uRPF and Radware DoShield, one DoShield per link between edge router and core
router. Use IDS (yes there is a way to capture all your traffic and
analyze it, regardless of bandwidth, no it isn't one box) to identify a
signature, build a filter, config filter on DoShield, up to ~200Mb/s per
DoShield of filtering with zero impact to legit traffic. Scale horizontally
(add more links each with a DoShield on it) based on your ingress traffic.
I've seen many suggestions on this list, this is the only thing that works
for huge (100Mb/s+) attacks. eBay is likely the biggest target on the net,
this works for us 90% of the time. Is the HW expensive? Yes. (~$35k per
DoShield I think) It works, it scales.
There is no way a Cisco router can handle filtering attacks past a certain
point, nor is it capable of even filtering on some patterns in attack
packets. Juniper is better, but still lacks some filtering capabilities.
Your router is a router, not a packet filter, give up trying to make it do
this until someone builds this into an ASIC on the router.
Email me off list for more info.
You might want to take a look at CloudShield (www.cloudshield.com), they
have what can only be described as a pretty impressive looking box for
this kind of stuff.
That's what the IP2 does, match bytes in the headers and come back with a
thumbs down or a thumbs up and a destination interface. It's really not
that much harder to match the bytes for a dest port against a compiled
ruleset and decide yes or no than it is to match the dest address against
a forwarding table and decide which nexthop.
They CAN filter on anything in the headers, it's just a matter of
convincing them that the specific filter you want is something they should
add to their software language and microcode. I'm sure as a core router
vendor they must hear every feature request imaginable and not know which
ones to follow up on. If anyone from Juniper is listening, I can tell you
4 things to add which will stop all existing packet kiddie tools in their
tracks. But then again, I'd rather just have a language for bitmatching at
any offset. 
Looking into the IP header is not enough. In order to filter DDOS packets one has to look into the payload as well. I don't think routers are suitable for that level of filtering (think advanced NBAR).
Hank
Consultant
Riverhead Networks (formerly Wanwall Networks)
www.riverhead.com
I disagree. There is a world of things you can do when you look at the
entire payload, from IDS to playing Big Brother. But stopping DDoS does
not require it, in almost every case layer 3+4 headers are sufficient.
Date: Thu, 2 May 2002 12:23:01 -0400
From: Richard A Steenbergen
They CAN filter on anything in the headers, it's just a matter of
convincing them that the specific filter you want is something they should
add to their software language and microcode. I'm sure as a core router
vendor they must hear every feature request imaginable and not know which
ones to follow up on. If anyone from Juniper is listening, I can tell you
4 things to add which will stop all existing packet kiddie tools in their
tracks. But then again, I'd rather just have a language for bitmatching at
any offset. 
And it wouldn't be that hard to have something to compile
rulesets into simple assembly, either:
	movb 0x12(%ecx),%al      # load the byte at offset 0x12 from the packet base held in %ecx
	andb $0x34,%al           # mask: keep only the bits this rule cares about
	xorb $0x14,%al           # test: result is zero iff the masked byte equals 0x14
	jz some_destination      # match -> jump to the rule's action (drop, or forward to an interface)
Oversimplified, yes. But mask-then-test is one of the simpler
apps to write. s/x86/chipofchoice/ and have fun.
Juniper being based on FreeBSD/x86, perhaps some kernel hooks
might be in order for those who wish to write their own code.
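Steenbergen's "bitmatching at any offset" and Dreger's mask-then-test, written out as a small software ruleset engine in C. This is an added example, not code from this thread, from Juniper or from any vendor; the term/rule format, the two demo rules (SYN+FIN set together, and a 127/8 source address) and the 40-byte sample packet are all constructed here, and the offsets assume IPv4 without options.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* One compiled term: (pkt[offset] & mask) == value, i.e. mask-then-test at an
 * arbitrary byte offset. A rule ANDs its terms; the first matching rule decides. */
struct term { size_t offset; uint8_t mask; uint8_t value; };
struct rule { const struct term *terms; size_t nterms; bool drop; };
static bool rule_matches(const struct rule *r, const uint8_t *pkt, size_t len) {
    for (size_t i = 0; i < r->nterms; i++) {
        const struct term *t = &r->terms[i];
        if (t->offset >= len) return false;   /* term beyond packet end: no match */
        if ((pkt[t->offset] & t->mask) != t->value) return false;
    }
    return true;
}
/* Returns true to drop the packet, false to forward it (the default). */
bool filter_drop(const struct rule *rules, size_t nrules, const uint8_t *pkt, size_t len) {
    for (size_t i = 0; i < nrules; i++)
        if (rule_matches(&rules[i], pkt, len)) return rules[i].drop;
    return false;
}

/* Constructed demo rules. Offsets assume IPv4 without options (IHL=5), so the
 * TCP flags byte is at offset 33; the IHL term enforces that assumption. */
static const struct term ipv4_tcp_synfin[] = {
    {0, 0xF0, 0x40}, {0, 0x0F, 0x05},   /* version 4, IHL 5 */
    {9, 0xFF, 0x06},                    /* protocol TCP */
    {33, 0x03, 0x03},                   /* SYN and FIN both set: never legitimate */
};
static const struct term src_loopback[] = { {12, 0xFF, 127} };  /* src in 127.0.0.0/8 */
const struct rule demo_rules[] = { { ipv4_tcp_synfin, 4, true }, { src_loopback, 1, true } };
#define DEMO_NRULES (sizeof demo_rules / sizeof demo_rules[0])

/* Constructed 40-byte IPv4+TCP SYN: src 10.0.0.1, dst 192.0.2.10, port 1234 -> 80. */
static const uint8_t tmpl[40] = {
    0x45,0x00,0x00,0x28, 0x12,0x34,0x00,0x00, 0x40,0x06,0x00,0x00,
    10,0,0,1, 192,0,2,10,
    0x04,0xd2,0x00,0x50, 0,0,0,0, 0,0,0,0, 0x50,0x02, 0x20,0x00, 0,0, 0,0 };
/* Patches the template's TCP flags and first source octet, then runs the filter. */
bool demo_drop(uint8_t tcp_flags, uint8_t src_octet1) {
    uint8_t pkt[sizeof tmpl];
    memcpy(pkt, tmpl, sizeof pkt);
    pkt[33] = tcp_flags;
    pkt[12] = src_octet1;
    return filter_drop(demo_rules, DEMO_NRULES, pkt, sizeof pkt);
}
```

A compiled form of each term is exactly Dreger's three instructions (load, and, xor/jz) with the offset, mask and value filled in; a packet shorter than a term's offset is left alone rather than read past its end.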
Date: Fri, 3 May 2002 02:35:53 +0000 (GMT)
From: E.B. Dreger
Juniper being based on FreeBSD/x86, perhaps some kernel hooks
might be in order for those who wish to write their own code.
And, were my head on straight, I'd have been thinking about the
ASIC in the line card, _not_ the central CPU...
/me needs sleep.
Do you mind sharing with us the 4 things that exist only in DoS packets?
Rubens Kuhl Jr.