North American Network Operators Group|
Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical
Re: Proactive steps to prevent DDOS?
On Fri, Jan 26, 2001 at 03:35:50PM -0800, Sean Donelan wrote: > Is there some magic command I can put into my router to help protect > my network from a DDOS [...] Closest command I've found is "no ip routing" in IOS, or "delete family inet [...]" in JunOS. That aside, there's something very basic that few people seem to realize -- if you have no route to a destination, you can't initiate a DDoS attack against it. What's to prevent high-visibility shell/IRC/web/etc servers (read: DDoS targets) from announcing their netblocks to their upstreams, and then withdrawing these announcements -- either manually, or automagically, using scripts monitoring rate limiting and pkt/sec thresholds, amongst other things -- when under attack. Sure, that would result in temporary loss of connectivity to said host, but sometimes, that's the quickest way to stop a large attack. This doesn't need to be a costly endeavor. Zebra is perfectly stable when receiving no routes, and announcing a couple of networks at the most. You'll find that lots of folks who have legacy class C (or B even!) and AS number assignments they're not currently using, dating back to before the ARIN charged for such things, are more than willing to transfer/lend them to you when you ask politely. Don't believe me? Try it sometime. -adam