nanog mailing list archives

Re: ddos attacks


From: Peter Phaal <peter.phaal () gmail com>
Date: Wed, 18 Dec 2013 14:31:26 -0800

Dan,

If you are using sFlow for your measurements, then you might want to take a
look at sFlow-RT for DDoS mitigation. The following case study describes how
sFlow and null routing are being used to mitigate flood attacks:

http://blog.sflow.com/2013/03/ddos.html

The analytics engine will detect flood attacks in less than a second and
you can use the embedded scripting API to initiate automated responses. The
following articles contain basic DDoS mitigation scripts - you just need to
replace the block() and allow() functions with calls to expect scripts,
OpenFlow rules, or REST API calls - whatever makes sense in your
environment.

http://blog.sflow.com/search/label/DoS

This is a commercial product, but it's free to try out (no registration
required):

http://inmon.com/products/sFlow-RT.php

Cheers,
Peter
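An added example (not code from Peter's post or from sFlow-RT itself) of the detect-then-act loop described above: per-destination packet rates estimated from constructed sFlow samples, a hysteresis threshold so the blackhole does not flap, and block()/allow() hooks that an operator would replace with their own RTBH trigger-route push, OpenFlow rule or REST call. The 198.51.100.0/24 addresses, the route tag 666 and the threshold values are assumptions chosen for illustration.

```python
"""Flood detection over sFlow samples with pluggable block()/allow() actions."""
from collections import defaultdict
from typing import Callable, Dict, List, Set, Tuple

# Constructed sFlow-style packet sample: (sampling_rate, dst_ip). Each sample
# stands for `sampling_rate` packets forwarded by the exporting router.
Sample = Tuple[int, str]


def estimate_pps(samples: List[Sample], window_s: float) -> Dict[str, float]:
    """Scale each sample by its sampling rate to estimate packets/s per destination."""
    pkts: Dict[str, int] = defaultdict(int)
    for rate, dst in samples:
        pkts[dst] += rate
    return {dst: n / window_s for dst, n in pkts.items()}


def rtbh_trigger_route(dst: str) -> str:
    """Placeholder block() payload: a constructed Cisco-style /32 static route to Null0
    on an RTBH trigger router. The tag, and how it maps to the upstream's blackhole
    community, are operator-specific assumptions, not values from the thread."""
    return f"ip route {dst} 255.255.255.255 Null0 tag 666"


class FloodDetector:
    """Per-destination pps threshold with hysteresis: block above block_pps, release
    only once the estimate drops below release_pps, so a fluctuating flood does not
    make the blackhole route flap."""

    def __init__(self, block: Callable[[str, float], None], allow: Callable[[str], None],
                 block_pps: float, release_pps: float, window_s: float = 1.0) -> None:
        if release_pps >= block_pps:
            raise ValueError("release threshold must sit below block threshold")
        self.block, self.allow = block, allow
        self.block_pps, self.release_pps, self.window_s = block_pps, release_pps, window_s
        self.blackholed: Set[str] = set()

    def process_window(self, samples: List[Sample]) -> Dict[str, float]:
        """Consume one measurement window; fire block()/allow() only on state changes."""
        rates = estimate_pps(samples, self.window_s)
        for dst, pps in rates.items():
            if pps > self.block_pps and dst not in self.blackholed:
                self.blackholed.add(dst)
                self.block(dst, pps)
        for dst in list(self.blackholed):  # copy: the set is mutated on release
            if rates.get(dst, 0.0) < self.release_pps:
                self.blackholed.discard(dst)
                self.allow(dst)
        return rates
```

Feeding process_window() one second of samples at a time from a collector is the integration point; the block()/allow() callables are where the Expect script, OpenFlow rule or REST call from Peter's note would go.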


On Wed, Dec 18, 2013 at 8:36 AM, Dan White <dwhite () olp net> wrote:

Can anyone recommend a vendor solution for DDOS mitigation? We are looking
for a solution that detects DDOS attacks from sflow information and
automatically announces BGP /32 blackhole routes to our upstream providers,
or a similar solution.

Thank You.


On 08/05/13 21:09 +1000, Ahad Aboss wrote:

Scott,

Use a DDOS detection and mitigation system with DPI capabilities to deal
with traditional DDOS attack and anomalous behaviour such as worm
propagation, botnet attacks and malicious subscriber activity such as
flooding and probing. There are only a few vendors who successfully play in
this space who provide a self healing/self defending system.

Cheers
Ahad
-----Original Message-----
From: sgraun () airstreamcomm net [mailto:sgraun () airstreamcomm net]
Sent: Friday, 2 August 2013 11:37 PM
To: nanog () nanog org
Subject: ddos attacks

I’m curious to know what other service providers are doing to
alleviate/prevent ddos attacks from happening in your network.  Are you
completely reactive and block as many addresses as possible or null0 traffic
to the affected host until it stops or do you block certain ports to prevent
them.  What’s the best way people are dealing with them?

Scott


--
Dan White



