Re: Over a decade of DDOS--any progress yet?

[Jack Bates <jbates () brightok net>]

On 12/8/2010 9:52 AM, Dobbins, Roland wrote:
> On Dec 8, 2010, at 10:47 PM, Arturo Servin wrote:
>
> >         But even for simple flood attacks, I still think that the target has very few defence mechanisms, and those 
> > that exists require a complex coordination with upstreams.
>
>
> This is demonstrably incorrect.
+1

For IPs that don't matter, automated /32 blackholes are usually 
supported by most providers. For critical infrastructure, I've not had a 
problem with the security/abuse/noc departments working with me to 
resolve the issue.

The first step to DOS mitigation is being able to shut down the attack 
vector. If they hit an IP, shut it down, let the 50 other distributed 
systems take care of it.

It's all a matter of perspective, and it has to be handled on a case by 
case basis. I had a dialup modem bank IP get DOS's due to a customer off 
it. Well, the modem bank itself doesn't need to talk to the outside 
world (outside of traceroutes), so a quick blackhole of it stopped the 
DDOS (which was a small 300mb/s).

I've talked with several providers who will gladly redirect a subset of 
IP's through their high end filters, so in event of DOS, I can drop that 
/24 down to 1 transit peer, have them redirect it through their filter 
servers, and get clean traffic back to my network.


Jack