nanog mailing list archives

Re: handling ddos attacks


From: "P.Schroebel" <crossfire () smsonline net>
Date: Thu, 20 May 2004 22:04:58 -0400



----- Original Message ----- 
From: "Paul Vixie" <vixie () vix com>
To: <nanog () merit edu>
Sent: Thursday, May 20, 2004 9:48 PM
Subject: Re: handling ddos attacks



mark () noc mainstreet net (Mark Kent) writes:

I've been trying to find out what the current BCP is for handling ddos
attacks.  Mostly what I find is material about ...  But I don't care
about most of that.  I care that a gazillion pps are crushing our border
routers (7206/npe-g1).

Other than getting bigger routers, is it still the case that the best
we can do is identify the target IP (with netflow, for example) and
have upstreams blackhole it?

that seems hardly worthwhile.  ddos is astonishingly easier to launch than
to defend against.  if you stop a flow the attacker *might* get bored and
decide to do something else, but they could also decide to attack you from
a different direction, or wait two days and do it all over again, and every
time they attack and you defend it's 10 minutes of their time and 10 hours
of yours.

far better to involve law enforcement and get some bad guys arrested, if
you possibly can.  this changes your costs from 10 hours to 15 hours but it
actually puts some chips on the table and makes the game worthwhile.
-- 
Paul Vixie

Hey Paul!

Ok, I'll buy that right now; we have a DDoS Attack on our core nameservers
from 66.165.10.24. Where do we start, do I call the police in Bellingham or
Washington State Police? We have blocked their IPs, but we know they will
come in another way.

Peter

OrgName:    Western Washington University
OrgID:      WWU
Address:    Computer Center
Address:     516 High Street
City:       Bellingham
StateProv:  WA
PostalCode: 98225
Country:    US

NetRange:   66.165.0.0 - 66.165.31.255
CIDR:       66.165.0.0/19
NetName:    WWU-RESIDENT-1
NetHandle:  NET-66-165-0-0-2
Parent:     NET-66-165-0-0-1
NetType:    Reassigned
NameServer: VIKING.WWU.EDU
NameServer: HENSON.CC.WWU.EDU
Comment:
RegDate:    2002-08-15
Updated:    2002-08-15

TechHandle: JSW12-ARIN
TechName:   Williams, J. Scott
TechPhone:  +1-360-650-2868
TechEmail:  scott () cc wwu edu


