Re: Effective ways to deal with DDoS attacks?

["Christopher L. Morrow" <chris () UU NET>]

On Wed, 1 May 2002, Pete Kruckenberg wrote:

> On Thu, 2 May 2002, Christopher L. Morrow wrote:
>
> > Funny, you say 'secured' here...
> >
> > > These are not zombies. They are secured, uncompromised Web
> > > servers. The attack spoofs the target address as the source,
> [snip]
> > and here you say: "printers and routers" Since when did
> > they need to be accessible off campus? Additionally, why
> > does a router need a web interface?? Printers are on the
> > cusp, but they certainly don't need to be accesible from
> > out of your LAN.
>
> More clarification needed. We are not a campus network. We
> are a state-wide research/education network, as in we are
> the service provider to the various K-12 and higher-ed
> institutions in the state (there is a network, not a
> purchasing cooperative like many other state "networks").

This does complicate things, what about adding in some security provisions
to your 'contract' ?? Or providing managed firewall services? Or better
yet, reselling managed firewall services to your customers? :) There are
ways, most times it just comes down to people at the far end not knowing
enough to protect themselves, or not having the man power to fix it :(

> We are large in the sense that there are some 1,000 end
> sites (each comparable in size to a mid- to large-size
> enterprise) and a network that looks like many national
> networks, but condensed into a single state. We tend to
> design and operate our network, and experience problems
> similar to a national-scale network.
>
> Like almost every other service provider, we do not have the
> luxury of simply putting a firewall at the border of our
> network, since we do not have the ability to enforce
> security policies any more than other service providers do.
> We also have the ability to suggest security policy and
> block hosts or networks that interfere with network
> operations, but it's not our business whether someone uses a
> Web interface to their printer or router any more than it's
> UUNet's business.

Agreed, which is why we have resale and managed firewall businesses, so
the customer can say what their security policy should be.

> We do have a fairly aggressive security group that
> identifies compromised machines and assists customers in
> properly securing them. We can be fairly certain that the
> way these hosts are responding to this DoS attack is not as
> a result of being compromised, but a "normal" IP stack
> implementation.

'normal' to something that really has no business being accessible ;( but
I agree with your point.

> As such, though we are a state education service provider,
> it seems that these kinds of attacks are most likely
> pervasive on all networks, and probably are going on all the
> time. One advantage we have is a close relationship with our
> customers, which allows us to use tools such as IDS and
> Netflow in conjunction with information about the customer
> implementation to identify what is a bonafide attack.