nanog mailing list archives

Re: Effective ways to deal with DDoS attacks?


From: Avleen Vig <lists-nanog () silverwraith com>
Date: Thu, 2 May 2002 08:45:00 +0100 (BST)


On Thu, 2 May 2002, Christopher L. Morrow wrote:

> On Thu, 2 May 2002, Avleen Vig wrote:
>> If you're being attacked by a SYN flood, you can try to rate-limit the
>> flood at your border (possible on Cisco IOS 12.0 and higher, and probably
>> other routers too?)
>
> Let me say this one more time... "RATE LIMITS DON'T DO SHIT TO STOP
> ATTACKS" for the victim at least, all they do is make the job of the
> attacker that much easier.  For instance:
> 1) I synflood www.avleen.org
> 2) you rate-limit syns to 1MB
> 3) I now only flood 1MB and I still win
> So, don't rely on a rate-limit as it's not going to help.

Actually it's avleen.com :)
But joking aside you make a valid point. I should have clarified my
statement by saying that I was thinking of the whole network getting
attacked rather than the single host.
Yes, one host may be the target, but when your bandwidth is saturated,
your entire network is effectively offline.
I have seen some 'clever' handling of DoS / DDoS from the attackers' front
where they don't often like to waste bandwidth during an attack. If a 1Mb
flood will take you offline, they won't bother using 100Mb. Maybe 2Mb but
not 100Mb :)
This can be a Good Thing(tm) if you're willing to temporarily let one host
suffer so that the rest of your network can stay alive.

>> The only thing you can try and do is work with your upstream provider and
>> try to trace the source of the attacks back, but that's incredibly
>> difficult.
>
> This depends :) Call us, if you are our customer, and I guarantee that
> someone will be there to resolve your issue, most times in 5 minutes or
> less. Perhaps other ISPs should start having some folks on staff and
> available for these tasks????? (hint, Hint, HINT!!!)

I wish other ISPs would start doing this.
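
The trade-off argued in this exchange, as an added example that is not part of the original posts: a simulated token-bucket policer on inbound SYNs caps what reaches the network behind it, but drops legitimate SYNs in the same proportion as flood SYNs. The function name `police_syns`, the packet rates (packets per second rather than the bandwidth figures quoted in the thread), the burst size and the Poisson arrival model are all assumptions; no packets are sent.

```python
import random

def police_syns(attack_pps, legit_pps, limit_pps, burst=50, seconds=20, seed=1):
    """Simulate a token-bucket policer on inbound SYNs (pure simulation).

    Returns (fraction of legitimate SYNs forwarded, total forwarded SYNs/sec).
    """
    rng = random.Random(seed)  # fixed seed so the run is repeatable
    # Constructed traffic: Poisson arrivals for each source class.
    events = []
    for label, pps in (("attack", attack_pps), ("legit", legit_pps)):
        t = 0.0
        while pps > 0:
            t += rng.expovariate(pps)
            if t >= seconds:
                break
            events.append((t, label))
    events.sort()

    tokens, last = float(burst), 0.0
    seen = {"attack": 0, "legit": 0}
    passed = {"attack": 0, "legit": 0}
    for t, label in events:
        tokens = min(burst, tokens + (t - last) * limit_pps)  # refill bucket
        last = t
        seen[label] += 1
        if tokens >= 1.0:  # conforming packet: forward it
            tokens -= 1.0
            passed[label] += 1
        # Otherwise drop. The policer cannot tell a flood SYN from a real
        # client's SYN, so both classes are dropped alike.
    legit_frac = passed["legit"] / seen["legit"] if seen["legit"] else 1.0
    return legit_frac, sum(passed.values()) / seconds

if __name__ == "__main__":
    for attack in (0, 1_900, 9_900):
        frac, out = police_syns(attack, legit_pps=100, limit_pps=1_000)
        print(f"attack={attack:>5} pps  forwarded={out:7.1f} pps  "
              f"legit SYNs forwarded={frac:6.1%}")
```

The forwarded rate stays at or below the configured limit however large the flood is, which is the benefit to the rest of the network; the share of legitimate SYNs that get through falls to roughly the limit divided by the offered rate, which is why the targeted host stays unreachable.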

