nanog mailing list archives
RE: DDoS attacks
From: Brad <brad () americanisp net>
Date: Thu, 12 Jul 2001 11:54:40 -0600 (MDT)
On Thu, 12 Jul 2001, David Harmelin wrote:
At 08:45 AM 7/12/01 -0700, Roeland Meyer wrote:

This is the main point, a script-kiddie hunt, with prosecution, is the ONLY real deterrent. Throw some of them in hotel greybar and remove them from computing, for life, and we may see some of this turn around.

If a lady wears skimpy clothing, does she deserve to get raped? Obviously, not. If a computer has skimpy protection, does it deserve to be turned into a zombie? Simply because you forget to lock your car one night (whilst in your driveway), do you deserve to have it stolen? If you leave a $100 on your kitchen table, in your unlocked house, whilst you are working in your garage, do I have the right to sneak in the back door and take it while avoiding prosecution, on the grounds that you were careless? WRT EFFnet, does a prostitute deserve to be raped?

By the way, for those who care, there are relatively easy ways to fight DoS attacks:

* use netflow and a bunch of scripts to detect them automatically
* use BGP to block them on all your border routers instantly, based on destination
* use BGP and Unicast RPF to block them on all your border routers instantly, based on source, if you really need to

With a combination of all that, you can automatically block any major attack at your border.
Sorry- but after doing all of that, DDoS attacks still saturate even the largest circuits- thus denying the service.
Is it scalable? Yes.
Until the CPU overhead from netflow knocks out the router(s) from a mass-attack.
What about false alarms? We have implemented the detection bit. With a bit of tuning, we get 0.1% of false alarms and yet catch an average of 15 attacks per day, above 500 pkts/s (up to 10000s pkts/s). I wouldn't be surprised if Tier1 networks would catch many more attacks than that, with the same tool.

My point: block automatically 99% of the DoS attacks at the top 10 transit providers level, and we may see DoS attacks be a thing of the past. "Kiddies only do it because they can".

DH.

___________________________________________________________________
David Harmelin            Network Engineer
DANCERT Representative
Francis House
112 Hills Road            Tel +44 1223 302992
Cambridge CB2 1PQ         Fax +44 1223 303005
United Kingdom            WWW http://www.dante.net
D A N T E
____________________________________________________________________
---
Brad Baker
Director: Network Operations
American ISP
brad () americanisp net
+1 303 984 5700 x12
http://www.americanisp.net/

Fortune-- I will always love the false image I had of you.
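The netflow-and-BGP recipe from the quoted post, as an added example that is not part of the original thread: it assumes a simplified nfdump-like CSV flow format and a 60 s collector export window (both constructed here), applies the 500 pkt/s figure David quotes, and stops at producing the victim /32 that a destination-based blackhole would announce.

```python
# Added example (not code from the thread): the netflow-driven detection
# David Harmelin describes, aggregating flow records per destination and
# flagging rates above a threshold (500 pkt/s, the figure in the thread),
# then producing the victim /32 for a destination-based BGP blackhole.
# Flow format and sample data are constructed (nfdump-like CSV):
# start_epoch,duration_s,src,dst,proto,packets
from collections import defaultdict
import ipaddress

THRESHOLD_PPS = 500
# Constructed sample: 40 sources hammering 192.0.2.10, plus normal traffic
SAMPLE_FLOWS = "\n".join(
    [f"994953600,10.0,198.51.100.{i},192.0.2.10,udp,1000" for i in range(1, 41)]
    + ["994953600,2.0,203.0.113.5,192.0.2.20,tcp,120",
       "994953610,5.0,203.0.113.6,192.0.2.20,tcp,180"])

def parse_flows(text):
    """Parse the constructed CSV into dicts; blank and '#' lines are skipped."""
    flows = []
    for line in text.strip().splitlines():
        if line and not line.startswith("#"):
            start, dur, src, dst, proto, pkts = line.split(",")
            flows.append({"start": int(start), "dur": float(dur), "src": src,
                          "dst": dst, "proto": proto, "pkts": int(pkts)})
    return flows

def rate_per_destination(flows, window_s):
    """Packets/s per destination over the export window, plus distinct sources."""
    pkts, srcs = defaultdict(int), defaultdict(set)
    for f in flows:
        pkts[f["dst"]] += f["pkts"]
        srcs[f["dst"]].add(f["src"])
    return {d: (p / window_s, len(srcs[d])) for d, p in pkts.items()}

def detect(flows, window_s=60, threshold=THRESHOLD_PPS):
    """Destinations at or above threshold, busiest first; window_s is the
    collector export interval (assumed 60 s), the main false-alarm knob."""
    hits = [(d, round(r), n) for d, (r, n)
            in rate_per_destination(flows, window_s).items() if r >= threshold]
    return sorted(hits, key=lambda h: -h[1])

def blackhole_routes(hits):
    """Host routes for the destination-based block; announcing them over BGP
    is left to the router tooling and is outside this example."""
    return [f"{ipaddress.ip_address(d)}/32" for d, _, _ in hits]

if __name__ == "__main__":
    found = detect(parse_flows(SAMPLE_FLOWS))
    print(found, blackhole_routes(found))
```

Brad's objection still stands for this approach: detection happens at the collector, but the block is only as good as the border routers' and upstream circuits' ability to absorb the traffic before the blackhole takes effect.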