DDOS solution recommendation

Joel Maslak jmaslak at antelope.net
Sun Jan 11 18:09:20 UTC 2015


On Sun, Jan 11, 2015 at 6:46 AM, Mike Hammett <nanog at ics-il.net> wrote:


> You hit my honeypot IPs, blackholed for 30 days. You do a DNS request to
> my non-DNS servers, blackholed for 30 days. Same goes for NTP, mail, web,
> etc. You have more than say 5 bad login attempts to my mail server in 5
> minutes, blackholed for 30 days. You're trying to access various web pages
> known for home router or Wordpress exploitation, blackholed for 30 days.
>

I urge caution in building automatic systems to respond to network abuse,
lest you have unanticipated consequences.

How are you tracing the source for DNS UDP, NTP UDP, etc., requests?  Or TCP
SYNs?  If you say source address in the packet, you might not be doing what
you think you're doing.  Or for that matter HTTP accesses.  Without giving
too much discussion, let me point out:

1) You can forge a victim's IP and send packets to a honeypot (or indeed
the entire IPv4 internet if you want). You may not want to assume "I see a
packet with this claimed source being sent to X, so it must be a bad guy
and I should block it."

2) Web crawlers will follow links from Bad Guy's Site to your website, even
if these links might match an IDS signature on your end.  You may not want
to block some search engine crawlers.

3) Legitimate recursive DNS servers can be made to connect to any IP
address a bad guy wants them to connect to. You may not want to block some
ISP's recursive DNS servers.

There are good things to do automatically, but make sure you think them
through.

I used to do click fraud detection 15 years ago - when that was still a new
field and we all were inventing our own ways of doing it.  I was amazed at
the number of ways a bad guy could do an HTTP request from millions of
source IPs (hint: they weren't spoofed).  I suspect it hasn't gotten better.

The internet isn't able to be broken because the people building and
running it are idiots.  It's able to be broken because breaking things has
always been far easier than building them.  It takes much more
intelligence, skill, and expertise to build a glass window than to throw a
brick through one.
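The caveats above (spoofed sources, crawlers, recursive resolvers) turned into a small auto-blackhole policy, as an added example that is not part of this thread. It assumes constructed event records, an operator-maintained allowlist of resolver and crawler prefixes (documentation ranges used as placeholders), and a flag saying whether a TCP three-way handshake completed; only events over a verified session count toward the 5-failures-in-5-minutes rule, anything a forged source address could have produced is logged rather than blocked.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass
class Event:
    src: str                 # source address as claimed by the packet
    kind: str                # "udp_hit", "tcp_syn" or "tcp_auth_fail"
    ts: float                # seconds (constructed values in the example)
    handshake: bool = False  # True only after a completed TCP three-way handshake

# Assumed operator-maintained allowlist of ISP resolver and search-engine
# crawler prefixes (documentation ranges as placeholders, not real assignments).
ALLOWLIST = [ip_network("192.0.2.0/24"), ip_network("2001:db8::/32")]

# A forged source address can produce these, so on their own they say nothing
# about who actually sent the packet (point 1 in the post).
SPOOFABLE = {"udp_hit", "tcp_syn"}

class BlackholePolicy:
    def __init__(self, threshold=5, window=300, hold_days=30):
        self.threshold, self.window = threshold, window
        self.hold = hold_days * 86400
        self.fails = defaultdict(deque)   # src -> recent failure timestamps
        self.blocked = {}                 # src -> expiry timestamp

    def observe(self, ev):
        """Decide what to do with one event: ("blackhole" | "log", reason)."""
        if any(ip_address(ev.src) in net for net in ALLOWLIST):
            return ("log", "allowlisted resolver or crawler")  # points 2 and 3
        if ev.kind in SPOOFABLE or ev.kind != "tcp_auth_fail" or not ev.handshake:
            return ("log", "source address not verified")
        q = self.fails[ev.src]
        q.append(ev.ts)
        while q and ev.ts - q[0] > self.window:   # drop failures outside the window
            q.popleft()
        if len(q) >= self.threshold:
            self.blocked[ev.src] = ev.ts + self.hold
            return ("blackhole", f"{len(q)} auth failures in {self.window}s")
        return ("log", f"{len(q)} auth failures, below threshold")

    def is_blocked(self, src, now):
        exp = self.blocked.get(src)
        return exp is not None and now < exp
```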
