Firewall Wizards mailing list archives
RE: DDOS Countermeasures RFC
From: "Kalat, Andrew (ISS Atlanta)" <akalat () iss net>
Date: Mon, 29 Jan 2001 22:04:26 -0500
I hate to be cynical, but... In my <admittedly limited> thoughts on this, there appear to be only about two decently effective ways to fight a DDoS, or even a large DoS, in progress.

1) Have your ISP react quickly. Good luck.

2) Switch IP space on whatever is being attacked. Again, good luck. Depending on what's being attacked, this can be impossible. And this takes a good amount of advance planning and preparation and still causes down time as your DNS changes propagate. Assuming your DNS is still reachable. Not only that, you'll need to stop routing the original address space at the ISP. I.e., stop your BGP propagation if you own your own address space and have two ASNs. However, with a NAT device and quick DNS, this might be possible without too much pain. If they are hitting web sites, for instance...

Once your pipe is filled, nothing else works well...

I've read a few of the ideas kicked around and most of them seem way too reliant on cooperative ISPs or upgrades to the protocols. Just doesn't seem too likely to have anything realistic anytime soon, but I hope I'm wrong.

Andrew Kalat
IT Infrastructure Manager
ISS
Thoughts are my own, not my employer's, and most likely wrong. ;)
-----Original Message-----
From: kstephe6 () csc com [mailto:kstephe6 () csc com]
Sent: Monday, January 29, 2001 5:01 PM
To: Karl Wolfgang
Cc: firewall-wizards () nfr com
Subject: Re: [fw-wiz] DDOS Countermeasures RFC

Advanced countermeasures will come as the technology evolves. For now the basic game plan is to avoid the one-network-space problem that got MSN last week. Make sure the egress and ingress filtering is correctly configured. Design multiple ISP services for your sites so you are at least serving DNS and Web from multiple IP address spaces. Distribute your static DNS servers in different locations than your dynamic Web DNS (load balanced/high availability DNS servers/web switches). They do not all need to be on the same IP address space.

Also watch your intrusion systems and logs for pre-attack traffic. I have almost always found mini-attacks as the bad guys test their zombies before the massive attacks hit.

Ken Stephens, CISSP
Sr. Security Manager
Computer Sciences Corp

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://www.nfr.com/mailman/listinfo/firewall-wizards
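Ken's point about spotting "mini-attacks" in the logs before the real flood can be turned into a small log check. The following is an added example, written for this archive page and not code from either poster; it assumes a constructed firewall log format (timestamp, action, src -> dst:port) and flags any one-minute window in which the number of distinct sources hitting one destination jumps well above that destination's median.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median
EPOCH = datetime(1970, 1, 1)
# Constructed line format (assumption): "YYYY-MM-DD HH:MM:SS ACTION src -> dst:port"
LOG_RE = re.compile(r"^(\S+ \S+) \S+ (\S+) -> (\S+):\d+$")

def parse(lines):
    """Yield (timestamp, src, dst) for each line that matches LOG_RE; skip the rest."""
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            yield datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"), m.group(2), m.group(3)

def find_bursts(lines, window_s=60, min_sources=5, factor=4.0):
    """Return (dst, HH:MM, distinct_sources) for windows where the distinct-source
    count is both >= min_sources and >= factor x that destination's median window."""
    seen = defaultdict(set)                      # (dst, window_start) -> set of sources
    for ts, src, dst in parse(lines):
        bucket = int((ts - EPOCH).total_seconds()) // window_s * window_s
        seen[(dst, bucket)].add(src)
    per_dst = defaultdict(dict)
    for (dst, bucket), srcs in seen.items():
        per_dst[dst][bucket] = len(srcs)
    alerts = []
    for dst, windows in per_dst.items():
        baseline = median(windows.values())      # median, so one burst cannot inflate it
        for bucket in sorted(windows):
            n = windows[bucket]
            if n >= min_sources and n >= factor * baseline:
                when = (EPOCH + timedelta(seconds=bucket)).strftime("%H:%M")
                alerts.append((dst, when, n))
    return alerts

def constructed_log():
    """Constructed sample, not real traffic: quiet web traffic plus one 30-second test burst."""
    lines = []
    for minute in range(50, 60):                 # 16:50..16:59: one or two regular clients
        lines.append(f"2001-01-29 16:{minute:02d}:05 ACCEPT 10.1.1.5 -> 192.0.2.10:80")
        if minute % 2:
            lines.append(f"2001-01-29 16:{minute:02d}:40 ACCEPT 10.1.1.9 -> 192.0.2.10:80")
    for i in range(8):                           # 17:01: eight new sources within 30 seconds
        lines.append(f"2001-01-29 17:01:{10 + 4 * i:02d} ACCEPT 198.51.100.{i + 1} -> 192.0.2.10:80")
    lines.append("2001-01-29 17:02:05 ACCEPT 10.1.1.5 -> 192.0.2.10:80")
    return lines

SAMPLE_LOG = constructed_log()
```

On the constructed sample, find_bursts(SAMPLE_LOG) reports the 17:01 window for 192.0.2.10 with 8 distinct sources and nothing else; tune min_sources and factor to the site's normal client diversity before relying on it.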