Re: handling ddos attacks

From: P.Schroebel (no email)
Date: Thu May 20 2004 - 22:04:58 EDT


----- Original Message -----
From: "Paul Vixie" <>
To: <>
Sent: Thursday, May 20, 2004 9:48 PM
Subject: Re: handling ddos attacks

>
> (Mark Kent) writes:
>
> > I've been trying to find out what the current BCP is for handling ddos
> > attacks. Mostly what I find is material about ... But I don't care
> > about most of that. I care that a gazillion pps are crushing our border
> > routers (7206/npe-g1).
> >
> > Other than getting bigger routers, is it still the case that the best
> > we can do is identify the target IP (with netflow, for example) and
> > have upstreams blackhole it?
>
> that seems hardly worthwhile. ddos is astonishingly easier to launch than
> to defend against. if you stop a flow the attacker *might* get bored and
> decide to do something else, but they could also decide to attack you from
> a different direction, or wait two days and do it all over again, and every
> time they attack and you defend it's 10 minutes of their time and 10 hours
> of yours.
>
> far better to involve law enforcement and get some bad guys arrested, if
> you possibly can. this changes your costs from 10 hours to 15 hours but it
> actually puts some chips on the table and makes the game worthwhile.
> --
> Paul Vixie

Hey Paul!

OK, I'll buy that right now; we have a DDoS attack on our core nameservers
from 66.165.10.24. Where do we start? Do I call the police in Bellingham or
the Washington State Police? We have blocked their IPs, but we know they will
come in another way.

Peter

OrgName: Western Washington University
OrgID: WWU
Address: Computer Center
Address: 516 High Street
City: Bellingham
StateProv: WA
PostalCode: 98225
Country: US

NetRange: 66.165.0.0 - 66.165.31.255
CIDR: 66.165.0.0/19
NetName: WWU-RESIDENT-1
NetHandle: NET-66-165-0-0-2
Parent: NET-66-165-0-0-1
NetType: Reassigned
NameServer: VIKING.WWU.EDU
NameServer: HENSON.CC.WWU.EDU
Comment:
RegDate: 2002-08-15
Updated: 2002-08-15

TechHandle: JSW12-ARIN
TechName: Williams, J. Scott
TechPhone: +1-360-650-2868
TechEmail:







