Last night, we got hit by a ~3 Gbps DDoS attack. It's been a while since
this has happened to us, so I'd like to make sure I'm still up on the
state of the art.

Is there anything more to be done than the following?
     1. Identify the victim.
     2. Null route the victim.
     3. Propagate the null route to your upstreams (via BGP, if
        supported, otherwise a phone call to their NOC).
     4. Move the victim to a new IP.


To avoid participating in at least some classes of DDoS attacks, we:
      * long ago implemented uRPF (and/or similar ACLs) to block spoofed
        outbound packets, as recommended by BCP 38 (RFC 2827).
      * ensured our NTP servers (and any NTP servers of our customers)
        are not responding to monlist queries. The openntpproject.org
        website is useful here. They list vulnerable NTP servers by IP
        range, or you can get all NTP servers by AS (replace YOUR_AS
        with your AS, and optionally, add &csv=1) and then query with
        ntpdc -n -c monlist IP:
        http://openntpproject.org/searchby-asn.cgi?search_asn=YOUR_AS
      * just this week started addressing customers with open DNS
        resolvers, which can also be used in amplification attacks:
        http://openresolverproject.org/searchby-asn.cgi?search_asn=YOUR_AS

Is there anything else we should be doing?

-- 
Richard
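The first two steps of the procedure above (identify the victim, null route it) as an added example, not code from the original post: it summarises constructed flow records per destination, flags any host inside the network's own prefixes whose inbound rate crosses a threshold, and emits a /32 host route to Null0. The flow record shape, the 1 Gbps threshold, the 203.0.113.0/24 prefix and the Cisco IOS static-route syntax are assumptions.

```python
import ipaddress
from collections import defaultdict

# Assumed: prefixes this network originates. Only hosts inside them are
# candidates for a null route, so a transit destination is never blackholed.
OWN_PREFIXES = [ipaddress.ip_network("203.0.113.0/24")]

# Constructed sample flow records: (dst_ip, bytes, interval_seconds), as an
# exporter summarising traffic per destination over 10 s windows might give.
SAMPLE_FLOWS = [
    ("203.0.113.10", 3_750_000_000, 10),  # ~3 Gbps towards one host
    ("203.0.113.11", 25_000_000, 10),     # ~20 Mbps, normal
    ("203.0.113.12", 12_500_000, 10),     # ~10 Mbps, normal
    ("203.0.113.10", 3_800_000_000, 10),  # second window, same victim
    ("198.51.100.5", 5_000_000_000, 10),  # busy, but not our address space
]


def rate_by_destination(flows):
    """Return the average inbound rate in Mbps per destination address."""
    total_bytes = defaultdict(int)
    total_secs = defaultdict(int)
    for dst, nbytes, secs in flows:
        total_bytes[dst] += nbytes
        total_secs[dst] += secs
    return {dst: total_bytes[dst] * 8 / total_secs[dst] / 1e6
            for dst in total_bytes}


def identify_victims(flows, threshold_mbps=1000.0):
    """Step 1: own-prefix destinations whose rate is at or above the threshold."""
    rates = rate_by_destination(flows)
    victims = []
    for dst in sorted(rates):
        if rates[dst] < threshold_mbps:
            continue
        addr = ipaddress.ip_address(dst)
        if any(addr in net for net in OWN_PREFIXES):
            victims.append(dst)
    return victims


def null_route_commands(victims):
    """Step 2: one /32 static route to Null0 per victim (host route only, so
    neighbouring addresses keep working). Cisco IOS syntax is assumed."""
    return [f"ip route {ip} 255.255.255.255 Null0" for ip in victims]


if __name__ == "__main__":
    for line in null_route_commands(identify_victims(SAMPLE_FLOWS)):
        print(line)
```

The same per-destination aggregation works on real NetFlow/sFlow exports once the records are mapped to (dst, bytes, seconds) tuples; propagating the route to an upstream (step 3) depends on that provider's blackhole community and is not shown.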
