[c-nsp] DDoS Attack detection and elimination suggestions

Lee Starnes lee.t.starnes at gmail.com
Fri Apr 1 02:02:37 EDT 2011


Thanks Mikael. Sorry about the direct reply. Should have done a cc.

-Lee

On Thu, Mar 31, 2011 at 10:55 PM, Mikael Abrahamsson <swmike at swm.pp.se> wrote:

> On Thu, 31 Mar 2011, Lee Starnes wrote:
>
> You should send this to the list... but here goes part of the answer. I am
> not very interested in continuing this offlist, as nobody else will learn
> anything.
>
> But what you want to configure in your routers is this:
>
> http://www.linux.it/~md/text/blackholing.html
>
> That will drop all traffic to the blackholed IP.
>
> How you trigger this blackhole is another matter.
>
>
>> Thanks Mikael. I'm not really concerned about keeping the attacked
>> machine(s) up during an attack. I guess what I am more interested in, is
>> keeping all the rest of the network from being impacted. Better to have one
>> customer down than 1 thousand customers. Since DoS attacks are going to
>> happen from time to time and they are usually not going to be the same, I
>> don't see how it can be prevented. Just want to be able to identify and end
>> it or at least minimize the impact as quickly as possible.
>>
>> -Lee
>>
>>
>>
>> On Thu, Mar 31, 2011 at 10:30 PM, Mikael Abrahamsson <swmike at swm.pp.se> wrote:
>>
>>> On Thu, 31 Mar 2011, Lee Starnes wrote:
>>>
>>>> I'm looking for pointers on how to best detect DDoS attacks and best
>>>> practices for stopping one once identified.
>>>>
>>>>
>>> If you define what is being attacked and how, and what you would like to
>>> happen for it to be "stopped", you can probably get a better answer.
>>>
>>> Stopping a DDOS against infrastructure (often a packets/second problem) is
>>> one thing, trying to mitigate a DDOS SYN-flood against a web-server you want
>>> to continue working is another thing.
>>>
>>> --
>>> Mikael Abrahamsson    email: swmike at swm.pp.se
>>>
>>>
>>
> --
> Mikael Abrahamsson    email: swmike at swm.pp.se
>

