Re: Proactive steps to prevent DDOS?

["Richard A. Steenbergen" <ras () e-gerbil net>]

On Sun, Jan 28, 2001 at 11:45:03AM -0800, Jason Legate wrote:
> > I would add careful use of some rate-limiting
> > functionality,
> > (already mentioned in Richard Steenbergen's
> > http://www.e-gerbil.net/ras/dos.txt)
> > so you can rate-limit things like icmp and acks
> > numbered 0 and anything
> > else that show themselves to be obvious candidates
> > over time.
>
> In actuality, in a TCP SYN packet, an ack of 0 is very
> common.  If you view legitimate syn's generated by
> real stacks, you will see at dword offset 7:
> 0x00000000.
>
> Last time I checked, this was a 0 for all intents and
> purposes.  By rate-limiting acks of 0, you are
> rate-limiting most syn packets, which I don't think is
> the ultimate goal.

Jason don't be silly, obviously if the SYN bit is set its not an ACK
flood. This is just an example of predictable misbehavior which can
usually be identified in any kiddie attack (TH_ACK and ack field 0 in the
case of stream). But you should know this... :P

An attacker can always change their tactics and manage to throw out
packets which can slip past a filter ruleset. Rate-limits are only useful
for a) protecting the surrounding network not necessarily the target, b)  
when the traffic you are rate-limiting is desired but not absolutily
necessary under attack conditions (ex: icmp echo-replies are valued but
during a smurf you can live without them), or c) when you have carefully
engineered seperate rate-limit buckets so that an attacker targetting one
service may not disturb another. Other steps must be taken in conjunction,
and rate-limiting is only one small tool in the arsenal.

-- 
Richard A Steenbergen <ras () e-gerbil net>       http://www.e-gerbil.net/ras
PGP Key ID: 0x138EA177  (67 29 D7 BC E8 18 3E DA  B2 46 B3 D8 14 36 FE B6)