How to protect against DDoS flooding our uplink?

nowisph · #1 05-19-2004, 10:13 PM

Is there anything we can do except waiting for upstream to cut our connections and block the aggressing IPs?

Hardware firewall doesn't work when the attack is targetted to saturate our uplink, please advice.

ThomasC · #2 05-19-2004, 10:26 PM

Increase your upstream

Regards,
Thomas Currie

nowisph · #3 05-19-2004, 10:28 PM

the problem is even if we buy 100Mbps of bandwidth, DC will still cut our connection when there is a DDoS.

IRCCo Jeff · #4 05-19-2004, 10:29 PM

Pretty much - You're going to want to find a provider with sufficient throughput to handle the attacks.

nowisph · #5 05-19-2004, 10:32 PM

Change DC is not a good choice, it'll bring a huge downtime to us and our clients.

codywatkins · #6 05-19-2004, 10:43 PM

Quote:

Originally posted by nowisph
Change DC is not a good choice, it'll bring a huge downtime to us and our clients.

What you will want to do is stick an edge router (owned by you) on their end to prevent the DDOS from being able to saturate the line.

Example: If you have a router in their carrier building, you could in theory have it on a GIGE line to their core router, and then from your router it would go out over your pipe to your data center.

IRCCo Jeff · #7 05-20-2004, 01:57 AM

Quote:

Originally posted by codywatkins
What you will want to do is stick an edge router (owned by you) on their end to prevent the DDOS from being able to saturate the line.

Example: If you have a router in their carrier building, you could in theory have it on a GIGE line to their core router, and then from your router it would go out over your pipe to your data center.

This will still saturate the line of the capacity is not present, not to mention that adding another device to the puzzle creates an additional potential point of failure and, more likely than not, performance issues (assuming that the device on the edge cannot perform at the same Mpps level).

Lets face it, most providers are not equipped to handle DDoS concerns, and trying to beat around the issue is a losing battle.

jsw6 · #8 05-20-2004, 02:52 AM

If you can live without specific IP addresses being globally reachable during attacks, I strongly recommend you work with your provider(s) on setting up a BGP black-hole mechanism. It is quite easy for your provider to do.

In addition, consider having your provider configure fixed filters to discard traffic that is typically associated with a DDoS event. For example, rate-limit non-tcp-established traffic to several mbits/sec. There are even more elegant solutions available to folks running Juniper routers.

Contact me if you have further questions.

IRCCo Jeff · #9 05-20-2004, 03:49 AM

jsw6:

My understanding has always been that non-established limiting was a terrible waste of resources.

Nonetheless, it definately seems as if you have some insight in these matters that I would be interested in speaking with you about. If you're up for a short discussion, please PM me your IM contact(s).

Thanks.

Mfjp · #10 05-20-2004, 05:00 AM

Juniper + Multi Gig uplinks!!

IRCCo Jeff · #11 05-20-2004, 05:23 AM

His provider will not tolerate DDoS and he does not want to move -- so there's really not much we can do for him.

nowisph · #12 05-20-2004, 06:11 AM

Quote:

Originally posted by jsw6
If you can live without specific IP addresses being globally reachable during attacks, I strongly recommend you work with your provider(s) on setting up a BGP black-hole mechanism. It is quite easy for your provider to do.

Excuse me but what is the advantages of BGP black-hole? Is it a null-routing?

I afraid it will still cause us downtime? so how can we survive?

jsw6 · #13 05-20-2004, 09:39 AM

Quote:

Originally posted by nowisph
Excuse me but what is the advantages of BGP black-hole? Is it a null-routing?
I afraid it will still cause us downtime? so how can we survive?

It is null-routing. It will cause downtime for the IP addresses that you black-hole, but the attack will be filtered upstream and the rest of your services will operate normally.

Quote:

Originally posted by DeathNova
My understanding has always been that non-established limiting was a terrible waste of resources.
Nonetheless, it definately seems as if you have some insight in these matters that I would be interested in speaking with you about. If you're up for a short discussion, please PM me your IM contact(s).

If you've got the hardware resources for non-established rate-limiting, it is a big benefit to customers who are the target of DoS.
My AIM screen name is on my WHT profile.

nowisph · #14 05-20-2004, 09:41 AM

Quote:

Originally posted by jsw6
In addition, consider having your provider configure fixed filters to discard traffic that is typically associated with a DDoS event. For example, rate-limit non-tcp-established traffic to several mbits/sec.

I think it shouldn't work, DDoS now use real IPs instead of spoofed IPs and each one don't use more than 20 times in 3 mins. Every connection is established, it's even very hard to block at our hardware firewall.

jsw6 · #15 05-20-2004, 09:48 AM

Quote:

Originally posted by nowisph
I think it shouldn't work, DDoS now don't use spoofed IPs, but real IPs and each one don't use more than 20 times in 3 mins.

The source address is not a factor. You or your provider will simply discard all traffic destined for one or more IP addresses which are under attack.

How to protect against DDoS flooding our uplink?

Sponsored Links

Advertise Here

Internet Services

Web Development

Digital Marketing

Consumer Tech