RE: DDoS auto-mitigation best practices (for eyeball networks)

[<frnkblk () iname com>]

99% of the attacks we see are gaming related -- somehow the other players
know the IP and then attack our customer for an advantage in the game, or
retribution.

Most DHCP servers (correctly) give the same IP address if the CPE is
rebooted.  Ours are one of those. =)

Frank

-----Original Message-----
From: Mehmet Akcin [mailto:mehmet () akcin net] 
Sent: Saturday, September 19, 2015 3:10 PM
To: Frank Bulk <frnkblk () iname com>
Cc: nanog () nanog org
Subject: Re: DDoS auto-mitigation best practices (for eyeball networks)

How does he/she become target? How does IP address gets exposed?

I guess simplest way is to reboot modem and hope to get new ip (or call n
request)

Mehmet 

> On Sep 19, 2015, at 12:54, Frank Bulk <frnkblk () iname com> wrote:
>
> Could the community share some DDoS auto-mitigation best practices for
> eyeball networks, where the target is a residential broadband subscriber?
> I'm not asking so much about the customer communication as much as
> configuration of any thresholds or settings, such as:
> - minimum traffic volume before responding (for volumetric attacks)
> - minimum time to wait before responding
> - filter percentage: 100% of the traffic toward target (or if volumetric,
> just a certain percentage)?
> - time before mitigation is automatically removed
> - and if the attack should recur shortly thereafter, time to respond and
> remove again
> - use of an upstream provider(s) mitigation services versus one's own
> mitigation tools
> - network placement of mitigation (presumably upstream as possible)
> - and anything else
>
> I ask about best practice for broadband subscribers on eyeball networks
> because it's different environment than data center and hosting
environments
> or when one's network is being used to DDoS a target.
>
> Regards,
>
> Frank