Security Basics mailing list archives

Re: mitigating ddos attacks


From: "tito.basa" <mochafrap () mix ph>
Date: Fri, 12 Nov 2004 15:44:02 +0800

Dan Duplito wrote:

> hi, guys. my apologies for the cross-post and if this topic was already posted before in this list...

> i've been googling around for anti-ddos solutions/appliances and would just like to get inputs from gurus here who
> already have an idea or have implemented real-world anti-ddos systems in their own network.

this is not a solution but an incident-response one :)

what i know for large ISPs is to use various tools to detect the attacked and also the attackers.
I used to work for a telco/isp and i've encountered DoS/DDoS so many times.

In my case a baseline of normal network/system performance is stored using MRTG
and network monitoring tools.

when one client or a network link is found to be misbehaving, i'd scan for
abnormal traffic, logs in firewalls/routers, or my favorite, netflow (from cisco).

there i can get the source/destination address of the attack.
once determined, i'd either:
- null route
- filter with ACLs (after tracing back to my network edge)
- rate-limit

in most cases, i'd contact my upstreams to block the source and traceback.
Problem is not all my uplinks can respond to my call, so having the ability to
re-route traffic to a single link (if available) through BGP and asking just
one uplink to trace/block it helps (one problem is when addresses
are spoofed).

you need close coordination with your uplinks for this since filtering on
your side won't help much as your links are now congested. rate-limiting and
logging can gather you evidence and a long list of addresses to track down later.

there is (used to be?) a clandestine mailing list of network operators which i used to be
part of, who act on stopping DDoS at the network level using the procedures
i described above. I'm no longer part of it though; they require
a vouching process for members to make sure no bad apples are there.

> i understand an anti-ddos appliance is not enough, but just the same, are these appliances worth it on their own (as
> opposed to load-balancing or scaling-out solutions)? what other technologies do i need to implement/know to mitigate
> such attacks?

the only one i saw was cisco riverhead but it's too pricey for us and even useless if our uplinks have no idea what to do. What i did was to over-spec and re-design my network
after attacks.

look at these for some ideas:

http://www.cymru.com/Documents/dos-and-vip.html
http://www.cymru.com/Documents/tracking-spoofed.html

is that okay?

:)

tito
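The triage tito describes above (baseline from MRTG, netflow to find the victim and the talkers, then null route / filter / rate-limit, with spoofed sources as the complication), as an added example that is not part of the original post. The flow records, the baseline and the plan keys (`null_route`, `filter_spoofed`, `trace_or_rate_limit`) are constructed for illustration; the RFC 1918 list is used as the spoofing check.

```python
# Added example (not from the post): find the DDoS victim, its top talkers and spoofed
# sources from NetFlow-style records compared against an MRTG-style baseline.
import ipaddress
from collections import defaultdict

# Constructed baseline: normal bytes per 5-minute interval, per destination host.
BASELINE_BYTES = {"203.0.113.10": 4_000_000, "203.0.113.20": 6_000_000}

# Constructed flow records (src, dst, proto, dst_port, bytes); documentation
# addresses, plus one RFC 1918 source that cannot be genuine on an Internet link.
FLOWS = [
    ("198.51.100.5", "203.0.113.20", 6, 80, 9_000_000),
    ("198.51.100.77", "203.0.113.20", 6, 80, 8_500_000),
    ("192.0.2.19", "203.0.113.20", 17, 53, 7_200_000),
    ("192.0.2.200", "203.0.113.20", 6, 80, 6_300_000),
    ("10.0.0.5", "203.0.113.20", 17, 53, 5_000_000),
    ("198.51.100.9", "203.0.113.10", 6, 443, 2_000_000),
]

# Sources that never legitimately arrive from the Internet: a spoofing signal,
# and safe to drop at the edge whatever else is going on.
UNROUTABLE = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def find_targets(flows, baseline, factor=4.0):
    """Return {dst: ratio} for destinations above factor x their baseline."""
    totals = defaultdict(int)
    for _src, dst, _proto, _port, nbytes in flows:
        totals[dst] += nbytes
    return {dst: total / baseline[dst] for dst, total in totals.items()
            if dst in baseline and total > factor * baseline[dst]}

def top_sources(flows, dst, n=5):
    """Top talkers towards dst by bytes: the list you hand to your upstreams."""
    per_src = defaultdict(int)
    for src, d, _proto, _port, nbytes in flows:
        if d == dst:
            per_src[src] += nbytes
    return sorted(per_src.items(), key=lambda kv: kv[1], reverse=True)[:n]

def looks_spoofed(src):
    return any(ipaddress.ip_address(src) in net for net in UNROUTABLE)

def mitigation_plan(flows, baseline):
    """Per victim: null-route candidate, sources to filter, sources to trace."""
    plan = {}
    for dst in find_targets(flows, baseline):
        srcs = [s for s, _ in top_sources(flows, dst)]
        plan[dst] = {"null_route": dst,
                     "filter_spoofed": [s for s in srcs if looks_spoofed(s)],
                     "trace_or_rate_limit": [s for s in srcs if not looks_spoofed(s)]}
    return plan
```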

