nanog mailing list archives
Re: UDP port 80 DDoS attack
From: "dennis" <dennis () justipit com>
Date: Mon, 6 Feb 2012 07:22:38 -0500
The point is well taken that cloud scrubbing can be an essential component of mitigating a volumetric flood. However, it is important to note that DDOS attacks do not only consist of volumetric floods. Current attacks often incorporate a multi-vectored attack campaign including a combination of low and slow and application layer attacks on upper layer protocols, i.e., DNS & HTTP(s). These campaigns are designed to fly under the triggers of other flow based analysis (cloud scrubbing) protections in place today. As with any security protection, a layered approach is required in order to protect the perimeter from DDOS. In addition to the previous recommendations of ACL, uRPF, RTBH, CoPP, inspection of the full stack is required. The best protection today includes a detector capable of inspecting the full stack and signaling back to the cloud scrubbing station to swing the route if the attack becomes volumetric. The premises device should have techniques in order to challenge the source and counter the attack with intelligence. I'm aware of two vendors offering some of these capabilities today, Radware and Arbor.
--------------------------------------------------
From: "Keegan Holley" <keegan.holley () sungard com>
Sent: Sunday, February 05, 2012 8:37 PM
To: "Dobbins, Roland" <rdobbins () arbor net>
Cc: "NANOG Group" <nanog () nanog org>
Subject: Re: UDP port 80 DDoS attack
2012/2/5 Dobbins, Roland <rdobbins () arbor net>

> On Feb 6, 2012, at 8:10 AM, Keegan Holley wrote:
>
> > An entire power point just to recommend ACL's, uRPF, CPP, DHCP snooping, and RTBH?
>
> Actually, no, that isn't the focus of the preso.
>
> > The first four will not work against a DDOS attack
>
> This is incorrect - suggest you read the preso.

The ACL's are configured on the routers belonging to the victim AS which will not save their access pipe if it's overrun unless I'm missing something. uRPF may help with spoofed traffic, but sometimes causes problems with multi-homing and is often more harmful than helpful depending on the network design.

> > and the last one just kills the patient so he does not infect other patients.
>
> S/RTBH - as opposed to D/RTBH - doesn't kill the patient. Again, suggest you read the preso.

Source RTBH often falls victim to rapidly changing or spoofed source IPs. It also isn't as widely supported as it should be. I never said DDOS was hopeless, there just aren't a wealth of defenses against it.
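The S/RTBH versus D/RTBH trade-off argued in the exchange above, as an added toy simulation that is not part of the thread: it shows D/RTBH dropping the victim's legitimate clients along with the flood, and S/RTBH holding up against a fixed set of attacking hosts but letting most of a spoofed, source-rotating flood through once the blackhole list lags behind the attack. All addresses and the packet stream are constructed; the detector's "window" is an assumption standing in for how much of the attack had been seen when the source routes were injected.

```python
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed addresses: victim in TEST-NET-3, legit clients in TEST-NET-2,
# attackers in TEST-NET-1 (fixed mode) or 100.64.0.0/10 (spoofed mode).
VICTIM_IP = "203.0.113.10"
VICTIM_NET = ip_network("203.0.113.10/32")

def make_traffic(n_attack=100, n_legit=10, spoofed=False):
    """Constructed (src, dst, is_attack) stream. Fixed mode cycles five attacking
    hosts; spoofed mode gives every attack packet a fresh source address."""
    assert n_attack <= 256, "one octet of constructed sources is enough here"
    attack = [(f"192.0.2.{i % 5 + 1}" if not spoofed else f"100.64.0.{i}",
               VICTIM_IP, True) for i in range(n_attack)]
    legit = [(f"198.51.100.{i}", VICTIM_IP, False) for i in range(1, n_legit + 1)]
    return attack + legit

def snapshot_sources(stream, window):
    """Sources the detector had seen when the S/RTBH routes were injected: only
    the first `window` attack packets, because the blackhole list is not live."""
    attack_srcs = [src for src, _, is_attack in stream if is_attack]
    return set(attack_srcs[:window])

def d_rtbh(src, dst):
    """Destination-based RTBH: the victim prefix is null-routed, so every packet
    addressed to it is dropped, legitimate clients included."""
    return ip_address(dst) not in VICTIM_NET

def s_rtbh(blackholed):
    """Source-based RTBH: only packets from already-blackholed sources are dropped."""
    return lambda src, dst: src not in blackholed

def forward(stream, policy):
    """Return (legit_forwarded, attack_forwarded) under policy(src, dst) -> bool."""
    seen = Counter()
    for src, dst, is_attack in stream:
        if policy(src, dst):
            seen["attack" if is_attack else "legit"] += 1
    return seen["legit"], seen["attack"]

def compare(spoofed, window=20):
    """Run both policies over one constructed attack; report what got through and
    how many blackhole entries S/RTBH needed."""
    stream = make_traffic(spoofed=spoofed)
    blackholed = snapshot_sources(stream, window)
    return {"d_rtbh": forward(stream, d_rtbh),
            "s_rtbh": forward(stream, s_rtbh(blackholed)),
            "blackholed_entries": len(blackholed)}
```

With fixed sources `compare(False)` shows S/RTBH passing all legitimate traffic with five entries, while `compare(True)` shows the spoofed flood mostly surviving a 20-entry list; D/RTBH blocks everything in both cases, which is the "kills the patient" outcome.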