nanog mailing list archives

Re: ddos attacks


From: Eugeniu Patrascu <eugen () imacandi net>
Date: Thu, 19 Dec 2013 22:51:19 +0200

On Thu, Dec 19, 2013 at 10:30 PM, dennis () justipit com <dennis () justipit com> wrote:

> Just about every security, network and ADC vendor out there is claiming
> anti-DoS capabilities. Be careful when going that route and do your own
> validation. I suggest looking at Radware and Arbor (both leaders in the
> market). To successfully mitigate an attack, the ideal solutions will weed
> out the attack and allow legitimate traffic to continue. Many of the
> solutions in the commercial market are not much more than rate limiters and
> are not very forgiving. Just as important, realize that while spoofed UDP
> floods are popular they are often only the first vector; if successfully
> mitigated, attackers quickly adjust and follow with more complex vectors
> such as application attacks toward HTTP, SSL, DNS query floods, etc.
> Remember their goal is to bring you down, divert your attention while
> they steal your data or perhaps transfer funds. They will go to great
> lengths to achieve their end result. As you can imagine it's much harder
> to identify the attack characteristics, or for that matter the attacker, in
> these more complex cases. In summary, I'm a firm believer in a hybrid
> approach with a combination of infrastructure ACLs, RTBH, QoS, uRPF, TCP
> stack hardening, local anti-DDoS appliances for application attacks and
> network floods under link capacity to allow you to stay up while deciding
> to shift routes into the cloud, and the ability to swing upstream to a cloud
> scrubbing center (in house or third party).


I know a bit about Radware, and what they do is learn a traffic pattern
(where traffic usually comes from), and when a certain threshold is exceeded
they start dropping traffic from new sources never seen before and then drop
some traffic from sources seen before. This works if you are a company
with a very localized visitor base (like the banking site of a certain national
or local bank, an e-shop and so on), but it doesn't scale that well
when you have people all over the place and you get DDoS-ed with
legitimate requests that only consume server resources.


What providers do in some regions is to blackhole your subnet if you reach
a certain number of packets per second. It sucks, but hey, they also have
infrastructure to protect.

Eugeniu
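The two behaviours described in this reply, a learn-then-drop-new-sources filter and a provider-side pps blackhole, as an added toy simulation. This is not Radware's code, nor anything posted in the thread; it models only what the message describes. The addresses (TEST-NET ranges), visitor counts, packet rates and the 500 pps threshold are constructed for the example.

```python
"""Toy model of baseline-learning DDoS mitigation and of a provider pps blackhole.

Constructed example: a filter learns which source addresses send traffic
in normal conditions. When a second of traffic exceeds a pps threshold it
first drops packets from never-seen sources, then, if still over the
threshold, sheds packets from known sources. A second function models an
upstream provider that blackholes the whole prefix once pps exceeds a limit,
dropping legitimate and attack traffic alike.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    legit: bool  # ground truth, used only to score the outcome


class BaselineSourceFilter:
    def __init__(self, pps_threshold: int) -> None:
        self.pps_threshold = pps_threshold
        self.known_sources: set[str] = set()

    def learn(self, second: list[Packet]) -> None:
        """Learning phase: remember every source seen during normal traffic."""
        for p in second:
            self.known_sources.add(p.src)

    def mitigate(self, second: list[Packet]) -> tuple[list[Packet], list[Packet]]:
        """Apply to one second of traffic; returns (passed, dropped)."""
        if len(second) <= self.pps_threshold:
            return list(second), []
        # Stage 1: drop everything from sources never seen while learning.
        passed = [p for p in second if p.src in self.known_sources]
        dropped = [p for p in second if p.src not in self.known_sources]
        # Stage 2: still over threshold, so shed known-source traffic too.
        if len(passed) > self.pps_threshold:
            dropped.extend(passed[self.pps_threshold:])
            passed = passed[: self.pps_threshold]
        return passed, dropped


def score(passed: list[Packet], dropped: list[Packet]) -> dict[str, int]:
    """Count how much legitimate and attack traffic ended up on each side."""
    return {
        "legit_passed": sum(p.legit for p in passed),
        "legit_dropped": sum(p.legit for p in dropped),
        "attack_passed": sum(not p.legit for p in passed),
        "attack_dropped": sum(not p.legit for p in dropped),
    }


def provider_blackhole(second: list[Packet], pps_limit: int) -> bool:
    """Upstream behaviour described in the thread: over the limit, the
    whole prefix is blackholed, so every packet (legit or not) is lost."""
    return len(second) > pps_limit


def normal_second() -> list[Packet]:
    # Constructed baseline: 50 regular visitors in 198.51.100.0/24, 2 pps each.
    return [Packet(f"198.51.100.{h}", True) for h in range(1, 51) for _ in range(2)]


def flood_second(new_region_visitors: int) -> list[Packet]:
    pkts = normal_second()
    # Legitimate visitors from a region never seen during learning.
    pkts += [Packet(f"203.0.113.{h}", True) for h in range(1, new_region_visitors + 1)]
    # Spoofed flood: 2000 pps from sources in 192.0.2.0/24 never seen before.
    pkts += [Packet(f"192.0.2.{h % 254 + 1}", False) for h in range(2000)]
    return pkts


def run_scenario(new_region_visitors: int, threshold: int = 500) -> dict[str, int]:
    """Learn on ten normal seconds, then mitigate one flood second."""
    f = BaselineSourceFilter(threshold)
    for _ in range(10):
        f.learn(normal_second())
    return score(*f.mitigate(flood_second(new_region_visitors)))


if __name__ == "__main__":
    print("localized visitor base:", run_scenario(0))
    print("visitors from a new region:", run_scenario(40))
    print("known sources alone over threshold:", run_scenario(0, threshold=50))
    print("provider blackhole engaged:", provider_blackhole(flood_second(0), 1000))
```

With a localized visitor base the filter drops all 2000 attack packets and no legitimate ones. Add 40 legitimate visitors from a region that was absent during learning and all 40 are dropped along with the flood, which is the scaling problem the reply points out. Lower the threshold so that known sources alone exceed it and the second stage starts shedding previously seen traffic as well.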

