Re: DDOS solution recommendation

[Owen DeLong <owen () delong com>]

> On Jan 11, 2015, at 12:28 , Colin Johnston <colinj () gt86car org uk> wrote:
>
> unfortunately chinanet antispam/abuse email box is always full, after a while people block .
> always check arin/ripe for known good provider blocks and actively exclude from rules

ARIN and RIPE do not provide address reputation information, so I’m not sure what you mean by known good blocks.

Anything you can get from ARIN or RIPE, you would also want to check against LACNIC, AfriNIC, and APNIC as each of the 
5 RIRs has their own region for which they are responsible. If you merely check ARIN and RIPE, you will permit only 
North America (exclusive of Mexico), some Caribbean Islands, Antarctica, and Europe. If it is not your intent to 
completely ignore Asia, Africa, Latin America, and about half of the Caribbean, then your above statement needs 
adjustment.

> ddos protection via careful overview ips rules and active web source ip monitoring works well, the hard part is daily 
> rule updates and blocks until you know most traffic is genuine.

This helps with PPS attacks against web servers and certain web exploits. It does not help with volumetric attacks. The 
simple fact is that the only way to deal with volumetric attacks is to have them blocked or filtered upstream unless 
you have sufficient ingress capacity to sink the attack traffic volume.

Owen

> colin
>
> Sent from my iPhone
>
> > On 11 Jan 2015, at 19:42, "Patrick W. Gilmore" <patrick () ianai net> wrote:
> >
> > I do love solutions which open larger attack surfaces than they are supposed to close. In the US, we call that "a 
> > cure worse than the disease".
> >
> > Send packet from random bot with source of Google, Comcast, Akamai, etc. to Mr. Hammett's not-DNS / honeypot / 
> > whatever, and watch him close himself off from the world.
> >
> > Voilà! Denial of service accomplished without all the hassle of sending 100s of Gbps of traffic.
> >
> > Best part is he was willing to explain this to 10,000+ of his not-so-closest friends, in a search-engine-indexed 
> > manner.
> >
> > -- 
> > TTFN,
> > patrick
> >
> > > On Jan 11, 2015, at 14:34 , Phil Bedard <bedard.phil () gmail com> wrote:
> > >
> > > Many attacks can use spoofed source IPs, so who are you really blocking?  
> > >
> > > That's why BCP38 as mentioned many times already is a necessary tool in 
> > > fighting the attacks overall.  
> > >
> > > Phil 
> > >
> > >
> > >
> > >
> > > > On 1/11/15, 4:33 PM, "Mike Hammett" <nanog () ics-il net> wrote:
> > > >
> > > > I didn't necessarily think I was shattering minds with my ideas. 
> > > >
> > > > I don't have the time to read a dozen presentations. 
> > > >
> > > > Blackhole them and move on. I don't care whose feelings I hurt. This 
> > > > isn't kindergarten. Maybe "you" should have tried a little harder to not 
> > > > get a virus in the first place. Quit clicking on male enhancement ads or 
> > > > update your OS occasionally. I'm not going to spend a bunch of time and 
> > > > money to make sure someone's bubble of bliss doesn't get popped. Swift, 
> > > > effective, cheap. Besides, you're only cut off for 30 days. If in 30 days 
> > > > you can prove yourself to be responsible, we can try this again. Well, 
> > > > that or a sufficient support request. 
> > > >
> > > > Besides, if enough people did hat, the list of blackholes wouldn't be 
> > > > huge as someone upstream already blocked them. 
> > > >
> > > >
> > > >
> > > >
> > > > ----- 
> > > > Mike Hammett 
> > > > Intelligent Computing Solutions 
> > > > http://www.ics-il.com 
> > > >
> > > >
> > > >
> > > > ----- Original Message -----
> > > >
> > > > From: "Roland Dobbins" <rdobbins () arbor net> 
> > > > To: nanog () nanog org 
> > > > Sent: Sunday, January 11, 2015 9:29:33 AM 
> > > > Subject: Re: DDOS solution recommendation 
> > > >
> > > >
> > > > > On 11 Jan 2015, at 22:21, Mike Hammett wrote: 
> > > > >
> > > > > I'm not saying what you're doing is wrong, I'm saying whatever the 
> > > > > industry as a whole is doing obviously isn't working and perhaps a 
> > > > > different approach is required.
> > > >
> > > > You haven't recommended anything new, and you really need to do some 
> > > > reading in order to understand why it isn't as simple as you seem to 
> > > > think it is. 
> > > >
> > > > > Security teams? My network has me, myself and I.
> > > >
> > > > And a relatively small network, too. 
> > > >
> > > > > If for example ChinaNet's abuse department isn't doing anything about 
> > > > > complains, eventually their whole network gets blocked a /32 at a 
> > > > > time. *shrugs* Their loss.
> > > >
> > > > Again, it isn't that simple. 
> > > >
> > > > ----------------------------------- 
> > > > Roland Dobbins <rdobbins () arbor net>