Krebs on Security booted off Akamai network after DDoS attack proves pricey

Jon Lewis jlewis at lewis.org
Sat Sep 24 02:13:45 UTC 2016


On Fri, 23 Sep 2016, Christopher Morrow wrote:

> On Fri, Sep 23, 2016 at 9:24 PM, Jon Lewis <jlewis at lewis.org> wrote:
>
>> On Fri, 23 Sep 2016, Patrick W. Gilmore wrote:
>>
>>> Is CloudFlare able to filter Layer 7 these days? I was under the
>>> impression CloudFlare was not able to do that.
>>>
>>> There have been a lot of rumors about this attack. Some say reflection,
>>> others say Layer 7, others say .. other stuff. If it is Layer 7, how are
>>> you going to "step in front of the cannon"? Would you just pass through
>>> all the traffic?
>>>
>>
>> Anycast + load balancers + high powered varnish?
>>
>>
> notionally (because I have been paying zero attention to this) jon's
> suggesting:
>  1) setup a crapload of nginx/squid/etc configured tightly for things to
> be accessed behind them
>  2) ecmp to them across several layers (assume 32 ecmp at each layer, call
> it 4 layers get craploads of machines running)
>  3) change over the dns
>  4) profit--
>
> eh? If you can eat the PPS, you can spray across enough tcp listeners, you
> can weed out the chaff and start filtering in the 'application'... perhaps
> also run a 'low bandwidth' version of the target site...
>
> hey look, we invented prolexic.

Well...by anycast, I meant BGP anycast, spreading the "target" 
geographically to a dozen or more well connected/peered origins.  At that 
point, your ~600G DDoS might only be around 50G per site, and at that 
level, filtering the obvious crap gets much more reasonable.  Then, doing 
the layer 7 scrubbing of the less obvious crap is more easily dealt with 
than a single site receiving 600G of attack traffic.

I haven't actually done this (specifically for DDoS mitigation)...just 
speculating as to how it might easily be done given sufficient resources. 
The trouble is, the attackers have virtually unlimited bandwidth, and 
aren't constrained by having to pay for the bandwidth.

----------------------------------------------------------------------
  Jon Lewis, MCP :)           |  I route
                              |  therefore you are
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________


More information about the NANOG mailing list