nanog mailing list archives
Re: Impending (mydoom) DOS attack
From: Phillip Grasso <grasso () magna com au>
Date: Sat, 31 Jan 2004 17:04:32 +1100 (EST)
I've implemented a means of distributing the www.sco.com/32 or any other DDoS destination network block around my own AS and blocking it by routing to null on the edge routers. no need to update heaps of routers at the edge and when the attack its over simple to restore connectivity to DDoS destination. Basically. (relies on having BGP on all edge routers). Advertise the destination that is getting DDoS etc in BGP as a longer prefix (if it's more then a /32 make sure you think about load balanced servers, block the range). Set next-hop to RFC1918 address (assuming you route it to null on the edge routers). Make sure you filter the routes out to your ebgp neighbors besides they really shouldn't be accepting /32's anyway right? ;). Benefit is that any DDoS traffic will be dropped at edge, (keeping core happy, and upstream/wan/peer links low :) ). disadvantage, zero connectivity to that blocked destination. (Otherwise you could always play with some table-map function and do some fancy rate-limit base policies via BGP distribution with specific community string). Regards Phillip On Fri, 30 Jan 2004, bcm wrote:
Is anyone taking any special precautions given the potential for a sudden increase in aggregate packets per second across your networks come Sunday afternoon when the original Mydoom virus enters into its DOS phase? Does anyone know if the virus' assault will be slowed if it is unable to reach www.sco.com? I am hoping that if it cannot reach SCO's site that the HTTP GET command will be slow in returning, effectively reducing the volume of traffic a single PC is capable is generating. I am having a difficult time artificially forcing the virus to start its attack in a lab environment, so I am unable to confirm this. Any input would be appreciated. Thanks!
Current thread:
- Lack of Info (was Re: Impending (mydoom) DOS attack), (continued)
- Lack of Info (was Re: Impending (mydoom) DOS attack) Sean Donelan (Jan 30)
- Re: Impending (mydoom) DOS attack Mike Tancsa (Jan 30)
- MyDoom statistics (was Re: Impending (mydoom) DOS attack) Sean Donelan (Jan 30)
- Re: Impending (mydoom) DOS attack Donovan Hill (Jan 30)
- Re: Impending (mydoom) DOS attack Leo Bicknell (Jan 30)
- Re: Impending (mydoom) DOS attack Laurence F. Sheldon, Jr. (Jan 30)
- Re: Impending (mydoom) DOS attack Donovan Hill (Jan 30)
- Re: Impending (mydoom) DOS attack Stephen J. Wilcox (Jan 31)
- Re: Impending (mydoom) DOS attack Valdis . Kletnieks (Jan 31)
- Re: Impending (mydoom) DOS attack Laurence F. Sheldon, Jr. (Jan 31)
- Re: Impending (mydoom) DOS attack Leo Bicknell (Jan 30)
- Re: Impending (mydoom) DOS attack Mikael Abrahamsson (Jan 30)