Hello,
No, but I was thinking that you do the ACL by yourself instead of doing it automatically .. Since it can happen at any time it's nice to wake up at 3.00 am because of kiddies. And yes, Arbor is a detection tool which is applying ACLs or other rules to the attacked node ... Btw with any tools you still get the DDoS BW on your edge ... And last point is with such tools "You should be safe on your internal network" since it's supposed to detect the attack really faster than you can ;) It's just a question of downtime on your backbone. You can also use the CAR solution by rate limiting ICMP SYN or whatever. It won't stop the DDoS but at least other customers are able to "use" internet.
Cu,
Nico
Arnold, Nico,
Let's suppose we have Arbor or any other "professional anti-DDoS tool" and that the tool tells me: you have an attack of (almost) 1Gbps towards IP address x.y.z.w. What do you do now? You still have hundreds of Mbps coming from many ingress points; all these flows then aggregate towards x.y.z.w and fill your links, the attacked customer is completely down, and other customers are impacted as well. The only way I see to solve this is to blackhole that traffic at the ingress points. This has the following consequences:
- all other customers can work again
- the attacked customer can (at least) work with all other IP addresses
- as it is a DDoS, the ingress links are not filled up, no issue here
Nico, by the way, maybe I'm wrong but Arbor is a detection system that detects DDoS and proposes access-lists for you to configure on the border... so in fact they are doing the same as blackholing. Do you maybe have different info?
Trying to stop the DDoS traffic at the source is almost impossible: you have to contact many different networks and ask them to trace back to the source. I did it Friday night (I also sent e-mails to specialised security mailing lists) and I received just two answers, and not from the biggest sources.
From my point of view, Arbor tools are very useful in the detection, you can save a lot of time and react faster, but the only solution I see afterwards is to blackhole the traffic.
Regards Mic
>Since the traffic comes thru your edge anyway, what's the point of blackholing? Did you ever hear of
>Arbor Networks?
>
>Cu,
>Nico
>
>>>On 02.08.2004 09:08 Michele Marazza wrote:
>>>
>>> Of course (anyone who has lived through such DDoSs can probably confirm), it took me some time before
>>>I could find THE /32 that was attacked and blackhole it at our borders.
>>>
>>
>>Aren't you deploying professional Anti-DDoS solutions? Blackholing
>>traffic has the same effect as attacking (at least for the victim).
>>
>>>Arnold
_______________________________________________ swinog mailing list [EMAIL PROTECTED] http://lists.init7.net/cgi-bin/mailman/listinfo/swinog
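
The step discussed in this thread (finding the attacked /32 from traffic entering at many ingress points, then seeing what dropping it at the ingress frees up on the shared links), as an added example that is not part of the original messages. The flow records, router names, link capacity and threshold are constructed assumptions; the addresses are documentation ranges.

```python
from collections import defaultdict

# Constructed per-ingress flow summaries: (ingress router, destination IP, Mbps).
# Router names and addresses (RFC 5737 documentation ranges) are made up.
FLOWS = [
    ("edge-zrh", "192.0.2.10", 310), ("edge-zrh", "198.51.100.7", 40),
    ("edge-gva", "192.0.2.10", 280), ("edge-gva", "203.0.113.5", 55),
    ("edge-bsl", "192.0.2.10", 350), ("edge-bsl", "198.51.100.7", 25),
]
CORE_LINK_MBPS = 1000   # assumed capacity of the shared link towards customers
ATTACK_SHARE = 0.5      # assumed rule: one /32 taking over half of all traffic

def per_destination(flows):
    """Sum traffic per destination /32 across all ingress points."""
    totals = defaultdict(int)
    for _ingress, dst, mbps in flows:
        totals[dst] += mbps
    return dict(totals)

def find_victim(flows, share=ATTACK_SHARE):
    """Return the /32 receiving more than `share` of total traffic, or None."""
    totals = per_destination(flows)
    if not totals:
        return None
    grand = sum(totals.values())
    dst, mbps = max(totals.items(), key=lambda kv: kv[1])
    return dst if grand and mbps / grand > share else None

def ingress_breakdown(flows, victim):
    """Traffic towards the victim per ingress router: where the drop must sit."""
    out = defaultdict(int)
    for ingress, dst, mbps in flows:
        if dst == victim:
            out[ingress] += mbps
    return dict(out)

def core_load(flows, blackholed=None):
    """Load on the shared link, with one /32 optionally dropped at ingress."""
    return sum(m for _i, d, m in flows if d != blackholed)

if __name__ == "__main__":
    victim = find_victim(FLOWS)
    print("victim /32:", victim)
    print("per ingress:", ingress_breakdown(FLOWS, victim))
    print("core load before:", core_load(FLOWS), "of", CORE_LINK_MBPS, "Mbps")
    print("core load after :", core_load(FLOWS, victim), "Mbps")
```

No single ingress in the sample carries more than 350 Mbps towards the victim, yet the aggregate exceeds the assumed 1000 Mbps shared link, which is the situation described in the thread.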
