Does anyone have a list of which ISPs are willing to filter ICMP packets
for you when your network is being (D)DoS'd, and which prefer to simply
blackhole / disconnect you, and which will do absolutely nothing??
I'm finding it hard to gather this information and it occurred to me that
this is an obvious factor when choosing an ISP!
Filtering ICMP packets in DDoS attacks just makes the attacker attack
harder. It's not a useful strategy except when protecting very slow links
(T1 to 10Mbps) against very light attacks (32Mbps or less). The last few
DDoS attacks I've tried to filter have resulted in attacks so significant
there was nothing you could do at all. You will prompt a series of
escalations this way.
One new trick if the attacker can spoof is to take out a server on port 123
for IP 1.2.3.4 by swamping you with spoofed TCP SYN packets to that IP and
port. The source IPs tend to be chosen from areas rich in major government
and military sites. Filter them and the server is offline. Reply to them,
and you are flooding thousands of innocent victims (with powerful response
tactics) with unsolicited SYN ACK replies.
If the attacker can't spoof, the sources are usually tracked and shutdown.
Filtering just makes it so that you can't do the tracking and shutting down.
So what's the good?
Perhaps other people's experiences differ from mine.
There are two kinds of icmp. The kind you absolutely need and the kind you
don't. If you are running a service that is likely to get attention
(dunno, an irc server or not universally liked content), you will want to
filter the kind you don't absolutely need by default.
Not that this helps you in any way, DoS attacks rarely use icmp these
days. Lots of 'valid' packets is the keyword today. If you are being
hammered by tcp packets on port 80 of your webserver, there is very little
you can do but filter _real_ traffic. If it's a DDoS, being able to
distinguish real traffic from the DoS-attack is going to be a pain. You
will not find many providers who want to dig this deep at this point in
time. Best service you can get to keep the rest of your network from
falling down because of that one host is then to get it blackholed
upstream.
In the current atmosphere, the only real protection you can buy against
Denial-of-Service attacks is by distributing your service. If you are
distributed and they are distributed, the odds are better; you can
sacrifice a host under attack without losing service.
> Does anyone have a list of which ISPs are willing to filter ICMP packets
> for you when your network is being (D)DoS'd, and which prefer to simply
> blackhole / disconnect you, and which will do absolutely nothing??
IMHO the best protection you can get from ICMP flooding is a permanent
rate-limit on your upstream router to something between 1 and 5 % of the line
capacity. You won't feel it unless you have a DoS attack, and then it
kicks in automagically.
NOTE: depending on your "normal" traffic you want to rate limit UDP
to something between say 20-50 % of line capacity
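Two of the replies above suggest complementary things: drop the ICMP types you don't absolutely need by default, and put a permanent rate limit on whatever is left at a small share of line capacity. The simulation below is an added example, not code from anyone in this thread; it runs a constructed packet trace (10 s of normal ping replies, plus a 5 s ping flood and a 5 s flood of forged "destination unreachable" packets) through a type filter and a token bucket sized at 2 % of an assumed 100 Mbit/s link. The NEEDED_TYPES set, the link speed, the burst depth and the trace are all assumptions made for the example; the same bucket with a different share covers the UDP suggestion.

```python
"""ICMP default-deny by type plus a permanent rate limit, simulated.

Added example, not from the thread. Timestamps are integer microseconds so
that packets generated at the same instant really tie and results are exact.
"""
from dataclasses import dataclass, field

LINE_BPS = 100_000_000   # assumed 100 Mbit/s upstream link
ICMP_SHARE = 0.02        # 2 % of line capacity, inside the 1-5 % range suggested
BURST_SECONDS = 0.1      # bucket depth: 100 ms worth of the permitted rate

# ICMP types a host can't do without (assumed policy; adjust for your site):
#   0  echo reply                answers to our own pings
#   3  destination unreachable   includes code 4 "fragmentation needed" (PMTUD)
#  11  time exceeded             traceroute, TTL expiry
#  12  parameter problem
# Everything else (8 echo request, 5 redirect, 13/14 timestamp, 17/18 address
# mask, ...) is dropped by default; echo request is the classic flood vector.
NEEDED_TYPES = {0, 3, 11, 12}


@dataclass
class TokenBucket:
    """Token bucket: earns `rate_bps` bits per second, holds at most `burst_bits`."""
    rate_bps: float
    burst_bits: float
    tokens: float = field(init=False)
    last_t: int = 0          # microseconds

    def __post_init__(self):
        self.tokens = self.burst_bits            # start full

    def allow(self, t_us, bits):
        earned = (t_us - self.last_t) * self.rate_bps / 1_000_000
        self.tokens = min(self.burst_bits, self.tokens + earned)
        self.last_t = t_us
        if bits <= self.tokens:
            self.tokens -= bits
            return True
        return False


def icmp_policy(packets, line_bps=LINE_BPS, share=ICMP_SHARE):
    """Apply the type filter, then the rate limit, to (time_us, icmp_type, size_bytes, label).

    Returns (stats, hist): stats maps each label to counts of packets
    passed / dropped_type / dropped_rate; hist[s] is how many bits the policy
    let through during second s.
    """
    rate = line_bps * share
    bucket = TokenBucket(rate_bps=rate, burst_bits=rate * BURST_SECONDS)
    stats = {}
    hist = [0] * (max(p[0] for p in packets) // 1_000_000 + 1)
    # sorted() is stable, so packets that tie on time keep their trace order
    for t, typ, size, label in sorted(packets, key=lambda p: p[0]):
        s = stats.setdefault(label, {"passed": 0, "dropped_type": 0, "dropped_rate": 0})
        bits = size * 8
        if typ not in NEEDED_TYPES:
            s["dropped_type"] += 1              # never reaches the bucket
        elif bucket.allow(t, bits):
            s["passed"] += 1
            hist[t // 1_000_000] += bits
        else:
            s["dropped_rate"] += 1
    return stats, hist


def build_trace(flood=True):
    """Constructed 10 s trace: steady legitimate ICMP plus, optionally, floods from t=3 s to 8 s."""
    pkts = []
    for i in range(1000):                       # 100 pps of 84-byte echo replies: ~67 kbit/s
        pkts.append((i * 10_000, 0, 84, "normal"))
    if flood:
        for i in range(5000):                   # 1000 pps each of 1500-byte packets: 12 Mbit/s each
            t = 3_000_000 + i * 1000
            pkts.append((t, 3, 1500, "forged_unreach"))        # forged "needed" type: only the limit catches it
            pkts.append((t + 500, 8, 1500, "echo_flood"))       # classic ping flood: dropped by type
    return pkts


if __name__ == "__main__":
    stats, hist = icmp_policy(build_trace())
    for label, s in stats.items():
        print(f"{label:15s} {s}")
    print("kbit passed per second:", [h // 1000 for h in hist])
```

Running it shows the split the replies describe: the echo-request flood never touches the bucket, the forged unreachables are clipped to roughly 2 Mbit/s (about 821 of 5000 get through), and the small legitimate replies all pass because 1 ms of accrual already covers one of them. With bigger legitimate packets or a tighter share the limit would clip them too during the attack; the point of the limit is to keep the flood off the rest of the link, not to make ICMP itself survive.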