nanog mailing list archives

Re: Effective ways to deal with DDoS attacks?


From: Richard A Steenbergen <ras () e-gerbil net>
Date: Thu, 2 May 2002 00:57:28 -0400


On Wed, May 01, 2002 at 08:56:16PM -0600, Pete Kruckenberg wrote:

> Sorry, I should have been more clear.
> 
> My issue (currently) is not being the target of the DDoS
> attack, but being a (unwilling) participant. People outside
> our network are launching DDoS attacks (distributed SYN
> floods) against destinations outside our network, using
> about 8,000 Web server hosts on our network as reflectors.

Neat, and totally not what people expect when you say "victim of a DDoS 
attack".

> These are not zombies. They are secured, uncompromised Web servers. The
> attack spoofs the target address as the source, and one of our machines
> as a destination, port 80. Getting everyone to implement defenses (SYN
> cookies) on their Web servers is nearly impossible (most don't even have
> a defense--printers and routers with Web interfaces).

That's not a defense anyways, SYN cookies still send replies (which is what 
the attacker wants), they just don't store state information (which is 
probably not an issue anyways, unless their stack is REALLY bad or old 
it's probably not going to care that much).

> SYN packet comes in, one of these machines responds with a
> RST to the "source", which is actually the target of the
> attack. Unfortunately, the target is often a site that
> people would like to get to, as is the reflector, so
> permanent filters on the target or reflector create lots of
> complaints.

You have an interesting situation. I think rate limiting outbound RSTs 
would be the least offensive thing you could do, off the top of my head.

-- 
Richard A Steenbergen <ras () e-gerbil net>       http://www.e-gerbil.net/ras
PGP Key ID: 0x138EA177  (67 29 D7 BC E8 18 3E DA  B2 46 B3 D8 14 36 FE B6)
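As an added illustration of the reflector-side view in this thread (not code from the thread or its authors), the Python script below runs over constructed outbound packet records and flags external addresses that receive RST or SYN-ACK replies from many distinct hosts on the local network within one second, i.e. the candidates for the outbound rate limit suggested above. The record layout, the sample values and the thresholds are assumptions.

```python
from collections import defaultdict

# Constructed sample of outbound TCP records seen at the edge of the
# reflector network: (time_s, src_ip, dst_ip, src_port, tcp_flags).
# Hypothetical addresses; 203.0.113.9 plays the spoofed "source".
SAMPLE = [
    (0.10, "10.0.0.1", "203.0.113.9", 80, "R"),
    (0.12, "10.0.0.2", "203.0.113.9", 80, "R"),
    (0.15, "10.0.0.3", "203.0.113.9", 80, "SA"),  # server with port open
    (0.20, "10.0.0.4", "203.0.113.9", 80, "R"),
    (0.31, "10.0.0.5", "203.0.113.9", 80, "R"),
    (0.40, "10.0.0.1", "198.51.100.7", 80, "SA"),  # ordinary handshake reply
    (0.55, "10.0.0.6", "203.0.113.9", 80, "R"),
    (1.20, "10.0.0.2", "203.0.113.9", 80, "R"),    # falls in the next window
]

# Flags a web server sends back to an unsolicited SYN: RST (closed or
# refused) or SYN-ACK (open port); with SYN cookies it still replies.
REPLY_FLAGS = {"R", "RA", "SA"}


def reflection_summary(records, window=1.0):
    """Per destination IP and time window: [reply count, set of local senders]."""
    buckets = defaultdict(lambda: defaultdict(lambda: [0, set()]))
    for t, src, dst, sport, flags in records:
        if flags not in REPLY_FLAGS or sport != 80:
            continue
        bucket = buckets[dst][int(t // window)]
        bucket[0] += 1
        bucket[1].add(src)
    return buckets


def suspected_targets(records, window=1.0, min_replies=5, min_reflectors=4):
    """Destinations that, in some single window, receive at least
    `min_replies` replies from at least `min_reflectors` distinct local hosts.
    Returns {dst_ip: (replies_in_worst_window, distinct_reflectors)}."""
    found = {}
    for dst, per_window in reflection_summary(records, window).items():
        worst = max(per_window.values(), key=lambda b: b[0])
        if worst[0] >= min_replies and len(worst[1]) >= min_reflectors:
            found[dst] = (worst[0], len(worst[1]))
    return found


if __name__ == "__main__":
    for dst, (n, hosts) in suspected_targets(SAMPLE).items():
        print(f"{dst}: {n} replies from {hosts} local hosts in one window; "
              f"candidate for an outbound RST/SYN-ACK rate limit")
```

A single external address answered by many unrelated internal web servers in the same second is the reflector signature; a legitimate client talks to one or a few of them.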

