DDOS solution recommendation

• Previous message (by thread): DDOS solution recommendation
• Next message (by thread): DDOS solution recommendation
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

In looking at this thread, it's apparent that some are trying to
over-simplify a not-so-simple problem. As someone brought out earlier,
there is no silver bullet to fix for several reasons. Some reasons
that I can come up with at the top of my head are:

1) DDOS types vary.
2) Not every network is the same (shocker I know)
3) Time/Money - not every company has the same budget (again, shocker)
4) Staff/Resources - Not every company have admin/engineers at
different technical levels. So someone may decide on blocking an
attack at different levels because "that's what they know." EG:
wordpress guy blocks attacks at the webserver level, an admin blocks
it at the system, network admin at the edge.


The questions should be much more narrow. "How should I mitigate an
NTP reflection" or "what are common mistakes people make when
mitigating attacks" are questions that more specific that all can
glean from.

Thanks,
Scott

On Mon, Jan 12, 2015 at 4:35 PM, Mike Hammett <nanog at ics-il.net> wrote:
> So the preferred alternative is to simply do nothing at all? That seems fair.
>
>
>
>
> -----
> Mike Hammett
> Intelligent Computing Solutions
> http://www.ics-il.com
>
>
>
> ----- Original Message -----
>
> From: "Christopher Morrow" <morrowc.lists at gmail.com>
> To: "Brandon Ross" <bross at pobox.com>
> Cc: "Mike Hammett" <nanog at ics-il.net>, "NANOG list" <nanog at nanog.org>
> Sent: Monday, January 12, 2015 3:05:14 PM
> Subject: Re: DDOS solution recommendation
>
> On Mon, Jan 12, 2015 at 3:17 PM, Brandon Ross <bross at pobox.com> wrote:
>> On Sun, 11 Jan 2015, Mike Hammett wrote:
>>
>>> I know that UDP can be spoofed, but it's not likely that the SSH, mail,
>>> etc. login attempts, web page hits, etc. would be spoofed as they'd have to
>>> know the response to be of any good.
>>
>>
>> Okay, so I'm curious. Are you saying that you do not automatically block
>> attackers until you can confirm a 3-way TCP handshake has been completed,
>> and therefore you aren't blocking sources that were spoofed? If so, how are
>> you protecting yourself against SYN attacks? If not, then you've made it
>> quite easy for attackers to deny any source they want.
>
> this all seems like a fabulous conversation we're watching, but really
> .. if someone wants to block large swaths of the intertubes on their
> systems it's totally up to them, right? They can choose to not be
> functional all they want, as near as I can tell... and arguing with
> someone with this mentality isn't productive, especially after several
> (10+? folk) have tried to show and tell some experience that would
> lead to more cautious approaches.
>
> If mike wants less packets, that's all cool... I'm not sure it's
> actually solving anything, but sure, go right ahead, have fun.
>
> -chris
>



-- 
Scott

• Previous message (by thread): DDOS solution recommendation
• Next message (by thread): DDOS solution recommendation
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]