[Dshield] How do you prepare for or fight against a DDOS?

Johannes B. Ullrich jullrich at sans.org
Mon Feb 16 22:12:56 GMT 2004

> First how does one prepare for and/or fight a DDOS? Since this seems to be
> the evil of choice lately I was wondering what others (those more
> experienced than I) would do.

Couple ways to do it:

(1) look at your network infrastructure. Make sure "DDoS magnets"
and critical elements are seperate. For example, if you maintain
a public website, colocate it at some off-site facility. So if it
gets DDoS'ed, your corporate network is still up (this may not be
an option for everybody).

(2) get redundant connectivity, and if possible the ability to provision
more bandwidth on short notice (this can get expensive).

(3) know who to call. Defending against a DDoS requires close
cooperation with your upstream provider. Know ahead of time who your
point of contact is and how to report the DDoS.

(4) watch your network. The most important thing about a DDoS is to
identify the traffic. You can't do this if the first time you turn
on tcpdump is after the DDoS started. You have to know what kind of
traffic you have on your network during "peace time" to quickly identify
malicious traffic.

In the end, it will come down to "outbuying" the attacker. You will have
to decide how much it is worth to keep the side up vs. just rolling
over and shutting down for a day. Make this decision ahead of time, so
you don't have to make it under fire.

For a web site, colocating it in a well connected data center will beat
any DDoS mitigation you may be able to do "at home" on a couple of T1
circuits. Just make sure that the staff at the colocation site is
clueful. Many of the better ISPs will offer special anti-DDoS mitigation
plans. They may be a good option for you but read the SLA careful.


CTO SANS Internet Storm Center               http://isc.sans.org
phone: (617) 837 2807                          jullrich at sans.org 

contact details: http://johannes.homepc.org/contact.htm
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
Url : http://www.dshield.org/pipermail/list/attachments/20040216/2a9f6642/attachment.bin

More information about the list mailing list