Re: DDOS, IDS, RTBH, and Rate limiting

[Trent Farrell <tfarrell () riotgames com>]

I wouldn't have suggested it if I hadn't successfully made these requests
myself. Most attacks don't last long enough to put a dent on billing so
it's in everyone best interest to cull it quickly.

Providing the upstream network is big enough and your attacks aren't huge
pipefills, they will usually place the acl on your customer port first,
which in those cases should be enough.

For smaller attacks you can try to drop at your router/absorb
it/ scrub it inside your border if you have the kit - but anything
significant like the NTP reflection attacks earlier in the year, you come
up against the "bandwidth arms race" problem.

There are services out there like Prolexic/Black Lotus offer where they can
scrub traffic for you, but I've never used one first hand so can't comment.

On Saturday, November 8, 2014, Jon Lewis <jlewis () lewis org> wrote:

> How many holes are you going to stick fingers in to stop the flows?  Good
> luck getting your provider to put in such a filter and make it anything
> more than temporary...and then there's still DNS, NTP, SNMP, and other
> protocols an attacker can easily utilize when they find that chargen isn't
> getting the job done.
>
> On Sat, 8 Nov 2014, Trent Farrell wrote:
>
>  A quick and dirty win is to get your upstream(s) to kill anything UDP 19
> > to
> > your prefixes at their ingress points if it becomes a common thing. You
> > lose visibility as to when you're getting targeted by that type of attack
> > again though, which could matter depending on your network.
> >
> >
> > On Saturday, November 8, 2014, Jon Lewis <jlewis () lewis org> wrote:
> >
> >  On Sat, 8 Nov 2014, Miles Fidelman wrote:
> > >  Does anyone have any suggestions for mitigating these type of attacks?
> > >
> > > > >
> > > > The phrase automated offensive cyber counter-attack has been coming to
> > > > mind rather frequently, of late.  I wonder if DARPA might fund some
> > > > work in
> > > > this area. :-)
> > > When you're being hit with one of the UDP reflection DDoS's, attacking
> > > the
> > > world in response isn't likely to work too well.
> > >
> > > In theory, you could write something that takes flow data from your
> > > transit routers, and in either near or real time, looks at that data and
> > > triggers an RTBH route for any IP that is responsible for more than a
> > > certain defined threshold of inbound traffic.  In practice, it gets a
> > > little more complicated than that, as you'll likely want to whitelist
> > > some
> > > IPs and/or maybe be able to set different thresholds for different IPs.
> > > But
> > > it's not that complicated a problem to solve.  Have a default threshold,
> > > and a table of networks and thresholds.  Once a minute, look at the top X
> > > local destinations over the past minute.  For each one, check to see if
> > > it
> > > has a custom threshold.  If it doesn't, it gets the default. Then see if
> > > it's over its threshold.  If it is, generate an RTBH route and email your
> > > NOC.
> > >
> > > The tricky part is when to remove the route...since you can't tell if the
> > > attack has ended while the target is black holed by your upstreams.
> > >
> > > ----------------------------------------------------------------------
> > >  Jon Lewis, MCP :)           |  I route
> > >                              |  therefore you are
> > > _________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
> >
> > --
> >
> > *Trent Farrell*
> >
> > *Riot Games*
> >
> > *IP Network Engineer*
> >
> > E: tfarrell () riotgames com | IE:  +353 83 446 6809 | US: +1 424 285 9825
> >
> > Summoner name: Foro
> ----------------------------------------------------------------------
>  Jon Lewis, MCP :)           |  I route
>                              |  therefore you are
> _________ http://www.lewis.org/~jlewis/pgp for PGP public key_________


-- 

*Trent Farrell*

*Riot Games*

*IP Network Engineer*

E: tfarrell () riotgames com | IE:  +353 83 446 6809 | US: +1 424 285 9825

Summoner name: Foro