nanog mailing list archives
Re: Advanced Countermeasures to prevent a Ddos
From: Hank Nussbacher <hank () att net il>
Date: Fri, 20 Jul 2001 08:27:25 +0200
At 00:22 20/07/01 -0500, Basil Kruglov wrote:
> On Fri, Jul 20, 2001 at 07:22:28AM +0200, Hank Nussbacher wrote:
> > It all hinges on your upstream ISPs. The things to ask for are:
> >
> > - SYN and ICMP rate limiting: If you buy a T3 from your upstream, you
> > should ask that they place on *their* peering routers and on the router
> > facing you, Cisco rate limits of about 512kb/sec of ICMP and about
> > 128kb/sec of SYNs. Pay extra if need be.
>
> 512Kbps for ICMP? I'd go for 128Kbps if not less.

YMMV. It all depends on how big a pipe you use. The numbers are examples and each site would have to determine what number works best for them.

> TCP/SYN - 128Kbps ? ;) 128Kbps is way too easy... do it per hot box/ip.
> It will take just one or two modems to take you down, as an example
> someone portscanning your network. Ask for hot [potential] targets only:
> ircd, shell systems, router interfaces. Do it per box, plus same rules
> for all of your router interfaces heading the big bad 'Net. Just make
> sure you have a proper deny ACL not to rate-limit BGP traffic during a
> live attack. Before placing something permanent you need to adjust and
> play with this.
>
> > - anti-spoofing: require your upstream ISPs to implement full anti-spoofing
> > for incoming packets. That includes RFC1918, unassigned IANA blocks and
> > (as a minimum) IP anti-spoofing on all single-homed customer links (Cisco
> > ip verify unicast reverse-path)
>
> Sounds good. Check 'ip verify unicast source reachable-via any' as well:
> http://www.cisco.com/public/cons/isp/documents/uRPF_Enhancement.pdf
> The new uRPF works if you're multihomed too.
>
> > - BGP community: Your upstream should allow you to announce a BGP community
> > for any sub-prefix in your IP block (meaning he has to not be strict in the
> > length of the prefix you announce to him since it can change dynamically)
> > that will mean ROUTENULL, which means they eat the packets for you.
>
> Sounds good.. too good to be true. Any Tier1 or "Tier1.5" does this? ;)
>
> > Find 2 upstreams who will agree to the above 3 items and you are 99% safe
> > from dDoS.
>
> And I can still take you down with
>
> 1. tcp fin
> 2. tcp psh
> 3. tcp rst
> 4. tcp ack
> 5. tcp urg
> 6. tcp frags
> 7. udp
> 8. ip frags
>
> I don't know but somewhy I doubt you'll find an upstream to do ~10
> rate-limits per your hot stuff and another ~10 for router interfaces.
> If you do manage to get this setup from upstream you'll be somewhat
> "99% safe from dDoS". Kids can and most likely will find a hole to take
> you down, just takes time.
>
> -Basil

I would be happy with even 90%. Life is never 100% - just a continuing stream of compromises.

-Hank
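As an added illustration (not configuration from either poster, and not from any particular ISP), here is what the three items Hank asks for, together with Basil's two caveats (per-host SYN limits, and a deny entry so BGP is never rate-limited), look like as Cisco IOS configuration of the CAR / uRPF / community era. Interface names, the RFC 5737 documentation addresses, ACL numbers, AS numbers 65000/65001 and the community value 65000:666 are placeholders chosen here; the 512 kb/s and 128 kb/s figures are Hank's example numbers, not recommendations. The SYN match uses the classic "deny established, permit the rest" ACL pattern, which catches non-established TCP (in practice, SYNs) and is as close as CAR gets to a per-flag match.

```cisco
! ===== Upstream router, interface facing the customer T3 =====
ip cef
!
! ICMP as a whole, limited to ~512 kb/s (Hank's example figure).
access-list 102 permit icmp any any
!
! SYNs toward one "hot" host only (Basil: do it per box, not per pipe).
! BGP is excluded first so a live attack cannot starve the session.
access-list 103 deny   tcp any any eq bgp
access-list 103 deny   tcp any eq bgp any
access-list 103 deny   tcp any host 198.51.100.10 established
access-list 103 permit tcp any host 198.51.100.10
!
interface Serial1/0
 description customer AS65001 (single-homed)
 ip address 203.0.113.1 255.255.255.252
 ! strict uRPF: drop packets whose source is not routed back out this link
 ip verify unicast reverse-path
 ! CAR: rate (bps), normal burst (bytes), max burst (bytes)
 rate-limit input access-group 102 512000 8000 8000 conform-action transmit exceed-action drop
 rate-limit input access-group 103 128000 8000 8000 conform-action transmit exceed-action drop
!
! ===== Upstream router, peering/transit interface =====
interface POS2/0
 description peering
 ! loose uRPF (the "new uRPF" Basil points to): source must merely exist in the FIB,
 ! so it is safe on asymmetric / multihomed paths
 ip verify unicast source reachable-via any
!
! ===== Upstream router: accept the customer's blackhole community =====
! Any /32 (or longer-than-aggregate sub-prefix) tagged 65000:666 is
! next-hopped to an address statically routed to Null0, i.e. "ROUTENULL".
ip bgp-community new-format
ip route 192.0.2.1 255.255.255.255 Null0
ip community-list standard BLACKHOLE permit 65000:666
!
! prefix list is deliberately loose on length (le 32) so the victim /32 is accepted
ip prefix-list CUSTOMER-PFX seq 10 permit 198.51.100.0/24 le 32
!
route-map CUSTOMER-IN permit 10
 match community BLACKHOLE
 set ip next-hop 192.0.2.1
 set local-preference 200
route-map CUSTOMER-IN permit 20
!
router bgp 65000
 neighbor 203.0.113.2 remote-as 65001
 neighbor 203.0.113.2 prefix-list CUSTOMER-PFX in
 neighbor 203.0.113.2 route-map CUSTOMER-IN in
!
! ===== Customer router (AS65001): trigger the blackhole for one victim host =====
ip bgp-community new-format
! the /32 must exist in the table before BGP will originate it
ip route 198.51.100.10 255.255.255.255 Null0
ip prefix-list VICTIM seq 10 permit 198.51.100.10/32
!
route-map UPSTREAM-OUT permit 10
 match ip address prefix-list VICTIM
 set community 65000:666 additive
route-map UPSTREAM-OUT permit 20
!
router bgp 65001
 network 198.51.100.0 mask 255.255.255.0
 network 198.51.100.10 mask 255.255.255.255
 neighbor 203.0.113.1 remote-as 65000
 neighbor 203.0.113.1 send-community
 neighbor 203.0.113.1 route-map UPSTREAM-OUT out
```

Two things to check before relying on this: `ip verify unicast reverse-path` (strict mode) will drop legitimate traffic on any link where return routing is asymmetric, so it belongs only on genuinely single-homed customer ports, with the loose `reachable-via any` form on peering links; and the blackhole route-map must stay behind the customer's own prefix list, otherwise a community-tagged announcement from one customer could null-route somebody else's address space. Note also what the config does not do: it addresses Hank's three items (ICMP, SYN, spoofing, blackhole) and nothing on Basil's list of ACK/RST/UDP/fragment floods, which is exactly his point about needing roughly ten such rules per hot host.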
Current thread:
- Advanced Countermeasures to prevent a Ddos Scott E. MacKenzie (Jul 19)
- <Possible follow-ups>
- Re: Advanced Countermeasures to prevent a Ddos Hank Nussbacher (Jul 19)
- Re: Advanced Countermeasures to prevent a Ddos Christopher L. Morrow (Jul 19)
- Re: Advanced Countermeasures to prevent a Ddos Basil Kruglov (Jul 19)
- Re: Advanced Countermeasures to prevent a Ddos Hank Nussbacher (Jul 19)