nanog mailing list archives

Re: Effective ways to deal with DDoS attacks?


From: "Christopher L. Morrow" <chris () UU NET>
Date: Thu, 2 May 2002 04:33:13 +0000 (GMT)




On Wed, 1 May 2002 measl () mfn org wrote:


> True DDoS attacks, fortunately, are rarer than most people believe.  If they
> were not, the Internet as we know it would look a lot more like a telephone
> system in USSR-at-its-worst-days.  For example, of the two recent DDoS's I
> have been on the receiving end of, the first was generating a little over
> 300mbit/sec (steady for a prolonged time), and the second went over that by a
> fair bit.  In both cases, we had core equipment (M20's and BSN5000's) fall
> over and die trying to "work" the events.  Additionally, our upstream peers

Your M20 tipped over?? What were you doing? We regularly stop large
(+100Mb->800Mb) attacks with less horsepower than this. Truthfully, a
Cisco is even capable of filtering (done right) at +200kpps...

> also had core equipment fall over, and we all came to the [now obvious]
> conclusion that the only way to stop these attacks was to completely null
> route ourselves at our upstreams (they tried filter-fishing for specific data
> which may have helped our investigation, but when their routers started
> wheezing, we gave them the OK to just send us straight into the bit bucket
> till it was over...)


Hmm, this highlights the need to learn how to use the equipment, learn its
boundaries and learn defenses inside these boundaries...

-Chris

