Ok, Yahoo, Ebay, Amazon and Microsoft have all made essentially the same statement after being hit by a DDOS: "taken steps to improve protection of their networks from this type of attack." My question is What are these steps, and why can't people take them before they experience a DDOS? Is there some magic command I can put into my router to help protect my network from a DDOS, or is this just PR fluff to make it look like the corporation is doing something. But in reality there is nothing you can do, but wait for the attacker to get bored and stop on their own.
Ok, Yahoo, Ebay, Amazon and Microsoft have all made essentially the same statement after being hit by a DDOS: "taken steps to improve protection of their networks from this type of attack."
My question is What are these steps, and why can't people take them before they experience a DDOS?
Is there some magic command I can put into my router to help protect my network from a DDOS, or is this just PR fluff to make it look like the corporation is doing something.
How about neither?
But in reality there is nothing you can do, but wait for the attacker to get bored and stop on their own.
This is the "state a fact that might be wrong to poll for dissent," approach?
Some people have, or are working on, automated tools that try to detect-and-then-filter-at-the-border DDOS attacks when they happen. This is something to do that is not useless PR fluff that is not a magic command.
--jhawk
On Fri, Jan 26, 2001 at 03:35:50PM -0800, Sean Donelan wrote:
Is there some magic command I can put into my router to help protect my network from a DDOS [...]
Closest command I've found is "no ip routing" in IOS, or "delete family inet [...]" in JunOS.
That aside, there's something very basic that few people seem to realize -- if you have no route to a destination, you can't initiate a DDoS attack against it. What's to prevent high-visibility shell/IRC/web/etc servers (read: DDoS targets) from announcing their netblocks to their upstreams, and then withdrawing these announcements -- either manually, or automagically, using scripts monitoring rate limiting and pkt/sec thresholds, amongst other things -- when under attack. Sure, that would result in temporary loss of connectivity to said host, but sometimes, that's the quickest way to stop a large attack.
This doesn't need to be a costly endeavor. Zebra is perfectly stable when receiving no routes, and announcing a couple of networks at the most. You'll find that lots of folks who have legacy class C (or B even!) and AS number assignments they're not currently using, dating back to before the ARIN charged for such things, are more than willing to transfer/lend them to you when you ask politely. Don't believe me? Try it sometime.
-adam
On Fri, 26 Jan 2001, Adam Rothschild wrote:
What's to prevent high-visibility shell/IRC/web/etc servers (read: DDoS targets) from announcing their netblocks to their upstreams, and
Read: DDoS targets which bring no cash revenue, essentially loss-leaders. That doesn't quite work when ebay.com is being DDoSed (uh, guys, we fixed the problem, you can now browse, but, sorry, we withdrew the route to our production server to accomplish that).
This doesn't need to be a costly endeavor. Zebra is perfectly stable when receiving no routes, and announcing a couple of networks at the most. You'll find that lots of folks who have legacy class C (or B even!) and AS number assignments they're not currently using, dating back to before the ARIN charged for such things, are more than willing to transfer/lend them to you when you ask politely. Don't believe me? Try it sometime.
Tried that, didn't have much luck. Possibly, eventually, when we'll have clearinghouse for IPs, and most likely old swamp IPs would have far higher valuations than just regular PI netblocks...
-alex
On Sat, Jan 27, 2001 at 12:16:33AM -0500, Richard A. Steenbergen wrote:
This is useful, and would make for an interesting NANOG presentation.
On Sat, Jan 27, 2001 at 12:42:20AM -0500, Alex Pilosov wrote:
Read: DDoS targets which bring no cash revenue, essentially loss-leaders.
You'd be surprised how much publicity (and in turn, legitimate business) hosting an IRC server has brought various providers. But that's beyond the scope of this discussion.
That doesn't quite work when ebay.com is being DDoSed [...]
Nope, nor is it really intended to. What it will do is, help protect smaller hosts/networks targeted by less determined DDoS kiddies -- the type who'll realize "d'oh, I can't reach this anymore!" and move on to their next target. And if nothing else, it will protect smaller people w/ 95% burstable pipes, whose upstreams aren't willing to lend a hand when they're under attack, from having their monthly bandwidth bills skyrocket.
-adam
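Added example, not part of the thread and not any poster's code: a sketch of the decision logic behind the "withdraw the announcement when pkt/sec crosses a threshold" idea discussed above. The thresholds, the sample rates, the 192.0.2.0/24 documentation prefix and the "announce"/"withdraw" action strings are all constructed placeholders, not commands for Zebra or any other routing daemon.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Policy:
    withdraw_pps: int = 50_000  # constructed threshold; tune to the link
    trip_samples: int = 3       # consecutive samples over threshold before withdrawing
    hold_down: int = 4          # samples to stay withdrawn after the first trip
    max_hold_down: int = 32     # cap on the doubling back-off

def plan_route_actions(offered_pps, prefix, policy=Policy()):
    """Return (sample_index, action) pairs for one prefix.

    offered_pps is the rate sent toward the prefix in each interval. While the
    route is withdrawn none of it arrives, so the monitor is blind and the
    re-announcement has to be driven by a timer rather than by the rate.
    """
    events, announced = [], True
    over = quiet = remaining = 0
    hold = policy.hold_down
    for i, pps in enumerate(offered_pps):
        if not announced:
            remaining -= 1
            if remaining == 0:
                announced, over, quiet = True, 0, 0
                events.append((i, f"announce {prefix}"))  # placeholder action
            continue
        if pps > policy.withdraw_pps:
            over, quiet = over + 1, 0
        else:
            over, quiet = 0, quiet + 1
            if quiet >= policy.max_hold_down:
                hold = policy.hold_down  # long calm period: reset the back-off
        if over >= policy.trip_samples:
            announced, remaining = False, hold
            hold = min(hold * 2, policy.max_hold_down)  # next withdrawal lasts longer
            events.append((i, f"withdraw {prefix}"))  # placeholder action
    return events

# Constructed samples: a two-interval burst, a sustained flood, then calm.
SAMPLE = [1_000, 80_000, 90_000, 1_000] + [95_000] * 10 + [2_000] * 10

if __name__ == "__main__":
    for index, action in plan_route_actions(SAMPLE, "192.0.2.0/24"):
        print(index, action)
```

The short burst is ignored, the first withdrawal lasts four samples, and because the flood is still running at re-announcement the second withdrawal lasts eight.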
participants (4): Adam Rothschild, Alex Pilosov, John Hawkinson, Sean Donelan