Most are suggestions for what other networks can do to prevent them from
being a source of a DDOS attack. There is less help for what the target
of a DDOS can do.
Unfortunately, the current draft document for the Center for Internet Security
(www.cisecurity.org) Solaris security checklist suffers from the same problem.
It mandates RFC2644 broadcasts, RFC1918 martian and RFC2827 egress filtering,
but I couldn't find any stuff on the victim end of it.
If anybody can provide me with a good reference, I'll be happy to add it and
give credit. http://www.sans.org/dosstep/index.htm is what I have currently
on filtering. If you have a *partial* reference (something that will work
for *many* or *most* sites, for example), I am able to phrase it as
"Evaluate the techniques listed at <URL> for appropriateness".
Anybody got input to add?
Valdis Kletnieks
Operating Systems Analyst
Virginia Tech
As far as I know, with the current level of awareness, everyone's working
hard on prevention or protection from vulnerabilities of DOS/DDOS. But when
it comes to what to do when you are in the thick of a DOS or DDOS attack,
the jury is still out on that one, I guess.
What I have learned from a white paper by Barry Greene of Cisco are the
following tibbits for "when you are in it":
After an attack is identified or classified, if
1. Spoofed RFC1918 and special use addresses - block or drop it.
2. Spoofed addresses that are not in Global route table - drop it.
3. valid address from a compromised DDOS agent - either drop it or rate
limit the port.
4. spoofed valid address from somewhere on the Internet - the hardest to
deal with, no clear course action for this.
You can get the more out of the white paper off Cisco's web site at
http://www.cisco.com/public/cons/isp/documents/
additional articles include:
http://www.networkmagazine.com/article/NMG20001130S0002
http://www.networkmagazine.com/article/NMG20000512S0041
Hope this helps,
Just my thoughts
Jake