Krebs on Security booted off Akamai network after DDoS attack proves pricey

Christopher Morrow morrowc.lists at gmail.com
Sat Sep 24 02:42:45 UTC 2016


On Fri, Sep 23, 2016 at 10:13 PM, Jon Lewis <jlewis at lewis.org> wrote:

> On Fri, 23 Sep 2016, Christopher Morrow wrote:
>
>> On Fri, Sep 23, 2016 at 9:24 PM, Jon Lewis <jlewis at lewis.org> wrote:
>>
>>> On Fri, 23 Sep 2016, Patrick W. Gilmore wrote:
>>>
>>>> Is CloudFlare able to filter Layer 7 these days? I was under the
>>>> impression CloudFlare was not able to do that.
>>>>
>>>> There have been a lot of rumors about this attack. Some say reflection,
>>>> others say Layer 7, others say .. other stuff. If it is Layer 7, how are
>>>> you going to "step in front of the cannon"? Would you just pass through
>>>> all the traffic?
>>>>
>>> Anycast + load balancers + high powered varnish?
>>>
>> notionally (because I have been paying zero attention to this) jon's
>> suggesting:
>>  1) setup a crapload of nginx/squid/etc configured tightly for things to
>> be accessed behind them
>>  2) ecmp to them across several layers (assume 32 ecmp at each layer, call
>> it 4 layers get craploads of machines running)
>>  3) change over the dns
>>  4) profit--
>>
>> eh? If you can eat the PPS, you can spray across enough tcp listeners, you
>> can weed out the chaff and start filtering in the 'application'... perhaps
>> also run a 'low bandwidth' version of the target site...
>>
>> hey look, we invented prolexic.
>>
>
> Well...by anycast, I meant BGP anycast, spreading the "target"
> geographically to a dozen or more well connected/peered origins.  At that
> point, your ~600G DDoS might only be around


anycast and tcp? the heck you say! :)


> 50G per site, and at that level, filtering the obvious crap gets much more
> reasonable.  Then, doing the layer 7 scrubbing of the less obvious crap is
> more easily dealt with than a single site receiving 600G of attack traffic.
>
>
sure, yes.


> I haven't actually done this (specifically for DDoS mitigation)...just
> speculating as to how it might easily be done given sufficient resources.
> The trouble is, the attackers have virtually unlimited bandwidth, and
> aren't constrained by having to pay for the bandwidth.
>
>
sounds like you got it all sorted out...


>
> ----------------------------------------------------------------------
>  Jon Lewis, MCP :)           |  I route
>                              |  therefore you are
> _________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
>
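As an added illustration (not part of the thread, and not anyone's production config), this is roughly what one node of the "crapload of nginx configured tightly" layer from step 1 above could look like: per-client request and connection budgets, short timeouts so slow clients do not pin worker slots, a locally served "low bandwidth" copy of the site, and a narrow allowlist of dynamic paths that still reach the origin through a cache. The upstream address, server name, rates, zone sizes and paths are placeholders chosen for the example.

```nginx
# Added example (not from the thread): one node of the front-line nginx
# layer, tuned to shed junk before it reaches the origin. Upstream address,
# server name, rate numbers and paths are placeholders for illustration.
worker_processes auto;
events { worker_connections 65536; }

http {
    # Per-client request budget; zone state is shared across all workers.
    limit_req_zone  $binary_remote_addr zone=perip:64m rate=10r/s;
    limit_conn_zone $binary_remote_addr zone=conns:64m;

    # Short timeouts so slow or half-open clients do not hold worker slots.
    client_header_timeout 5s;
    client_body_timeout   5s;
    send_timeout          10s;
    keepalive_timeout     5s;
    client_max_body_size  64k;

    # Cache origin responses so bursts are answered from local memory/disk.
    proxy_cache_path /var/cache/nginx levels=1:2 keys_zone=edge:256m
                     max_size=10g inactive=10m use_temp_path=off;

    upstream origin {                 # placeholder origin address
        server 192.0.2.10:80;
        keepalive 32;
    }

    server {
        listen 80 reuseport;
        server_name example.com;      # placeholder name

        limit_req  zone=perip burst=20 nodelay;
        limit_conn conns 20;

        # Only the verbs the site needs; anything else is closed without a reply.
        if ($request_method !~ ^(GET|HEAD)$) { return 444; }

        # "Low bandwidth" version of the site: a static copy served locally,
        # so the default path never touches the origin at all.
        location / {
            root /srv/lowbw;
            try_files $uri $uri/ /index.html;
        }

        # Narrow allowlist of dynamic paths that still reach the origin,
        # served from cache when possible and stale on upstream trouble.
        location ~ ^/(feed|search)$ {
            proxy_cache edge;
            proxy_cache_valid 200 301 302 60s;
            proxy_cache_use_stale error timeout updating http_500 http_502 http_503;
            proxy_cache_lock on;
            proxy_http_version 1.1;
            proxy_set_header Connection "";
            proxy_pass http://origin;
        }
    }
}
```

The point of the layout is that each listener only ever does cheap work on the bulk of requests (static file or cache hit, or an early 444), which is what makes the "spray across enough tcp listeners, then weed out the chaff" step affordable; the ECMP fan-out in step 2 and the DNS change in step 3 are outside nginx and not shown here.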
