Re: DDOS solution recommendation

[Mike Hammett <nanog () ics-il net>]

So the preferred alternative is to simply do nothing at all? That seems fair. 




----- 
Mike Hammett 
Intelligent Computing Solutions 
http://www.ics-il.com 



----- Original Message -----

From: "Christopher Morrow" <morrowc.lists () gmail com> 
To: "Brandon Ross" <bross () pobox com> 
Cc: "Mike Hammett" <nanog () ics-il net>, "NANOG list" <nanog () nanog org> 
Sent: Monday, January 12, 2015 3:05:14 PM 
Subject: Re: DDOS solution recommendation 

On Mon, Jan 12, 2015 at 3:17 PM, Brandon Ross <bross () pobox com> wrote: 
> On Sun, 11 Jan 2015, Mike Hammett wrote: 
>
> > I know that UDP can be spoofed, but it's not likely that the SSH, mail, 
> > etc. login attempts, web page hits, etc. would be spoofed as they'd have to 
> > know the response to be of any good. 
>
>
> Okay, so I'm curious. Are you saying that you do not automatically block 
> attackers until you can confirm a 3-way TCP handshake has been completed, 
> and therefore you aren't blocking sources that were spoofed? If so, how are 
> you protecting yourself against SYN attacks? If not, then you've made it 
> quite easy for attackers to deny any source they want. 

this all seems like a fabulous conversation we're watching, but really 
.. if someone wants to block large swaths of the intertubes on their 
systems it's totally up to them, right? They can choose to not be 
functional all they want, as near as I can tell... and arguing with 
someone with this mentality isn't productive, especially after several 
(10+? folk) have tried to show and tell some experience that would 
lead to more cautious approaches. 

If mike wants less packets, that's all cool... I'm not sure it's 
actually solving anything, but sure, go right ahead, have fun. 

-chris