Re: Krebs on Security booted off Akamai network after DDoS attack proves pricey

[Christopher Morrow <morrowc.lists () gmail com>]

On Fri, Sep 23, 2016 at 10:13 PM, Jon Lewis <jlewis () lewis org> wrote:

> On Fri, 23 Sep 2016, Christopher Morrow wrote:
>
> On Fri, Sep 23, 2016 at 9:24 PM, Jon Lewis <jlewis () lewis org> wrote:
> > On Fri, 23 Sep 2016, Patrick W. Gilmore wrote:
> > > Is CloudFlare able to filter Layer 7 these days? I was under the
> > >
> > > > impression CloudFlare was not able to do that.
> > > >
> > > > There have been a lot of rumors about this attack. Some say reflection,
> > > > others say Layer 7, others say .. other stuff. If it is Layer 7, how are
> > > > you going to ÿÿstep in front of the cannonÿÿ? Would you just pass
> > > > through
> > > > all the traffic?
> > > Anycast + load balancers + high powered varnish?
> > >
> > >
> > > notionally (because I have been paying zero attention to this) jon's
> > suggesting:
> >  1) setup a crapload of nginx/squid/etc configured tightly for things to
> > be accessed behind them
> >  2) ecmp to them across several layers (assume 32 ecmp at each layer, call
> > it 4 layers get craploads of machines running)
> >  3) change over the dns
> >  4) profit--
> >
> > eh? If you can eat the PPS, you can spray across enough tcp listeners, you
> > can weed out the chaff and start filtering in the 'application'... perhaps
> > also run a 'low bandwidth' version of the target site...
> >
> > hey look, we invented prolexic.
>
> Well...by anycast, I meant BGP anycast, spreading the "target"
> geographically to a dozen or more well connected/peered origins.  At that
> point, your ~600G DDoS might only be around


anycast and tcp? the heck you say! :)


> 50G per site, and at that level, filtering the obvious crap gets much more
> reasonable.  Then, doing the layer 7 scrubbing of the less obvious crap is
> more easily dealt with than a single site receiving 600G of attack traffic.
sure, yes.


> I haven't actually done this (specifically for DDoS mitigation)...just
> speculating as to how it might easily be done given sufficient resources.
> The trouble is, the attackers have virtually unlimited bandwidth, and
> aren't constrained by having to pay for the bandwidth.
sounds like you got it all sorted out...


> ----------------------------------------------------------------------
>  Jon Lewis, MCP :)           |  I route
>                              |  therefore you are
> _________ http://www.lewis.org/~jlewis/pgp for PGP public key_________