DDoS Mitigation Techniques

[phishphreek]

I read a pretty nice article this morning on Security Focus's site dealing with the mitigation of DDoS.

It proved to be very informative and I learned a lot.

Maybe some of you can also use it.

Read it HERE.

[phaza7]

8-] that was some great reading!

Would love if U found other informative posts to let AO members know
thanz again, phishphreek

[Networker]

Thanks to enlite that article,

but I'll be a little more pessimistic than the author!
In my sense a company has no way to portect against DDOS attacks (DrDOS attacks are even worth)!!!

The only utopic way to eradicate DDOS attacks is relying on the 2 followings internet involvment:
1- All dummies with permanent ADSL connexion protect their computer agianst zombies (firewall + anti virii),
2- all ISP in the world invest on firewall and probes for each PE routeurs, in order to prevent IP spoofing from their customer computer and have a real time attack tracking system.

I do not fully agrre with the author on the folowing points:
1- Identifying DDOS attack
sniffing your internet connection will give some type of frame used for the attack, but once you did convince the ISP (& it is hard to achieve even more during the WE) to filter that type of frame, you'll discover that the attack continue with an other type of frame.
indeed, the attack could rely on many floods but only 1 or 2 may be enough to saturate the link the others dropped by the ISP egress interface.
Therefore it is not that easy!

2-Tracking the attacker
DDOS attack: Then this one is using Zombies unless if you manage to compromise a Zombie you won't have any chance to get the attacker

DrDOS attack (syn attacks by reflection, syn packets with victim source adress are directed to a server on the net this one will acknowledge the connection to the victim - that ask nothing in reality): ISP tracking will help to find a Zombie that's all, provided a real time collaboration between all ISPs.
A clever an very malicious attacker will own a several hundred (thousand) zombies. he/she will use pools of zombie in a cyclic way e.g. Let's say the attacker own 1000 zombies during 10 minutes he/she will generate syn flood traffic from 300 zombies to the victim (via the reflector) the next 10 minutes from 200 others zombies .... And the cyclic could be worth by changing the type of SYN flood attack each time.
Therefore it is very difficult to identify & filter the attacker traffic.

3- Black Hole filtering
This technique is based on routing, ISP decide with the victim to redirect (thanks to a static route with the lower metric 1) to a router were the malicious traffic is harmless. But no more traffic (legal or not) is routed to the victim. The victim is kicked out from the internet. It was already kicked off anyway.
In my opinion this technique is usefull to help ISP to know from which gateways/PE traffic is coming (costumer & other ISP) and then drop on those PE the traffic at victim destination. Therefore legal traffic coming from a border router not polluted with malicious traffic will reach the victim and services could be garanted during the attack.

These crashing attacks could be the death of the internet as we know it. (People like john Crowcroft are working on TCP enhancement to add authentication connection and traffic predictibility, I heard that CISCO is investing as well on such subject)