nanog mailing list archives

Re: Effective ways to deal with DDoS attacks?


From: Hank Nussbacher <hank () att net il>
Date: Thu, 02 May 2002 20:07:31 +0200


At 12:23 PM 02-05-02 -0400, Richard A Steenbergen wrote:

> That's what the IP2 does, match bytes in the headers and come back with a
> thumbs down or a thumbs up and a destination interface. It's really not
> that much harder to match the bytes for a dest port against a compiled
> ruleset and decide yes or no than it is to match the dest address against
> a forwarding table and decide which nexthop.

Looking into the IP header is not enough. In order to filter DDOS packets one has to look into the payload as well. I don't think routers are suitable for that level of filtering (think advanced NBAR).

Hank
Consultant
Riverhead Networks (formerly Wanwall Networks)
www.riverhead.com


> They CAN filter on anything in the headers, it's just a matter of
> convincing them that the specific filter you want is something they should
> add to their software language and microcode. I'm sure as a core router
> vendor they must hear every feature request imaginable and not know which
> ones to follow up on. If anyone from Juniper is listening, I can tell you
> 4 things to add which will stop all existing packet kiddie tools in their
> tracks. But then again, I'd rather just have a language for bitmatching at
> any offset. :)
>
> --
> Richard A Steenbergen <ras () e-gerbil net>       http://www.e-gerbil.net/ras
> PGP Key ID: 0x138EA177  (67 29 D7 BC E8 18 3E DA  B2 46 B3 D8 14 36 FE B6)
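The two positions in this exchange (matching bytes at an offset against a compiled ruleset, and needing to reach past the headers into the payload) can be shown side by side in a small filter. This is an added illustration, not code from either poster or from any router vendor: the packet builder, the rule format, and the 4-byte payload marker are all constructed for the example, and offsets are taken relative to the IP header, the transport header, or the payload so that IP options do not shift the match.

```python
import struct

def build_ipv4_udp(src, dst, sport, dport, payload, options=b""):
    """Build a minimal IPv4/UDP datagram (checksums left zero; not checked here)."""
    ihl = 5 + len(options) // 4
    ip = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, ihl * 4 + 8 + len(payload),
                     0, 0, 64, 17, 0, bytes(map(int, src.split("."))),
                     bytes(map(int, dst.split("."))))
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
    return ip + options + udp + payload

def _base_offset(pkt, base):
    """Resolve a rule base ("ip", "l4", "payload") to an absolute byte offset."""
    ihl = (pkt[0] & 0x0F) * 4                 # IP header length from the IHL nibble
    if base == "ip":
        return 0
    if base == "l4":
        return ihl
    if base == "payload" and pkt[9] == 17:    # UDP: fixed 8-byte header
        return ihl + 8
    if base == "payload" and pkt[9] == 6:     # TCP: length from the data-offset nibble
        return ihl + (pkt[ihl + 12] >> 4) * 4
    raise ValueError("unsupported base/protocol")

def match_rule(pkt, rule):
    """True if every (base, offset, mask, value) term matches the packet bytes."""
    for base, off, mask, value in rule:
        start = _base_offset(pkt, base) + off
        chunk = pkt[start:start + len(value)]
        if len(chunk) < len(value):           # packet too short for this term
            return False
        if bytes(b & m for b, m in zip(chunk, mask)) != value:
            return False
    return True

def classify(pkt, ruleset):
    """Name of the first matching rule (thumbs down) or None (thumbs up)."""
    for name, rule in ruleset:
        if match_rule(pkt, rule):
            return name
    return None

# Constructed ruleset (not from the post): dest port alone is a header match; the
# marker term reads 4 bytes at the start of the payload, wherever the headers end.
DPORT_53 = ("l4", 2, b"\xff\xff", struct.pack("!H", 53))
RULESET = [("udp-53-marker", [DPORT_53, ("payload", 0, b"\xff" * 4, b"ZZZZ")]),
           ("udp-53-any", [DPORT_53])]
```

The header-only rule cannot tell the flood from ordinary traffic to the same port, which is Hank's point; the payload term can, which is what a bit-match at an arbitrary offset buys you.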

