Does anyone have a list of which ISPs are willing to filter ICMP packets for you when your network is being (D)DoS'd, and which prefer to simply blackhole / disconnect you, and which will do absolutely nothing?? I'm finding it hard to gather this information and it occurred to me that this is an obvious factor when choosing an ISP!

Thanks,
Filtering ICMP packets in DDoS attacks just makes the attacker attack harder. It's not a useful strategy except when protecting very slow links (T1 to 10Mbps) against very light attacks (32Mbps or less). The last few DDoS attacks I've tried to filter have resulted in attacks so significant there was nothing you could do at all. You will prompt a series of escalations this way.

One new trick if the attacker can spoof is to take out a server on port 123 for IP 1.2.3.4 by swamping you with spoofed TCP SYN packets to that IP and port. The source IPs tend to be chosen from areas rich in major government and military sites. Filter them and the server is offline. Reply to them, and you are flooding thousands of innocent victims (with powerful response tactics) with unsolicited SYN ACK replies.

If the attacker can't spoof, the sources are usually tracked and shut down. Filtering just makes it so that you can't do the tracking and shutting down. So what's the good? Perhaps other people's experiences differ from mine.

DS
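The point above about spoofed versus non-spoofed SYN sources can be checked from a packet trace: if a handful of sources carry the flood, per-source blocking or abuse reports work; if every packet comes from a fresh address, blocking the "sources" blocks whoever was spoofed, and answering them is backscatter to that many third parties. The following is an added example, not code from the thread or from any of its participants. It builds two constructed SYN traces toward the 1.2.3.4:123 target mentioned in the post (constructed 10.x.x.x addresses stand in for real ones) and reports source concentration and the backscatter footprint. The threshold `min_share` and the `top_n` cut-off are assumptions chosen for illustration.

```python
"""Source-concentration analysis of a SYN trace (added example, not from the thread)."""
from collections import Counter
from dataclasses import dataclass
import random


@dataclass(frozen=True)
class Pkt:
    src: str
    dst: str
    dport: int
    syn: bool


def _rand_addr(rng: random.Random) -> str:
    # Constructed address in 10/8; purely a placeholder for the example.
    return f"10.{rng.randrange(256)}.{rng.randrange(256)}.{rng.randrange(1, 255)}"


def make_trace(spoofed: bool, n: int = 5000, seed: int = 1) -> list[Pkt]:
    """Constructed sample trace of SYNs to 1.2.3.4:123 (the post's example target).

    spoofed=True draws a fresh random source for every packet (an attacker who can
    forge source addresses); spoofed=False reuses a small fixed set of bot addresses.
    """
    rng = random.Random(seed)
    bots = [_rand_addr(rng) for _ in range(8)]
    pkts = []
    for _ in range(n):
        src = _rand_addr(rng) if spoofed else rng.choice(bots)
        pkts.append(Pkt(src, "1.2.3.4", 123, True))
    return pkts


def source_profile(pkts: list[Pkt], top_n: int = 10) -> tuple[int, float]:
    """Return (number of distinct sources, share of SYNs carried by the top_n sources)."""
    counts = Counter(p.src for p in pkts if p.syn and p.dport == 123)
    total = sum(counts.values())
    top = sum(c for _, c in counts.most_common(top_n))
    return len(counts), (top / total if total else 0.0)


def per_source_blocking_useful(pkts: list[Pkt], top_n: int = 10, min_share: float = 0.9) -> bool:
    """Blocking the top_n sources only helps when they carry most of the flood.

    With spoofed sources the share is tiny, so a source-based filter would only
    block the addresses the attacker chose to impersonate.
    """
    _, share = source_profile(pkts, top_n)
    return share >= min_share


def backscatter_targets(pkts: list[Pkt]) -> set[str]:
    """Addresses that would receive an unsolicited SYN-ACK if the server answered every SYN."""
    return {p.src for p in pkts if p.syn}


if __name__ == "__main__":
    for label, spoofed in (("non-spoofed bots", False), ("spoofed", True)):
        trace = make_trace(spoofed)
        uniq, share = source_profile(trace)
        print(f"{label}: {uniq} sources, top-10 share {share:.3f}, "
              f"blocking useful: {per_source_blocking_useful(trace)}, "
              f"backscatter victims if we reply: {len(backscatter_targets(trace))}")
```

Run against the non-spoofed trace, eight sources carry everything and a per-source block is decisive; against the spoofed trace, thousands of distinct sources each send a packet or two, so neither blocking nor tracking by source address gets anywhere, and replying would spray SYN-ACKs at the same thousands of addresses.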
On Thu, 28 Jun 2001, ASV wrote:
> Does anyone have a list of which ISPs are willing to filter ICMP packets for you when your network is being (D)DoS'd, and which prefer to simply blackhole / disconnect you, and which will do absolutely nothing??
> I'm finding it hard to gather this information and it occurred to me that this is an obvious factor when choosing an ISP!
There are two kinds of icmp. The kind you absolutely need and the kind you don't. If you are running a service that is likely to get attention (dunno, an irc server or not universally liked content), you will want to filter the kind you don't absolutely need by default. Not that this helps you in any way, DoS attacks rarely use icmp these days. Lots of 'valid' packets is the keyword today.

If you are being hammered by tcp packets on port 80 of your webserver, there is very little you can do but filter _real_ traffic. If it's a DDoS, being able to distinguish real traffic from the DoS attack is going to be a pain. You will not find many providers who want to dig this deep at this point in time. Best service you can get to keep the rest of your network from falling down because of that one host is then to get it blackholed upstream.

In the current atmosphere, the only real protection you can buy against Denial-of-Service attacks is by distributing your service. If you are distributed and they are distributed, the odds are better; you can sacrifice a host under attack without losing service.

Hope that helps,
Pi
On Thu, 28 Jun 2001, ASV wrote:
> Does anyone have a list of which ISPs are willing to filter ICMP packets for you when your network is being (D)DoS'd, and which prefer to simply blackhole / disconnect you, and which will do absolutely nothing??
IMHO the best protection you can get from ICMP flooding is a permanent rate-limit on your upstream router to something between 1-5 % of the line capacity - You won't feel it unless you have a DoS attack and then it kicks in automagically.

NOTE: depending on your "normal" traffic you want to rate limit UDP to something between say 20-50 % of line capacity

- Rafi

> I'm finding it hard to gather this information and it occurred to me that this is an obvious factor when choosing an ISP!
> Thanks,
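The permanent rate limit suggested above behaves the way it does because a token bucket sized at a few percent of the line is never drained by normal ping traffic, so nothing changes until a flood arrives. The following is an added example, not code from the thread or from any router vendor: a token-bucket limiter in Python applied only to ICMP, run over two constructed traces, one of ordinary traffic and one with an ICMP flood on top of it. The 10 Mbps line, the 2 % ICMP budget (inside the 1-5 % range named in the post), the 100 ms burst depth and the packet sizes are all assumptions chosen for the illustration.

```python
"""Token-bucket rate limit for ICMP at a percentage of line capacity (added example)."""
from dataclasses import dataclass


@dataclass
class TokenBucket:
    rate_bps: float        # sustained bytes per second the bucket refills at
    burst_bytes: float     # bucket depth: how much can pass in a burst
    tokens: float = 0.0
    last_t: float = 0.0

    def __post_init__(self) -> None:
        self.tokens = self.burst_bytes   # start full, like a router's CAR bucket

    def allow(self, t: float, nbytes: int) -> bool:
        """Refill for elapsed time (capped at the depth), then try to spend nbytes."""
        self.tokens = min(self.burst_bytes, self.tokens + (t - self.last_t) * self.rate_bps)
        self.last_t = t
        if self.tokens >= nbytes:
            self.tokens -= nbytes
            return True
        return False


LINE_BYTES_PER_S = 10_000_000 / 8    # assumed 10 Mbps line, expressed in bytes/s


def icmp_limiter(line_bytes_per_s: float, percent: float = 2.0, burst_ms: float = 100) -> TokenBucket:
    """Limiter for ICMP at `percent` of the line, with a `burst_ms`-deep bucket (assumed values)."""
    rate = line_bytes_per_s * percent / 100
    return TokenBucket(rate_bps=rate, burst_bytes=rate * burst_ms / 1000)


def run_trace(pkts: list[tuple[float, str, int]], limiter: TokenBucket) -> dict[str, dict[str, int]]:
    """pkts: (time_s, proto, nbytes) sorted by time. Only ICMP is subject to the bucket.

    Returns passed/dropped byte counts for ICMP and for everything else.
    """
    stats = {"icmp": {"passed": 0, "dropped": 0}, "other": {"passed": 0, "dropped": 0}}
    for t, proto, n in pkts:
        key = "icmp" if proto == "icmp" else "other"
        if key == "icmp" and not limiter.allow(t, n):
            stats[key]["dropped"] += n
        else:
            stats[key]["passed"] += n
    return stats


def normal_trace(seconds: int = 10) -> list[tuple[float, str, int]]:
    """Constructed: 100 TCP packets/s of 1000 B (0.8 Mbps) plus one 64 B ping per second."""
    pkts = []
    for i in range(seconds * 100):
        t = i / 100
        pkts.append((t, "tcp", 1000))
        if i % 100 == 0:
            pkts.append((t, "icmp", 64))
    return sorted(pkts)


def flood_trace(seconds: int = 10) -> list[tuple[float, str, int]]:
    """Constructed: the normal trace plus an ICMP flood of 800 x 1500 B per second (~9.6 Mbps)."""
    pkts = normal_trace(seconds)
    for i in range(seconds * 800):
        pkts.append((i / 800, "icmp", 1500))
    return sorted(pkts)


if __name__ == "__main__":
    for name, trace in (("normal", normal_trace()), ("flood", flood_trace())):
        print(name, run_trace(trace, icmp_limiter(LINE_BYTES_PER_S)))
```

In the normal trace every ping passes and nothing is dropped, so the limit is invisible day to day. In the flood trace the TCP traffic is untouched while ICMP is held to roughly 2 % of the line (25 kB/s plus the initial burst) and the rest is discarded at the edge instead of saturating the link. The same construction with a 20-50 % budget is what the post's UDP note describes.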
participants (4)
- ASV
- David Schwartz
- Pim van Riezen
- Rafi Sadowsky