Basil Kruglov wrote:
> On Fri, Jul 20, 2001 at 07:22:28AM +0200, Hank Nussbacher wrote:
> > It all hinges on your upstream ISPs. The things to ask for are:
> > - SYN and ICMP rate limiting: If you buy a T3 from your upstream, you should ask that they place on *their* peering routers and on the router facing you Cisco rate limits of about 512kb/sec of ICMP and about 128kb/sec of SYNs. Pay extra if need be.
>
> 512Kbps for ICMP? I'd go for 128Kbps if not less.

YMMV. It all depends on how big a pipe you use. The numbers are examples and each site would have to determine what number works best for them.

> TCP/SYN - 128Kbps? ;) 128Kbps is way too easy... do it per hot box/IP. It will take just one or two modems to take you down, for example someone portscanning your network.
>
> Ask for hot [potential] targets only: ircd, shell systems, router interfaces. Do it per box, plus the same rules for all of your router interfaces heading out to the big bad 'Net. Just make sure you have a proper deny ACL so as not to rate-limit BGP traffic during a live attack.
>
> Before placing something permanent you need to adjust and play with this.
>
> > - anti-spoofing: require your upstream ISPs to implement full anti-spoofing for incoming packets. That includes RFC1918, unassigned IANA blocks and (as a minimum) IP anti-spoofing on all single-homed customer links (Cisco ip verify unicast reverse-path).
>
> Sounds good. Check 'ip verify unicast source reachable-via any' as well: http://www.cisco.com/public/cons/isp/documents/uRPF_Enhancement.pdf. The new uRPF works if you're multihomed too.
>
> > - BGP community: Your upstream should allow you to announce a BGP community for any sub-prefix in your IP block (meaning he cannot be strict about the length of the prefix you announce to him, since it can change dynamically) that will mean ROUTENULL, which means they eat the packets for you.
>
> Sounds good... too good to be true. Any Tier1 or "Tier1.5" does this? ;)
>
> > Find 2 upstreams who will agree to the above 3 items and you are 99% safe from DDoS.
>
> And I can still take you down with
> 1. tcp fin
> 2. tcp psh
> 3. tcp rst
> 4. tcp ack
> 5. tcp urg
> 6. tcp frags
> 7. udp
> 8. ip frags
>
> I don't know, but somehow I doubt you'll find an upstream to do ~10 rate-limits per your hot stuff and another ~10 for router interfaces. If you do manage to get this setup from upstream you'll be somewhat "99% safe from DDoS".

I would be happy with even 90%. Life is never 100% - just a continuing stream of compromises.

-Hank

> Kids can and most likely will find a hole to take you down; it just takes time.
>
> -Basil
participants (3)
- Basil Kruglov
- Christopher L. Morrow
- Hank Nussbacher