Merit Network
Can't find what you're looking for? Search the Mail Archives.
  About Merit   Services   Network   Resources & Support   Network Research   News   Events   Home

Discussion Communities: Merit Network Email List Archives

North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: Advanced Countermeasures to prevent a Ddos

  • From: Hank Nussbacher
  • Date: Fri Jul 20 00:27:11 2001


At 16:38 19/07/01 -0400, you wrote:

It all hinges on your upstream ISPs. The things to ask for are:

- SYN and ICMP rate limiting: If you buy a T3 from your upstream, you should ask that they place on *their* peering routers and on the router facing you, Cisco rate limits of about 512kb/sec of ICMP and about 128kb/sec of SYNs. Pay extra if need be.
- anti-spoofing: require your upstream ISPs to implement full anti-spoofing for incoming packets. That includes RFC1918, unassigned IANA blocks and (as a minimum) IP anti-spoofing on all single-homed customer links (Cisco ip verify unicast reverse-path)
- BGP community: Your upstream should allow you to announce a BGP community for any sub-prefix in your IP block (meaning he has to not be strict in the length of the prefix you announce to him since it can change dynamically) that will me ROUTENULL, which means they eat the packets for you.

Find 2 upstreams who will agree to the above 3 items and you are 99% safe from dDoS.

-Hank


I was wondering if anyone on this list has considered the idea of trying to
eliminate Ddos attacks while designing their Data Centre's network topology.
If so, did you include server isolation and or distribution?

Secondly, is it even possible to eliminate (or as close to elimination as
one can have in the tech world) Ddos attacks with network design and server
implementation.  Does anyone have an advanced understanding of these issues
and if so are you willing to exchange information off-line?


Scott E. MacKenzie
semackenzie@crop.attcanada.ca





Discussion Communities


About Merit | Services | Network | Resources & Support | Network Research
News | Events | Contact | Site Map | Merit Network Home


Merit Network, Inc.