Re: Effective ways to deal with DDoS attacks?

["Christopher L. Morrow" <chris () UU NET>]

On Thu, 2 May 2002, Hank Nussbacher wrote:

> At 01:49 AM 02-05-02 +0100, Avleen Vig wrote:
>
> > As time goes by, tools are being developed (in fact they're used now) that
> > completely randomize the TCP or UDP ports attacked, or use a variety of
> > icmp types in the attack.
> > So cuurrently the only way you can 'block' such attacks is to block all
> > packets for the offending protocol as far upstream as you possibly can,
> > but this is not ideal.
> >
> > If you're being attacked by a SYN flood, you can ask try to rate-limit the
> > flood at your border (possible on Cisco IOS 12.0 and higher, and probably
> > other routers too?)
>
> ACLs have been a good tool for the past number of years to stop DOS attacks
> but they suffer one very bad feature - they throw away the good packets
> along with the bad packets.  The same goes for CAR.  The same goes for
> taking a /32 and null routing it.  Consider Amazon being hit with a DDOS
> attack from random spoofed IPs to their web site.  You can't block on
> source IP since it is random.  If you block on destination IP - you end up
> taking Amazon off the network (the ultimate aim of the attacker) at a daily
> revenue loss of over $1M.

So, just filter and track quickly... move the block as far back as you
can. Have the customer remain agile also. :)