North American Network Operators Group|
Date Prev | Date Next |
Date Index |
Thread Index |
Author Index |
Re: handling ddos attacks
- From: Matt Buford
- Date: Thu May 20 15:14:43 2004
On Thursday, May 20, 2004 2:52 PM, Mark Kent wrote:
> I've been trying to find out what the current BCP is for handling ddos
> attacks. Mostly what I find is material about how to be a good
> net.citizen (we already are), how to tune a kernel to better withstand
> a syn flood, router stuff you can do to protect hosts behind it, how
> to track the attack back to the source, how to determine the nature of
> the traffic, etc.
This depends entirely on your definition of handling. To some people this
means shutting down the victim to save the network as a whole. To others
this means keeping everyone running smoothly, including the victim. The
latter is preferred of course, but it is not for those who aren't willing to
pay for it.
> But I don't care about most of that. I care that a gazillion
> pps are crushing our border routers (7206/npe-g1).
> Other than getting bigger routers, is it still the case that the best
> we can do is identify the target IP (with netflow, for example) and
> have upstreams blackhole it?
It sounds like you're willing to blackhole the victim. In that case, yes,
netflow is highly useful in finding out just who is getting attacked. Once
you have that information, you can either manually contact your upstreams to
have them null route the destination IP, or better yet, arrange ahead of
time for a way to send properly tagged BGP announcements to them to
blackhole /32s anytime you want.
The alternative is to get bigger links, bigger routers, and protect the
host. For bigger links and bigger routers, keep PPS in mind. Some attacks
are large packets and large bandwidth, with low PPS. Other attacks are low
bandwidth, but high PPS. I get hit pretty regularly with 500k-600k PPS of
SYNs. While this only adds up to a few hundred megabits of traffic, that is
a lot of PPS for many routers, firewalls, servers, or whatever else they
might hit. Junipers, for example, have no problem with high PPS.
Second, you have to figure out how to protect the host(s). We've gone with
Riverhead (recently bought by Cisco) and they work quite well. I've seen
attacks as high as around 650k PPS of spoofed SYNs, and the site running on
a single (relatively weak) server remains up and generally unaffected by the