Re: DDoS Mitigation

[Pavel Odintsov <pavel.odintsov () gmail com>]

Hello, Christopher!

Could you share "there are quite a few in the US that will filter
traffic like this for you" off-list?

On Thu, Nov 5, 2015 at 3:27 AM, Christopher Morrow
<morrowc.lists () gmail com> wrote:
> a short answer for the OP is: "Find an ISP that will actually support you"
>
> there are quite a few in the US that will filter traffic like this for
> you (vzb will) on demand, provided the traffic is service impacting
> and NOT 'victoria secret runway show' traffic.
>
> alternately you could find an ISP that has a mitigation service (vzb,
> att, ntt, sprint i think still does)  and move your links there.
>
> All of those are cheaper when under attack than the off-netork
> solutions (generally).
>
> On Thu, Nov 5, 2015 at 9:12 AM, Tin, James <jtin () akamai com> wrote:
> > This is my first post to Nanog. So please don't flame me down ;)
> >
> > Hi Mario.
> >
> > Typically the cost of Ddos mitigation is charged on the amount of clean traffic inbound to your network, the number 
> > of protected /24 ranges you need protected and the number of datacentres you want to protect.
> >
> > Ideally the Ddos mitigation solution should block attacks as close as possible to the source of the attack. One good 
> > way of doing this is by leveraging anycast from multiple scrubbing centres and ensure there is enough backbone 
> > bandwidth between each scrubbing centre to deliver clean traffic.
> >
> > Blocking it at your upstream transit provider may be too late for significant attacks as any service provider 
> > between you and the source could black hole the traffic before it gets to your peers. This results in legitimate 
> > traffic not being able to reach your network.
> >
> > Paras is correct, attacks could be on any port and often multivector and change within an attack campaign if 
> > attackers see one vector is not effective. So each attack really needs to be dealt with dynamically to ensure there 
> > are no false positives (something is blocked when it shouldn't be)
> >
> > Unfortunately it is very simple to intimate a Ddos attack, but the cost of mitigation is very high. So the solution 
> > you choose really depends on the monetary cost of the outages, clients you have and whether the cost can be 
> > amortised over your client base.
> >
> > I have seen service providers offer premium hosting services which have Ddos mitigation, using separate 
> > infrastructure and links to their normal customers. This reduces the cost of mitigation while also containing the 
> > risks and the collateral damage.
> >
> > There are also different Ddos mitigation solutions depending on the service protocols your are offering. Ie web 
> > traffic could be mitigated with cdn vs all protocols and ports with BGP via a scrubbing centre.
> >
> > Sent from my iPhone
> > James Tin
> > Enterprise Security Architect APJ
> > Join the Conversation.
> > Log on to Akamai Community.     [http://www.akamai.com/images/img/community-icon-large.png] 
> > <https://community.akamai.com/>
> >
> > [http://www.akamai.com/images/img/bg/akamai-logo.png]<http://www.akamai.com/>
> >
> > Office: +<tel:+1.617.444.1234>61 9008 4906
> > Cell: +<tel:+1.617.444.1234>61 466 961 555
> >         Akamai Technologies
> > Level 7, 76 Berry St
> > North Sydney, NSW 2071
> >
> > Connect with Us:        [http://www.akamai.com/images/img/akamai-community-icon.jpg] <https://community.akamai.com/> 
> >  [http://www.akamai.com/graphics/misc/rs_icon_small.png] <http://blogs.akamai.com/>  
> > [http://www.akamai.com/graphics/misc/tw_icon_small.png] <https://twitter.com/akamai>  
> > [http://www.akamai.com/graphics/misc/fb_icon_small.png] <http://www.facebook.com/AkamaiTechnologies>  
> > [http://www.akamai.com/graphics/misc/in_icon_small.png] <http://www.linkedin.com/company/akamai-technologies>  
> > [http://www.akamai.com/graphics/misc/yt_icon_small.png] 
> > <http://www.youtube.com/user/akamaitechnologies?feature=results_main>
> >
> >
> >
> >
> > On 5 Nov 2015, at 05:13, Paras <paras () protrafsolutions com<mailto:paras () protrafsolutions com>> wrote:
> >
> > Hey,
> >
> > Just blocking port 19 won't cut it, as we often see Chargen attacks that run on nonstandard ports as well
> >
> > Thanks,
> > Paras
> >
> > On 11/4/2015 12:33 PM, Mario Eirea wrote:
> > Hello everyone,
> >
> > Looking to find out how the pricing model works for DDoS mitigation and what to expect as far as ballpark pricing 
> > from my ISP. Some background, we are getting hit with a chargen attack that comes and goes and is saturating our 
> > 500mb connection. Tried hitting up the ISP for UDP block on 19 but they want us to go through our rep, in the 
> > process making this go on longer that is necessary. Any feedback would be appreciated.
> >
> > Thanks,
> >
> > -ME



-- 
Sincerely yours, Pavel Odintsov