nanog mailing list archives

Re: DDOS, IDS, RTBH, and Rate limiting

From: Trent Farrell <tfarrell () riotgames com>
Date: Sat, 8 Nov 2014 19:32:32 -0800

A quick and dirty win is to get your upstream(s) to kill anything UDP 19 to
your prefixes at their ingress points if it becomes a common thing. You
lose visibility as to when you're getting targeted by that type of attack
again though, which could matter depending on your network.


On Saturday, November 8, 2014, Jon Lewis <jlewis () lewis org> wrote:

On Sat, 8 Nov 2014, Miles Fidelman wrote:

 Does anyone have any suggestions for mitigating these type of attacks?


The phrase automated offensive cyber counter-attack has been coming to
mind rather frequently, of late.  I wonder if DARPA might fund some work in
this area. :-)


When you're being hit with one of the UDP reflection DDoS's, attacking the
world in response isn't likely to work too well.

In theory, you could write something that takes flow data from your
transit routers, and in either near or real time, looks at that data and
triggers an RTBH route for any IP that is responsible for more than a
certain defined threshold of inbound traffic.  In practice, it gets a
little more complicated than that, as you'll likely want to whitelist some
IPs and/or maybe be able to set different thresholds for different IPs. But
it's not that complicated a problem to solve.  Have a default threshold,
and a table of networks and thresholds.  Once a minute, look at the top X
local destinations over the past minute.  For each one, check to see if it
has a custom threshold.  If it doesn't, it gets the default. Then see if
it's over its threshold.  If it is, generate an RTBH route and email your
NOC.

The tricky part is when to remove the route...since you can't tell if the
attack has ended while the target is black holed by your upstreams.

----------------------------------------------------------------------
 Jon Lewis, MCP :)           |  I route
                             |  therefore you are
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________



-- 

*Trent Farrell*

*Riot Games*

*IP Network Engineer*

E: tfarrell () riotgames com | IE:  +353 83 446 6809 | US: +1 424 285 9825

Summoner name: Foro

Current thread:

DDOS, IDS, RTBH, and Rate limiting Eric C. Miller (Nov 08)
- Re: DDOS, IDS, RTBH, and Rate limiting Miles Fidelman (Nov 08)
  - Re: DDOS, IDS, RTBH, and Rate limiting Jon Lewis (Nov 08)
    - Re: DDOS, IDS, RTBH, and Rate limiting Roland Dobbins (Nov 08)
    - Re: DDOS, IDS, RTBH, and Rate limiting Jon Lewis (Nov 08)
    - Re: DDOS, IDS, RTBH, and Rate limiting Roland Dobbins (Nov 08)
    - Re: DDOS, IDS, RTBH, and Rate limiting Miles Fidelman (Nov 09)
    - Re: DDOS, IDS, RTBH, and Rate limiting Matt Palmer (Nov 08)
    - Re: DDOS, IDS, RTBH, and Rate limiting Trent Farrell (Nov 08)
    - Re: DDOS, IDS, RTBH, and Rate limiting Jon Lewis (Nov 08)
    - Re: DDOS, IDS, RTBH, and Rate limiting Trent Farrell (Nov 08)
- Re: DDOS, IDS, RTBH, and Rate limiting Tim Raphael (Nov 08)
- RE: DDOS, IDS, RTBH, and Rate limiting Frank Bulk (Nov 08)
  - Re: DDOS, IDS, RTBH, and Rate limiting Roland Dobbins (Nov 08)
    - RE: DDOS, IDS, RTBH, and Rate limiting Frank Bulk (Nov 08)
    - Re: DDOS, IDS, RTBH, and Rate limiting Roland Dobbins (Nov 08)
    - Re: DDOS, IDS, RTBH, and Rate limiting joel jaeggli (Nov 08)
    - RE: DDOS, IDS, RTBH, and Rate limiting Frank Bulk (Nov 08)
- Re: DDOS, IDS, RTBH, and Rate limiting Roland Dobbins (Nov 08)

(Thread continues...)