Ok, Yahoo, Ebay, Amazon and Microsoft have all made essentially the
same statement after being hit by a DDOS: "taken steps to
improve protection of their networks from this type of attack."
My question is What are these steps, and why can't people take them
before they experience a DDOS?
Is there some magic command I can put into my router to help protect
my network from a DDOS, or is this just PR fluff to make it look like
the corporation is doing something. But in reality there is nothing
you can do, but wait for the attacker to get bored and stop on their
own.
Ok, Yahoo, Ebay, Amazon and Microsoft have all made essentially the
same statement after being hit by a DDOS: "taken steps to
improve protection of their networks from this type of attack."
My question is What are these steps, and why can't people take them
before they experience a DDOS?
Is there some magic command I can put into my router to help protect
my network from a DDOS, or is this just PR fluff to make it look like
the corporation is doing something.
How aobut neither?
But in reality there is nothing you can do, but wait for the
attacker to get bored and stop on their own.
This is the "state a fact that might be wrong to poll for dissent," approach?
Some people have, or are working on, automated tools that try to
detect-and-then-filter-at-the-border DDOS attacks when they happen.
This is something to do that is not useless PR fluff that is not a magic
command.
--jhawk
Closest command I've found is "no ip routing" in IOS, or "delete
family inet [...]" in JunOS.
That aside, there's something very basic that few people seem to
realize -- if you have no route to a destination, you can't initiate a
DDoS attack against it.
What's to prevent high-visibility shell/IRC/web/etc servers (read:
DDoS targets) from announcing their netblocks to their upstreams, and
then withdrawing these announcements -- either manually, or
automagically, using scripts monitoring rate limiting and pkt/sec
thresholds, amongst other things -- when under attack. Sure, that
would result in temporary loss of connectivity to said host, but
sometimes, that's the quickest way to stop a large attack.
This doesn't need to be a costly endeavor. Zebra is perfectly stable
when receiving no routes, and announcing a couple of networks at the
most. You'll find that lots of folks who have legacy class C (or B
even!) and AS number assignments they're not currently using, dating
back to before the ARIN charged for such things, are more than willing
to transfer/lend them to you when you ask politely. Don't believe me?
Try it sometime.
-adam
What's to prevent high-visibility shell/IRC/web/etc servers (read:
DDoS targets) from announcing their netblocks to their upstreams, and
Read: DDoS targets which bring no cash revenue, essentially loss-leaders.
That doesn't quite work when ebay.com is being DDoSed (uh, guys, we
fixed the problem, you can now browse, but, sorry, we withdrew the route
to our production server to accomplish that).
This doesn't need to be a costly endeavor. Zebra is perfectly stable
when receiving no routes, and announcing a couple of networks at the
most. You'll find that lots of folks who have legacy class C (or B
even!) and AS number assignments they're not currently using, dating
back to before the ARIN charged for such things, are more than willing
to transfer/lend them to you when you ask politely. Don't believe me?
Try it sometime.
Tried that, didn't have much luck. Possibly, eventually, when we'll have
clearinghouse for IPs, and most likely old swamp IPs would have far higher
valuations than just regular PI netblocks...
-alex
http://www.e-gerbil.net/ras/dos.txt
This is useful, and would make for an interesting NANOG presentation.
Read: DDoS targets which bring no cash revenue, essentially
loss-leaders.
You'd be surprised much much publicity (and in turn, legitimate
business) hosting an IRC server has brought various providers. But
that's beyond the scope of this discussion.
That doesn't quite work when ebay.com is being DDoSed [...]
Nope, nor is it really intended to.
What it will do is, help protect smaller hosts/networks targeted by
less determined DDoS kiddies -- the type who'll realize "d'oh, I can't
reach this anymore!" and move on to to their next target. And if
nothing else, it will protect smaller people w/ 95% burstable pipes,
whose upstreams aren't willing lend a hand when they're under attack,
from having their monthly bandwidth bills skyrocket.
-adam