Merit Network

Discussion Communities: Merit Network Email List Archives

North American Network Operators Group


Re: DDos syn attack

  • From: Christopher L. Morrow
  • Date: Mon Dec 30 10:33:29 2002


On 30 Dec 2002, Mike Hyde wrote:

>
> Just wondering how people have dealt with DDOS syn attacks on port 80 of
> a customer's server?  We had an attack a couple of days ago, and it

1) acl the traffic (Stop immediate pain)
2) blackhole ip in question
3) track via: http://www.secsup.org/Tracking/ to ingress points on your
network
4) acl traffic inbound there
5) remove blackhole and acl toward customer

Finish in ~10 mins... customer is back online and happy.

> overwhelmed both the customer's firewall and, when we tried to turn up
> filtering on a 7600 Cisco router, the router also.  We ended up having
> the customer change his IP for the site under attack.  We were lucky in
> that the attack was against an IP and not the DNS name.
> --

This is also a very viable solution, provided the customer has provisioned
for this with lower TTLs on their DNS records, which A LOT of people
(thankfully) don't do... also, sometimes customers don't know how to do
this, eh? :(
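
An added example (not part of the original post) of steps 3 and 4 above: ranking ingress points by bare-SYN volume toward the attacked address, so the inbound ACL goes on the interfaces that actually carry the flood. It works from flow-export records rather than the method at the linked URL, which the post does not describe; the CSV layout, the function names and the 10% threshold are assumptions, and the sample rows are constructed.

```python
import csv
import io
from collections import Counter

# Constructed sample flow export (not real traffic). Assumed columns: edge
# router, ingress interface, source, destination, dst port, TCP flags, packets.
SAMPLE_FLOWS = """\
router,ifname,src,dst,dport,flags,packets
edge1,ge-0/0/1,198.51.100.7,192.0.2.10,80,S,42000
edge1,ge-0/0/1,203.0.113.9,192.0.2.10,80,S,38000
edge2,ge-1/0/3,198.51.100.88,192.0.2.10,80,S,15000
edge2,ge-1/0/3,203.0.113.200,192.0.2.10,80,S,4960
edge2,ge-1/0/3,203.0.113.50,192.0.2.10,80,PA,7000
edge3,xe-0/1/0,198.51.100.30,192.0.2.10,80,S,40
edge3,xe-0/1/0,198.51.100.30,192.0.2.10,443,S,9000
edge3,xe-0/1/0,198.51.100.31,192.0.2.20,80,S,60000
"""

def syn_by_ingress(flow_csv, victim, dport=80):
    """Sum bare-SYN packets toward victim:dport per (router, interface)."""
    totals = Counter()
    for row in csv.DictReader(io.StringIO(flow_csv)):
        if row["dst"] != victim or int(row["dport"]) != dport:
            continue  # other customers and other services are out of scope
        if row["flags"] != "S":
            continue  # flows with ACK/PSH set belong to established sessions
        totals[(row["router"], row["ifname"])] += int(row["packets"])
    return totals

def acl_candidates(totals, min_share=0.10):
    """Ingress points carrying at least min_share of the SYN volume, largest first."""
    grand = sum(totals.values())
    if grand == 0:
        return []  # nothing matched: wrong victim address or no flood in this window
    ranked = sorted(totals.items(), key=lambda kv: kv[1], reverse=True)
    return [(router, ifname, pkts, round(pkts / grand, 3))
            for (router, ifname), pkts in ranked if pkts / grand >= min_share]

if __name__ == "__main__":
    totals = syn_by_ingress(SAMPLE_FLOWS, "192.0.2.10")
    for router, ifname, pkts, share in acl_candidates(totals):
        print(f"{router} {ifname}: {pkts} SYN packets ({share:.1%} of flood)")
```

On the constructed sample, the two interfaces that carry nearly all of the SYN volume are listed and the low-volume third is left unfiltered.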




