nanog mailing list archives
Re: Proactive steps to prevent DDOS?
From: Dave Curado <davec () weezel net>
Date: Sun, 28 Jan 2001 12:26:12 -0500
Help me, what proactive steps can I take to protect my network from a DDOS?
There isn't a lot that can be done, but there are a few steps you can
take to "get ready" for a DDOS attack.
--Make sure you have monitoring of your routers or firewalls in place
so you'll get an early alert of a possible DOS attack. This will at
least allow you to start working on the problem (and drafting
press releases :-).
I would add careful use of some rate-limiting functionality (already mentioned in Richard Steenbergen's http://www.e-gerbil.net/ras/dos.txt), so you can rate-limit things like icmp and acks numbered 0 and anything else that show themselves to be obvious candidates over time.
As well, for us, part of "being ready" is knowing how to:
- deploy rate-limiters (so you're not trying to learn it during an attack)
- having ways to identify the target(s) of the attack -- predefined ACLs that are not applied but can be, to help determine the target(s), rmon probes, working knowledge of tcpdump or network sniffers, etc.
i.e. deploy ACLs on egress routers that can be enabled when an attack begins. A set of carefully defined filters can help determine information about the attack -- perhaps the src or dst or ports, or the fact that it's all random. Then ACLs to block or rate-limit can be built and applied, and/or if you're asking your upstream to take actions to help you, you can help them help you if you have information about the nature of the attack.
Granted it's a blunt instrument, but it has worked for me in the past when an attack has rendered better tools useless.
--Talk to all of your upstream providers so you know how to contact and
work with them if they are a source of a DOS attack against you. If your
upstream provider isn't willing to work with you on this, start the
process of getting a new upstream provider.
--Look into the systems that are being developed and starting to become
available that help automate the work to diagnose DDOS attacks.
Encourage your upstreams to do the same.
--Make sure you have in place the filtering on your own networks that you
wish everyone else had in place on their networks. This won't protect
you from being attacked, but it will prevent you and your users from
attacking others (or at least using spoofed IP addresses to do so), and
that in turn may prevent you from being the target of a retaliatory DOS
attack. It can also prevent or limit the spread of a DOS attack that
originates within your network or from someone downstream. From your
customer's point of view there may not be much difference between
you being the source of or the target of a DOS attack--either way
performance is likely to be poor and customers are likely to be unhappy.
-Jeff Ogden
Merit
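One way to do the "identify the target(s)" step from a packet capture, as an added example that is not part of the original messages: it summarizes `tcpdump -n` text output into the most-hit destination, its top port and packet type, and whether the sources look random. The regular expression, the thresholds and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# tcpdump -n line (IPv4): "... IP src[.sport] > dst[.dport]: <rest>"
LINE = re.compile(r"IP (\d+(?:\.\d+){3})(?:\.(\d+))? > (\d+(?:\.\d+){3})(?:\.(\d+))?: (.*)")

def kind(rest):
    """Coarse packet class: icmp, udp, or tcp with its flag set."""
    for proto in ("ICMP", "UDP"):
        if rest.startswith(proto):
            return proto.lower()
    m = re.match(r"Flags \[([^\]]*)\]", rest)
    return "tcp[%s]" % m.group(1) if m else "other"

def summarize(lines, random_ratio=0.8):
    """Find the most-hit destination and describe the traffic aimed at it."""
    per_dst = defaultdict(lambda: {"src": Counter(), "dport": Counter(), "kind": Counter()})
    total = 0
    for line in lines:
        m = LINE.search(line)
        if not m:
            continue  # not an IPv4 packet line
        src, _sport, dst, dport, rest = m.groups()
        total += 1
        stats = per_dst[dst]
        stats["src"][src] += 1
        stats["dport"][dport or "-"] += 1
        stats["kind"][kind(rest)] += 1
    if not total:
        return None
    target, stats = max(per_dst.items(), key=lambda kv: sum(kv[1]["src"].values()))
    hits = sum(stats["src"].values())
    spread = len(stats["src"]) / hits  # near 1.0: almost every packet has a new source
    return {
        "target": target,
        "share": round(hits / total, 2),  # fraction of all parsed packets
        "top_dport": stats["dport"].most_common(1)[0][0],
        "top_kind": stats["kind"].most_common(1)[0][0],
        "distinct_sources": len(stats["src"]),
        # assumed cut-offs: under 20 packets the spread says nothing
        "sources_look_random": hits >= 20 and spread >= random_ratio,
    }

# Constructed sample: 40 SYNs from 40 sources to one host, plus normal traffic.
SAMPLE = ["IP 198.51.100.%d.%d > 192.0.2.10.80: Flags [S], seq 1, win 512, length 0"
          % (i, 1024 + i) for i in range(1, 41)]
SAMPLE += ["IP 203.0.113.5.51514 > 192.0.2.20.443: Flags [P.], seq 1:90, ack 1, win 501, length 89"] * 8
SAMPLE += ["IP 203.0.113.9 > 192.0.2.20: ICMP echo request, id 7, seq 1, length 64"] * 2

if __name__ == "__main__": print(summarize(SAMPLE))
```

The summary gives the destination, port and packet type to put in a block or rate-limit filter, and the same facts are what an upstream will ask for.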
