Transcript dos_nanog
DoS/DoS Detection and Mitigation Mujahid Khan [email protected] Three Parts to Dealing With a (D)DoS Attack: • Detection • Tracking • Mitigation Detection Limited Tools available to proactively monitor and report (D)DoS attacks Proactive detection comes with a price tag attached Different approaches to detection Inline detection passive tapping detectors Flow based detection IDS integration Most attacks are detected by sudden increase in bandwidth and resource utilization Need to identify DoS/DDoS attacks and eliminate false alarms – also need to classify attacks based on protocol and source address Detection Issues with detection ??? Tracking • Methods used to track the attack depends on the available features on the deployed infrastructure • Some of the issues with tracking the attack are: – Randomness of attacks – Distributed nature of the attacks – Address spoofing • Fast and wide deployment of the tracking scheme needed to track and mitigate attacks effectively – especially needed in case of a large number of sources for the attack • Some of the methods used to trace back the attack blackhole the the targeted victim – this could be a problem • Most current approaches for traceback are manual, therefore slow Mitigation • Most actions to mitigate involve putting filters – Usually away from the source and close to the ingress points to the network • Rate-limiting the attack • Sometime the targeted IP address is blackholed • uRPF has helped – please deploy where possible