nanog mailing list archives
Re: DDoS auto-mitigation best practices (for eyeball networks)
From: Chase Christian <madsushi () gmail com>
Date: Mon, 21 Sep 2015 10:59:06 -0700
Most video games utilize peer-to-peer traffic (which is why many require port forwarding/UPnP), so the attacker has the IP addresses of all of their peers in their firewall logs. There are even 'gaming routers' that specialize in gaming this peer-to-peer system for competitive advantages, such as specifically blocking the IPs of players you don't want to play against: https://netduma.com/why/for-gamers/ Once an attacker has identified his target, getting the IP is as simple as joining/being in an online game with that player. On Mon, Sep 21, 2015 at 5:00 AM, <frnkblk () iname com> wrote:
99% of the attacks we see are gaming related -- somehow the other players know the IP and then attack our customer for an advantage in the game, or retribution. Most DHCP servers (correctly) give the same IP address if the CPE is rebooted. Ours are one of those. =) Frank -----Original Message----- From: Mehmet Akcin [mailto:mehmet () akcin net] Sent: Saturday, September 19, 2015 3:10 PM To: Frank Bulk <frnkblk () iname com> Cc: nanog () nanog org Subject: Re: DDoS auto-mitigation best practices (for eyeball networks) How does he/she become target? How does IP address gets exposed? I guess simplest way is to reboot modem and hope to get new ip (or call n request) MehmetOn Sep 19, 2015, at 12:54, Frank Bulk <frnkblk () iname com> wrote: Could the community share some DDoS auto-mitigation best practices for eyeball networks, where the target is a residential broadband subscriber? I'm not asking so much about the customer communication as much as configuration of any thresholds or settings, such as: - minimum traffic volume before responding (for volumetric attacks) - minimum time to wait before responding - filter percentage: 100% of the traffic toward target (or if volumetric, just a certain percentage)? - time before mitigation is automatically removed - and if the attack should recur shortly thereafter, time to respond and remove again - use of an upstream provider(s) mitigation services versus one's own mitigation tools - network placement of mitigation (presumably upstream as possible) - and anything else I ask about best practice for broadband subscribers on eyeball networks because it's different environment than data center and hostingenvironmentsor when one's network is being used to DDoS a target. Regards, Frank
Current thread:
- DDoS auto-mitigation best practices (for eyeball networks) Frank Bulk (Sep 19)
- Re: DDoS auto-mitigation best practices (for eyeball networks) Mehmet Akcin (Sep 19)
- Re: DDoS auto-mitigation best practices (for eyeball networks) Mike Hammett (Sep 19)
- Re: DDoS auto-mitigation best practices (for eyeball networks) Patrick Muldoon via NANOG (Sep 19)
- RE: DDoS auto-mitigation best practices (for eyeball networks) frnkblk (Sep 21)
- Re: DDoS auto-mitigation best practices (for eyeball networks) Chase Christian (Sep 22)
- Re: DDoS auto-mitigation best practices (for eyeball networks) Randy via NANOG (Sep 19)
- Re: DDoS auto-mitigation best practices (for eyeball networks) Roland Dobbins (Sep 19)
- Re: DDoS auto-mitigation best practices (for eyeball networks) alvin nanog (Sep 20)
- Re: DDoS auto-mitigation best practices (for eyeball networks) Mehmet Akcin (Sep 19)