Growing DoS attacks

Most dDoS we see are udp floods with tiny packets, if not
all that have any noticeable effects. In fact we haven't
seen a single one that wasn't packets <70 bytes, so we monitor
average packet size as a DoS alert.

Rate limiting might work to prevent your dDoS participants
from hurting your neighbors, but maybe not even that.
1.5Mb of syn, icmp, or udp from your net and 100 others
will bring many folks down including me. Rate limiting does
nothing to protect your own net from the outside.

For example, if I rate limit an external T3,
that does no good if the T3 is being soaked from the
other end, that T3 is effectively down. What it takes to soak
an external T3 would be noise to the folks from whom I get the T3
(or they shouldn't be selling me a T3). Usually, "soaked" is
with pps and the total bandwidth in use drops dramatically.
So rate limiting at so-called "tier 1" is maybe going to help
folks at tier 2 and 3, but not at tier 1, and likewise down
the line.

We can encourage customers to keep patched.
We can offer to security scan them. We can firewall them
(we firewall all our dsl residential and most dsl biz customers).
But we can't make them completely secure and thus harmless.
We can only pull the plug once they get hacked and start


I believe that other vendors (Juniper for example) can
also do the same stuff I was suggesting at the rates without
concerns over which engine linecard supports what.

  I am not trying to advocate a specific vendor over another
just that if this is a major concern you can protect your network
at the ingress/egress points with such software features.

  If netflow is more important than this that is an
eng/business case that each person obviously needs to address.

  - jared

Hey Spale :)

If you run a well dDoS'ed IRC server on your network I have a solution for
you... not the best one, but still technically working...

get a /24 (be careful that there is no bigger network announced which would
include it!!! I mean like if you get 10.10.10/24, 10/8 would include it)

For those of you who don't really get the picture here, here is a real
life example:

My boss hosts the proxyscanner for the Undernet IRC network. For kiddies,
this means they are unable to load floodnets onto the Undernet. This makes
it a sitting ddos target. Fortunately, no real DDoS has taken place (just
a few in December of about 10 Mbit/s each) but in case they do, I just stop
announcing to my uplinks. This netblock was requested and
assigned specially for the IRC service. No, it's not a waste of IP space,
we host other "ddos sensitive" stuff in there too.

The fact that most DDoS attacks are IRC related imho points out the
kind of people we are dealing with. Young kids whose ego is bigger than
their ability to take a step back from someone who calls them names on a
channel they are visiting.

Get a box, and run Zebra BGPD, which will announce that /24 to your network.
Then do a script which monitors the traffic to the IRC server, and on a
certain threshold, kill BGPD. Wait a certain time, like 15 minutes or so, and
restart BGPD. It would be nice to check the traffic every minute and if 2
consecutive checks are positive kill BGPD. That means that you may be able
to STOP dDoS to IRC servers within 2-3 minutes...
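The monitor script sketched above, written out as an added example (not code from this thread or from Zebra): it counts consecutive over-threshold minutes, kills bgpd, holds the /24 withdrawn for 15 minutes and then restarts bgpd. It assumes Linux (/proc/net/dev counters), that the IRC /24 sits behind its own interface, and that `pkill bgpd` / `bgpd -d` stop and restart Zebra's bgpd; the interface name and the 10 Mbit/s threshold are constructed values.

```python
"""Kill Zebra bgpd (withdrawing the IRC /24) after two consecutive over-threshold
checks, hold down 15 minutes, restart.  Added example, not code from the thread."""
import subprocess
import time

IFACE = "eth1"              # interface carrying the IRC /24 (constructed, assumption)
THRESHOLD_BPS = 10_000_000  # "certain threshold": 10 Mbit/s inbound (constructed)
CONSECUTIVE = 2             # over-threshold checks in a row before killing bgpd
HOLD_DOWN = 15              # minutes to stay withdrawn before restarting bgpd
INTERVAL = 60               # seconds between checks

def decide(samples):
    """Yield ('withdraw'|'restore', minute) as per-minute bps samples arrive."""
    hits, withdrawn_for = 0, None   # withdrawn_for: minutes since kill, None = announced
    for minute, bps in enumerate(samples):
        if withdrawn_for is not None:           # route pulled: count down, ignore traffic
            withdrawn_for += 1
            if withdrawn_for >= HOLD_DOWN:
                withdrawn_for, hits = None, 0
                yield "restore", minute
        else:
            hits = hits + 1 if bps > THRESHOLD_BPS else 0   # a lone spike does not count
            if hits >= CONSECUTIVE:
                withdrawn_for = 0
                yield "withdraw", minute

def rx_bytes(iface):
    """Received-byte counter for iface, parsed from Linux /proc/net/dev (assumption)."""
    for line in open("/proc/net/dev"):
        name, sep, rest = line.partition(":")
        if sep and name.strip() == iface:
            return int(rest.split()[0])
    raise ValueError(f"interface {iface} not found")

def live_rates(iface):
    """Yield inbound bits/s on iface once every INTERVAL seconds."""
    prev = rx_bytes(iface)
    while True:
        time.sleep(INTERVAL)
        cur = rx_bytes(iface)
        yield (cur - prev) * 8 / INTERVAL
        prev = cur

def main():
    for action, _minute in decide(live_rates(IFACE)):
        if action == "withdraw":
            subprocess.run(["pkill", "bgpd"])   # stop announcing the /24 to the uplinks
        else:
            subprocess.run(["bgpd", "-d"])      # restart bgpd as a daemon (assumed flag)
```

Call main() on the box that runs bgpd. If the flood is still running when the route comes back, the loop withdraws it again two minutes later, which is the flapping the rest of the post warns about.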

This is a method I personally don't use; this would mean a lot of route
flapping/dampening. If a ddos lasts that long I just stop the
announcements for at least 24 hrs.

On a side note, it is of course a shame that site administrators have to
take measures going as far as requesting PI IP space from RIPE (or ARIN,
whatever you prefer) in order to protect their networks against DDoS
attacks by young people who probably don't have the slightest idea what
they are doing.