Arbor Networks DoS defense product

Richard A Steenbergen ras at e-gerbil.net
Wed May 15 13:10:51 UTC 2002


On Wed, May 15, 2002 at 12:14:35AM -0600, Pete Kruckenberg wrote:
> 
> These might apply to noticeable DoS attacks that occur as specific
> events. But how much (D)DoS traffic goes unnoticed by the average
> customer because it's too tough to detect or defend against? The 10%
> I've measured on my network is primarily reflected DDoS (reflected off
> my customers, to off-net targets), which is not trivial to detect or
> defend against.

It all depends on the networks involved. I'd venture to say that most
people not associated with university networks see significantly less DoS,
more like 1% of overall traffic for service providers and probably closer
to 0% for end users who aren't IRCing.

At any rate, you are also in the very special case of being the one used 
to do the attacks rather than the one being attacked. Again, you really 
have to have university networks involved to see those numbers.

In non-DDoS cases, particularly your classic bandwidth floods, the source
feels the attack as badly as the victim. That is less the case today, with
targeted attacks (your network MAY fall over routing 100kpps, but it is
far more likely to fall over if those 100kpps are directed at your
routers) and DDoS reducing the amount of power that any given source must
use. Remember that the original point of DDoS was to prevent the sources
from noticing (and thus shutting down the compromised machines) by using
10 networks at 10% instead of 1 at 100%.

Today, you often see targeted high pps low bandwidth attacks which
actually bring down traffic (these *are* supposed to be denial of service
attacks after all :P) instead of raising it.

But as for your case... Attacks directed at you and attacks directed from
you are sometimes the same thing and sometimes different, and I think most
people see money to be made in the former. Personally I would rather have
to deal with the latter, because there is something I can easily do about
it. For the sake of the rest of us, PLEASE go fix your network so that we
don't have to deal with your attacks. I'm still recommending rate limiting
your outbound RSTs either on the webservers themselves (which a good OS
should do), or on the routers. :)

-- 
Richard A Steenbergen <ras at e-gerbil.net>       http://www.e-gerbil.net/ras
PGP Key ID: 0x138EA177  (67 29 D7 BC E8 18 3E DA  B2 46 B3 D8 14 36 FE B6)
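
The outbound RST rate limit recommended in the message above, sketched as a token bucket run over constructed traffic (an added example, not part of the original post). The 200 RST/s limit, the single global bucket, the traffic rates and all addresses are assumptions chosen for illustration.

```python
from dataclasses import dataclass

@dataclass
class RstLimiter:
    """Token bucket over outbound TCP RSTs; one global bucket (assumption)."""
    rate: float          # sustained RSTs per second
    burst: float         # bucket depth
    tokens: float = 0.0
    last: float = 0.0

    def __post_init__(self):
        self.tokens = self.burst      # start with a full bucket

    def allow(self, now: float) -> bool:
        # Refill for the elapsed time, capped at the bucket depth.
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False

def constructed_events(seconds=10):
    """Constructed sample: RSTs this host would emit, as (timestamp, dst)."""
    victim = "192.0.2.10"             # documentation address, not a real host
    # Reflected traffic: 5000 RST/s aimed at one off-net address.
    flood = [(i / 5000, victim) for i in range(5000 * seconds)]
    # Ordinary RSTs: 17/s spread over 50 unrelated peers.
    normal = [(j / 17, f"198.51.100.{j % 50 + 1}") for j in range(17 * seconds)]
    return flood + normal

def simulate(events, rate=200.0, burst=200.0):
    """Return (sent, dropped) RST counts per destination."""
    lim = RstLimiter(rate, burst)
    sent, dropped = {}, {}
    for ts, dst in sorted(events):
        counts = sent if lim.allow(ts) else dropped
        counts[dst] = counts.get(dst, 0) + 1
    return sent, dropped

if __name__ == "__main__":
    sent, dropped = simulate(constructed_events())
    for dst in sorted(dropped, key=dropped.get, reverse=True)[:3]:
        print(dst, "sent", sent.get(dst, 0), "dropped", dropped[dst])
```

In this run the ordinary RSTs to the 198.51.100.x peers are dropped along with the flood, because one bucket covers every destination; keying the bucket per destination keeps unrelated peers out of the limit.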


