real-time DDoS help?

Michael Loftis mloftis at wgops.com
Sun Jun 20 02:53:17 UTC 2004




--On Saturday, June 19, 2004 22:04 -0400 Charles Sprickman <spork at inch.com> 
wrote:

>
> Howdy,
>
> Is there any place where people with experience dealing with DDoS attacks
> hang out?  I'm getting very little assistance from my upstream beyond
> "call whomever is in charge of each IP attacking and make them stop", and
> "even though we null route the destination IP being attacked, this traffic
> will be billed".

That's outrageous but not unheard of....if it never makes it to you then 
you shouldn't be billed for it.

> I've got a nice snippet of flows, so I can mostly see where everything is
> coming from, and it's obvious what the target is, but my
> flow-stat/flow-report skills are pretty weak.
>
> Oddly, in eight years of working for smallish ISPs I've never been hit
> very hard, believe it or not.  Is the response from my upstream typical?
> I was expecting a bit more cooperation rather than them seeing this as
> an opportunity to bill me for lots of traffic.

The normal flow unless you're a big guy yourself is to talk to your 
upstreams who contact theirs and put null routes in place at both steps. 
Depending on the size of the DDoS.  My current place of employment we got 
nailed down with 100mbit+ SYN attack here recently (I had an eng from one 
of the major upstreams, can't remember which, quote it at north of 200mbit, 
but by the time it made it to me we were only attempting to sink about 
90-120mbit, but we couldn't hardly keep up with that).

Most places will not charge for that.  And I think it's absurd that anyone 
does, and that you should probably take your business elsewhere if your 
upstream is engaged in this sort of gouging.


