Security Basics mailing list archives

Re: mitigating ddos attacks


From: Kevin Willock <kevin () cipher1 com>
Date: Fri, 12 Nov 2004 15:17:46 -0700

tito.basa wrote:

when one client or a network link is found to be misbehaving, I'd scan for abnormal traffic, logs in firewalls/routers, or my favorite, NetFlow (from Cisco).

there I can get the source/destination address of the attack.
once determined, I'd either
null route
filter with ACLs (after tracing back to my network edge)
rate-limit

in most cases, I'd contact my upstreams to block the source and traceback. Problem is not all my uplinks can respond to my call, so having the ability to re-route traffic to a single link (if available) through BGP and asking just one uplink to do trace/block it (some problem is when addresses are spoofed)

The problem with this solution is that with the current model for blocking DDoS attacks, you will often have to block a large block of IPs as, not only do they spoof the IP addresses, but they often are run from thousands+ of machines. This becomes a serious problem if your business model requires users from this block of IPs to access your website in order for you to make profits.


you need close coordination with your uplinks for this since filtering on your side won't help much as your links are now congested. rate-limiting and logging can gather you evidence and a long list of addresses to track down later.

Being in good contact with your service providers, and having a game plan in place in case such an attack occurs is a crucial point of business.

the only one I saw was Cisco Riverhead but is too pricey for us and even useless if our uplinks have no idea what to do. What I did was to over-spec and re-design my network after attacks.

The Cisco Riverhead unit is an effective solution, and compare the cost of the unit against the cost of your application being down for x amount of hours. These devices usually pay for themselves in the end. Dan is correct in stating that if the attack is larger than your pipe, or your provider's pipe, you will be unprotected. To add to this statement, the new style of DDoS attacks is very difficult to detect via these machines (I'm sure in new incarnations of them this support will be added). The attacks that we are seeing these days are seemingly legitimate GET requests, but they come in droves, rapidly and from millions of spoofed addresses. I suggest, when looking for a solution, you find one that will be upgradeable (via firmware on an appliance, or through a managed service).
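As an added illustration of the triage tito.basa describes (NetFlow-style records first, then ACL, rate-limit or null route) and of Kevin's point that per-source blocking breaks down against thousands of spoofed sources, here is a Python script that is not code from either poster: it aggregates constructed flow records per source and per destination and proposes a response for the operator to review. The addresses, thresholds and function names are assumptions for this example.

```python
from collections import defaultdict

# Constructed NetFlow-style records: (src_ip, dst_ip, dst_port, packets).
# Two attack shapes from the thread: one heavy source, and a flood of
# low-volume (probably spoofed) sources that no per-source filter keeps up with.
SAMPLE_FLOWS = [
    ("203.0.113.5", "198.51.100.10", 80, 120000),
    ("203.0.113.5", "198.51.100.10", 443, 80000),
    ("192.0.2.7", "198.51.100.10", 80, 40),
] + [(f"198.18.{i // 256}.{i % 256}", "198.51.100.20", 80, 12) for i in range(600)]


def aggregate(flows):
    """Sum packets per source, per destination, and the distinct sources per destination."""
    pkts_per_src = defaultdict(int)
    pkts_per_dst = defaultdict(int)
    srcs_per_dst = defaultdict(set)
    for src, dst, _port, packets in flows:
        pkts_per_src[src] += packets
        pkts_per_dst[dst] += packets
        srcs_per_dst[dst].add(src)
    return pkts_per_src, pkts_per_dst, srcs_per_dst


def plan_response(flows, src_pkt_limit=50000, dst_pkt_limit=5000, src_fanout=200):
    """Return (action, target, reason) tuples for the operator to act on.

    Thresholds are assumptions for this example; tune them to the link's baseline.
    """
    pkts_per_src, pkts_per_dst, srcs_per_dst = aggregate(flows)
    actions = []
    for src, pkts in sorted(pkts_per_src.items(), key=lambda kv: -kv[1]):
        if pkts > src_pkt_limit:
            # One abnormal source can be traced back to the edge and dropped with an ACL.
            actions.append(("acl-block", src, f"{pkts} packets from one source"))
    for dst, pkts in pkts_per_dst.items():
        fanout = len(srcs_per_dst[dst])
        if pkts > dst_pkt_limit and fanout >= src_fanout:
            # Many low-volume sources: per-source ACLs will not scale and the
            # addresses are likely spoofed, so rate-limit the destination and
            # hand the source list to the upstream for traceback.
            actions.append(("rate-limit", dst, f"{fanout} sources, {pkts} packets"))
    return actions


if __name__ == "__main__":
    for action, target, reason in plan_response(SAMPLE_FLOWS):
        print(f"{action:10} {target:16} {reason}")
```

The second case is the one the thread warns about: the destination, not the source list, is the only thing left to act on locally, and the upstream has to do the rest.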
