RE: DDoS attacks

[Brad <brad () americanisp net>]

On Thu, 12 Jul 2001, David Harmelin wrote:

> At 08:45 AM 7/12/01 -0700, Roeland Meyer wrote:
>
> > This is the main point, a script-kiddie hunt, with prosecution, is the ONLY
> > real deterrent. Throw some of them in hotel greybar and remove them from
> > computing, for life, and we may see some of this turn around.
> >
> > If a lady wears skimpy clothing, does she deserve to get raped? Obviously,
> > not. If a computer has skimpy protection, does it deserve to be turned into
> > a zombie? Simply because you forget to lock your car one night (whilst in
> > your driveway), do you deserve to have it stolen? If you leave a $100 on
> > your kitchen table, in your unlocked house, whilst you are working in your
> > garage, do I have the right to sneak in the back door and take it while
> > avoiding prosecution, on the grounds that you were careless? WRT EFFnet,
> > does a prostitute deserve to be raped?
>
>
>
> By the way, for those who care, there are relatively easy ways to fight DoS attacks:
> * use netflow and a bunch of scripts to detect them automatically
> * use BGP to block them on all your border routers instantly, based on destination
> * use BGP and Unicast RPF to block them on all your border routers instantly, based on source, if you really need to
>
> With a combination of all that, you can automatically block any major attack at your border.

Sorry- but after doing all of that, DDoS attacks still
saturate even the largest circuits- thus denying the
service.

> Is it scalable? Yes.

Until the CPU overhead from netflow knocks out the
router(s) from a mass-attack.

> What about false alarms? We have implemented the detection bit.
> With a bit of tuning, we get 0.1% of false alarms and yet catch an average of 15 attacks per day, above 500 pkts/s 
> (up to 10000s pkts/s).
> I wouldnt be surprised if Tier1 networks would catch much more attacks than that, with the same tool.
>
>
> My point: block automatically 99% of the DoS attacks at the top 10 transit providers level, and we may see DoS 
> attacks be a thing of the past.
> "Kiddies only do it because they can".
>
> DH.
>
> ___________________________________________________________________
>              * *         David Harmelin       Network Engineer
>            *     *                            DANCERT Representative
>           *              Francis House
>          *               112 Hills Road       Tel +44 1223 302992
>          *               Cambridge CB2 1PQ    Fax +44 1223 303005
>       D  A  N  T  E      United Kingdom       WWW http://www.dante.net
> ____________________________________________________________________


---
Brad Baker
Director: Network Operations
American ISP
brad () americanisp net
+1 303 984 5700 x12
http://www.americanisp.net/

Fortune--
I will always love the false image I had of you.