On Thu, May 20, 2004 at 11:52:01AM -0700, Mark Kent wrote:
>
> I've been trying to find out what the current BCP is for handling DDoS
> attacks. Mostly what I find is material about how to be a good
> net.citizen (we already are), how to tune a kernel to better withstand
> a SYN flood, router stuff you can do to protect hosts behind it, how
> to track the attack back to the source, how to determine the nature of
> the traffic, etc.
>
> But I don't care about most of that. I care that a gazillion
> pps are crushing our border routers (7206/npe-g1).
>
> Other than getting bigger routers, is it still the case that the best
> we can do is identify the target IP (with netflow, for example) and
> have upstreams blackhole it?
Or ACL it. Some providers offer blackhole services where you can inject a route to them via BGP over the same session (with communities) or over a different session that just takes blackhole routes. That can be used by you to cause them to null0/discard the traffic within their network automatically.

With Junipers being used commonly these days, and their ability to write long, complex firewall filters, I think you're seeing more people do fancier things. I've placed filters for at least one customer (for the duration of a DoS) that match on specific packet sizes or packet ranges of a specific type. The more you know about the profile of the attack you have going on, the better others can help you mitigate it.

- jared

--
Jared Mauch | pgp key available via finger from [EMAIL PROTECTED]
clue++; | http://puck.nether.net/~jared/
My statements are only mine.
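The two mitigation paths in the reply (tagging a discard route with a community the upstream honours, and a firewall filter that drops only the profiled flood by packet size) as one added Junos-style illustration; this is not Jared's or any provider's configuration, and it assumes placeholder victim address 192.0.2.10, placeholder blackhole community 65000:666, and upstream-facing interface ge-0/0/0.

```junos
/* Assumed: the upstream discards any route it receives tagged 65000:666 (placeholder) */
policy-options {
    community BLACKHOLE members 65000:666;
    policy-statement EXPORT-TO-UPSTREAM {
        term blackhole {
            from {
                protocol static;
                community BLACKHOLE;
            }
            then accept;
        }
        /* normal export terms for your own prefixes follow here */
    }
}
routing-options {
    static {
        /* victim host (placeholder): dropped locally and advertised upstream with the blackhole tag */
        route 192.0.2.10/32 {
            discard;
            community [ 65000:666 ];
        }
    }
}
firewall {
    family inet {
        filter DOS-MITIGATE {
            /* drop only the profiled flood: UDP to the victim in a narrow size range */
            term flood {
                from {
                    destination-address { 192.0.2.10/32; }
                    protocol udp;
                    packet-length 100-120;
                }
                then {
                    count dos-drop;
                    discard;
                }
            }
            term default {
                then accept;
            }
        }
    }
}
interfaces {
    ge-0/0/0 {
        unit 0 {
            family inet {
                filter { input DOS-MITIGATE; }
            }
        }
    }
}
```

The policy still has to be attached as the `export` of the BGP group facing that upstream, and the `dos-drop` counter is what tells you whether the size profile actually matched the attack rather than legitimate traffic.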