Re: DDOS, IDS, RTBH, and Rate limiting

[Jon Lewis <jlewis () lewis org>]

On Sat, 8 Nov 2014, Miles Fidelman wrote:

> > Does anyone have any suggestions for mitigating these type of attacks?
>
> The phrase automated offensive cyber counter-attack has been coming to mind 
> rather frequently, of late.  I wonder if DARPA might fund some work in this 
> area. :-)

When you're being hit with one of the UDP reflection DDoS's, attacking the 
world in response isn't likely to work too well.

In theory, you could write something that takes flow data from your 
transit routers, and in either near or real time, looks at that data and 
triggers an RTBH route for any IP that is responsible for more than a 
certain defined threshold of inbound traffic.  In practice, it gets a 
little more complicated than that, as you'll likely want to whitelist some 
IPs and/or maybe be able to set different thresholds for different IPs. 
But it's not that complicated a problem to solve.  Have a default 
threshold, and a table of networks and thresholds.  Once a minute, look at 
the top X local destinations over the past minute.  For each one, check to 
see if it has a custom threshold.  If it doesn't, it gets the default. 
Then see if it's over its threshold.  If it is, generate an RTBH route and 
email your NOC.

The tricky part is when to remove the route...since you can't tell if the 
attack has ended while the target is black holed by your upstreams.

----------------------------------------------------------------------
 Jon Lewis, MCP :)           |  I route
                             |  therefore you are
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________