nanog mailing list archives

RE: DDOS solution recommendation


From: David Hofstee <david () mailplus nl>
Date: Mon, 12 Jan 2015 09:29:59 +0100

Hi Mike, 

About trying to hit the mail ports... It is very easy for a domain to set its MX to a random host name. So before you 
block you might want to check the To-domain in the header of the mail. Otherwise it is too easy to DoS yourself (by 
planting email addresses in systems, such as mine, and then changing the MX of that domain to your hosts).



David Hofstee

Deliverability Management
MailPlus B.V. Netherlands (ESP)


-----Original Message-----
From: NANOG [mailto:nanog-bounces () nanog org] On Behalf Of Mike Hammett
Sent: Sunday, January 11, 2015 2:46 PM
To: Roland Dobbins
CC: nanog () nanog org
Subject: Re: DDOS solution recommendation

Well there's going to be two sources of the attack... infested clients or machines set up for this purpose (usually in a 
datacenter somewhere). Enough people blackhole the attacking IPs, those IPs are eventually going to have a very limited 
view of the Internet. They may not care if it's a server in a datacenter being used to attack, but an infested home PC 
would care once they can't get to Google, FaceBook, Instagram, whatever. 

If the attacker's abuse contact doesn't care, then, by the brute force of more and more of the Internet being offline to 
them, they'll figure it out. 

You hit my honeypot IPs, blackholed for 30 days. You do a DNS request to my non-DNS servers, blackholed for 30 days. 
Same goes for NTP, mail, web, etc. You have more than say 5 bad login attempts to my mail server in 5 minutes, 
blackholed for 30 days. You're trying to access various web pages known for home router or Wordpress exploitation, 
blackholed for 30 days. 

No point in letting troublemakers (manual or scripted) spend more time on the network than necessary. The more people 
(as a collective or not) that do this, the better. 




-----
Mike Hammett
Intelligent Computing Solutions
http://www.ics-il.com 



----- Original Message -----

From: "Roland Dobbins" <rdobbins () arbor net>
To: nanog () nanog org
Sent: Sunday, January 11, 2015 7:24:55 AM
Subject: Re: DDOS solution recommendation 


On 11 Jan 2015, at 20:07, Mike Hammett wrote: 

but I'd think that if their network's abuse department was notified, 
either they'd contact the customer about the issue or at least have on 
file that they were notified.

Just because we think something, that doesn't make it true. 

;> 

The way to stop this stuff is for those millions of end users to clean 
up their infected PCs.

You may want to do some reading on this topic in order to gain a better understanding of the issues involved: 

<https://app.box.com/s/4h2l6f4m8is6jnwk28cg> 

Some of us have been dealing with DDoS attacks for a couple of decades, now. If it were a simple problem, we would've 
solved it long ago. 

Here's a hint: scale alone makes any problem literally orders of magnitude more difficult than any given instance 
thereof. 

-----------------------------------
Roland Dobbins <rdobbins () arbor net> 
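As an added illustration of the automatic blackhole rules Mike describes (more than 5 bad logins in 5 minutes, SMTP to a host that serves no mail, 30-day entries) together with David's caveat that a domain owner can point its MX at your honeypot and make you blackhole innocent senders. This is example code, not from either poster or from NANOG; the log format, host names, IPs and the MX table are constructed stand-ins.

```python
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample log: auth failures on mail host "mx1", SMTP on non-mail host "hp1".
SAMPLE_LOG = """\
2015-01-11T14:00:05 auth-fail ip=203.0.113.7 host=mx1
2015-01-11T14:00:40 auth-fail ip=203.0.113.7 host=mx1
2015-01-11T14:01:10 auth-fail ip=203.0.113.7 host=mx1
2015-01-11T14:02:00 auth-fail ip=203.0.113.7 host=mx1
2015-01-11T14:03:30 auth-fail ip=203.0.113.7 host=mx1
2015-01-11T14:04:50 auth-fail ip=203.0.113.7 host=mx1
2015-01-11T14:00:00 auth-fail ip=198.51.100.9 host=mx1
2015-01-11T14:10:00 smtp-connect ip=192.0.2.50 host=hp1 rcpt=example.net
2015-01-11T14:11:00 smtp-connect ip=192.0.2.51 host=hp1 rcpt=example.org"""
NOW = datetime(2015, 1, 11, 15, 0)
OUR_HOSTS = {"mx1": "mx1.ops.example", "hp1": "hp1.ops.example"}  # placeholder names
# Stand-in for a live MX lookup (constructed): example.net's MX was pointed at our honeypot.
MX_TABLE = {"example.net": "hp1.ops.example", "example.org": "mail.example.org"}

def parse(log):
    events = []
    for line in log.splitlines():
        ts, kind, *kv = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "kind": kind,
                       **dict(f.split("=", 1) for f in kv)})
    return events

def login_offenders(events, limit=5, window=timedelta(minutes=5)):
    """IPs with more than `limit` auth failures inside any sliding `window`."""
    by_ip = defaultdict(list)
    for e in events:
        if e["kind"] == "auth-fail":
            by_ip[e["ip"]].append(e["ts"])
    bad = set()
    for ip, times in by_ip.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # slide past failures older than the window
                start += 1
            if end - start + 1 > limit:
                bad.add(ip)
    return bad
def honeypot_offenders(events, mx_lookup):
    """IPs that spoke SMTP to a non-mail host, unless the recipient domain's MX
    legitimately names that host (blocking them would be a self-inflicted DoS)."""
    return {e["ip"] for e in events if e["kind"] == "smtp-connect"
            and e["host"] != "mx1" and mx_lookup(e["rcpt"]) != OUR_HOSTS[e["host"]]}
def blackhole_list(log, now, days=30, mx_lookup=MX_TABLE.get):
    """Map each offending IP to the time its blackhole entry expires."""
    events = parse(log)
    bad = login_offenders(events) | honeypot_offenders(events, mx_lookup)
    return {ip: now + timedelta(days=days) for ip in bad}
```

With the sample above, 203.0.113.7 is listed for its six failures in under five minutes and 192.0.2.51 for mailing the honeypot, while 192.0.2.50 is spared because example.net's MX really does point at hp1.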

