Forum OpenACS Q&A: DDoS attacks

15: DDoS attacks (response to 1)
Posted by Petru Paler on

Regarding the DDoS problem -- as the other folks pointed out, it's very hard (if not impossible) to fix completely.

I didn't look at the Arbornet stuff (ironically enough, their site is down), but here are a couple of things learned from experience (I live in Romania (which is among the top countries both originating DDoS attacks and being targeted by them) and I'm doing consulting for a local ISP).

First, there is a very easy and straightforward solution for stopping a DDoS attack. Unfortunately, it also isolates the target from the Internet. It's very simple and can be done either manually or automated: whenever a DDoS attack is detected (usually by noticing that the amount of inbound traffic is much higher than usual, and that the source IPs look random), observe the attacked IP and insert a null route for it (with a /32 BGP prefix) in your local routing table (this assumes you have your own AS, or that you have a cooperative ISP/colo provider). This will propagate very quickly (BGP is a fairly low-bandwidth protocol) and, in a matter of minutes, no one on the net will be able to reach the attacked IP -- all packets will be dropped by the first router with the full BGP routing table that they reach. This happens because routers always pick the most specific prefix, and your IP/32 is as specific as it gets. So, the attacker's flood drones will go on, but the packets will be dropped by their local ISP and no one else is affected. Except for your site of course, which stays down until you remove the null route.

To actually keep the site up, you need to have a couple of different locations (don't forget about distributed name servers!). How many? It depends on how badly people will want to take your site down. Most script kiddies can get enough flood drones to take down a 10MBps site. Not that many can take down a 100MBps site. Only a well-determined group can take and keep down 4 or 5 100MBps sites. Of course, this implies *totally* independent sites. For example, Exodus in CA and Exodus in NY don't count as two different sites because they are both in Exodus' routing AS, so if someone attacks their routing infrastructure (or, more likely, they screw up something), both servers will go down at the same time.

Depending on how much money you have, you might consider having servers in California, NYC or DC, London or Amsterdam, Hong Kong, Tokyo and Melbourne or Sydney. That would be 6, and it would be quite a challenge to DDoS all of them at the same time.
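The two mechanics the post above relies on, spotting a flood by its volume and its random-looking sources, and the fact that a /32 null route beats every less specific prefix, can be walked through in a small self-contained script. This is an added example, not code from the original post or from OpenACS; the flow records, baseline volumes, thresholds, addresses and the toy routing table are all constructed for illustration, and real routers would be told the same thing via a BGP announcement rather than a Python object.

```python
"""Added example (not from the original forum post): flag a volumetric flood
from flow-style records, then show why a /32 null route wins longest-prefix
matching. All records, baselines and thresholds are constructed."""
import ipaddress
from collections import defaultdict

# Constructed flow records: (src_ip, dst_ip, bytes). Documentation ranges only.
FLOWS = [
    ("198.51.100.7", "203.0.113.10", 4_000),   # ordinary client -> web server
    ("198.51.100.7", "203.0.113.10", 3_500),
    ("198.51.100.9", "203.0.113.20", 2_000),   # ordinary client -> mail server
] + [
    # the flood: many unrelated sources, each sending a little, all to one target
    (f"192.0.2.{i}", "203.0.113.10", 1_500) for i in range(1, 201)
]

# Constructed "normal" inbound bytes per destination for the same window.
BASELINE_BYTES = {"203.0.113.10": 10_000, "203.0.113.20": 5_000}


def find_flood_targets(flows, baseline, volume_factor=5, min_sources=50):
    """Return destinations whose inbound volume is far above baseline AND whose
    sources look random (many distinct source IPs). The two conditions are the
    ones the post names; the factors are constructed, not tuned guidance."""
    bytes_to = defaultdict(int)
    sources_to = defaultdict(set)
    for src, dst, nbytes in flows:
        bytes_to[dst] += nbytes
        sources_to[dst].add(src)
    targets = []
    for dst, total in bytes_to.items():
        # A destination with no baseline is never flagged by this heuristic.
        above_volume = total >= volume_factor * baseline.get(dst, total)
        random_sources = len(sources_to[dst]) >= min_sources
        if above_volume and random_sources:
            targets.append(dst)
    return sorted(targets)


class RoutingTable:
    """Toy forwarding table doing longest-prefix match like a router would."""

    def __init__(self):
        self.routes = []  # list of (ip_network, next_hop)

    def add(self, prefix, next_hop):
        self.routes.append((ipaddress.ip_network(prefix), next_hop))

    def withdraw(self, prefix):
        net = ipaddress.ip_network(prefix)
        self.routes = [(n, h) for n, h in self.routes if n != net]

    def lookup(self, ip):
        addr = ipaddress.ip_address(ip)
        matches = [r for r in self.routes if addr in r[0]]
        if not matches:
            return None
        # Most specific (longest) prefix wins; a /32 can never be outranked.
        return max(matches, key=lambda r: r[0].prefixlen)[1]


def null_route(table, ip):
    """Install the host-specific discard route the post describes."""
    table.add(f"{ip}/32", "null0")


def demo():
    """Detect the flooded host and blackhole only it, leaving its neighbours
    in the same /24 reachable. Returns the resulting table."""
    table = RoutingTable()
    table.add("203.0.113.0/24", "edge-router-1")  # the site's normal aggregate
    for target in find_flood_targets(FLOWS, BASELINE_BYTES):
        null_route(table, target)
    return table


if __name__ == "__main__":
    t = demo()
    for host in ("203.0.113.10", "203.0.113.20"):
        print(host, "->", t.lookup(host))
```

Running it shows the flooded web server resolving to `null0` while the mail server in the same /24 still forwards to `edge-router-1`; calling `withdraw("203.0.113.10/32")` restores the original path, which is the "remove the null route" step at the end of the post.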