Monday, February 9, 2004

Avoiding DDoS Attacks

ComputerWorld (AU) has an article that discusses the options for avoiding known attacks, with commentary on the approaches Microsoft and SCO have taken during the current MyDoom attack.

One thing the article does not talk about is the measures that the "sending" service providers (the ones whose customers' infected machines are generating the attack traffic) can take. These are varied and numerous. Most involve knowing what your normal traffic looks like as a service provider, so that abnormal traffic stands out (i.e., network "flow" metrics); that baseline has to be collected before the attack, not during it. Some involve sniffers (a temporary Snort box works wonders for a specific, well-characterized attack such as MyDoom). Still others involve log file review (a web-based DDoS showing up in proxy logs? Naw!). A lot of it depends on how your network is configured.
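As an added example of the log review and baseline idea above (this is not code from the post or from any of the products it mentions), the script below compares a window of Squid-style proxy log lines against a known-normal window and flags any destination that suddenly draws a burst of requests from many distinct internal clients, which is how a worm-driven HTTP flood looks from the sending side. The log lines, the `10.0.0.x` client addresses, the `www.example.*` destinations and the thresholds (`factor`, `min_sources`, `floor`) are all constructed for the demonstration and are not real traffic or recommended values.

```python
"""Flag outbound HTTP floods in proxy logs by comparing a current window
against a known-normal baseline window of the same duration.
Added example for illustration; the data below is constructed."""
from collections import defaultdict
from urllib.parse import urlsplit


def parse_line(line):
    """Parse one Squid native access.log line:
    timestamp elapsed client code/status bytes method URL user hier/peer type
    Returns a dict or None for lines that do not fit the format."""
    fields = line.split()
    if len(fields) < 7:
        return None
    try:
        ts = float(fields[0])
    except ValueError:
        return None
    url = fields[6]
    if "://" in url:
        host = urlsplit(url).hostname
    else:
        # CONNECT requests are logged as host:port with no scheme
        host = url.split(":")[0].lower()
    if not host:
        return None
    return {"ts": ts, "client": fields[2], "method": fields[5], "host": host}


def summarize(lines):
    """Per destination host: request count and the set of distinct clients."""
    counts = defaultdict(int)
    clients = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed lines rather than abort the review
        counts[rec["host"]] += 1
        clients[rec["host"]].add(rec["client"])
    return counts, clients


def detect_floods(baseline_lines, current_lines, factor=10, min_sources=3, floor=20):
    """Return {host: (current_count, distinct_sources, baseline_count)} for every
    host whose request count in the current window is at least `factor` times
    its baseline count (or at least `floor` if it never appeared in the baseline)
    AND comes from at least `min_sources` distinct internal clients.
    The distinct-source test is what separates a worm-driven flood from one
    user hammering a site."""
    base_counts, _ = summarize(baseline_lines)
    cur_counts, cur_clients = summarize(current_lines)
    flagged = {}
    for host, n in cur_counts.items():
        expected = base_counts.get(host, 0)
        threshold = max(floor, factor * expected)
        if n >= threshold and len(cur_clients[host]) >= min_sources:
            flagged[host] = (n, len(cur_clients[host]), expected)
    return flagged


def make_lines(start_ts, clients, host, per_client, method="GET"):
    """Build constructed Squid-style log lines (not real traffic)."""
    out, t = [], start_ts
    for c in clients:
        for _ in range(per_client):
            out.append(f"{t:.3f} 120 {c} TCP_MISS/200 512 {method} "
                       f"http://{host}/index.html - DIRECT/203.0.113.10 text/html")
            t += 0.01
    return out


# Constructed "normal" window: two clients browsing two sites.
BASELINE = (make_lines(1076300000.0, ["10.0.0.5", "10.0.0.9"], "www.example.com", 5)
            + make_lines(1076300001.0, ["10.0.0.5"], "www.example.net", 2))

# Constructed "attack" window: the same browsing plus twelve infected hosts
# each firing ten requests at a site the baseline never saw.
INFECTED = [f"10.0.0.{n}" for n in range(20, 32)]
CURRENT = (make_lines(1076300060.0, ["10.0.0.5", "10.0.0.9"], "www.example.com", 5)
           + make_lines(1076300061.0, ["10.0.0.5"], "www.example.net", 3)
           + make_lines(1076300062.0, INFECTED, "www.example.org", 10))

if __name__ == "__main__":
    for host, (n, srcs, base) in detect_floods(BASELINE, CURRENT).items():
        print(f"FLOOD? {host}: {n} requests from {srcs} clients (baseline {base})")
```

The `floor` parameter is a compromise: a destination the baseline never saw has no expected count, so some absolute minimum is needed, and a newly popular site will trip it. In practice you would widen the baseline window, or treat the flagged list as a prompt to look at the offending clients (the `cur_clients` sets) rather than as an automatic block.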

In any case, while the victim's business model may demand that "something be done" to provide continuity, it is also your responsibility as a service provider to monitor your network and take corrective (or preventive) measures against attack traffic that originates from it.

Then again, it may be in the best interest of your current business model to appear to be the victim and periodically fall off the net (*cough* Santa *cough* Claus *cough* Online *cough*).