DOS attack tracing

Gadi Evron gadi at tehila.gov.il
Tue May 10 12:07:19 UTC 2005


Hannigan, Martin wrote:

Well, this is no longer about tracing DDoS I suppose..

> Good advice when DDOS' are constant. If this was a first and possibly
> last for awhile, it may make sense to rely on the software tools
> and a good 'SOP' with the provider instead. It really depends on
> the scope of the problem in particular.
> 
> DDOS' is rather infrequent to zero for most enterprises. That DDOS
> golden banana is rather yummy with sprinkles on top. Don't get me wrong,
> the DDOS problem is real, but not for everyone, and not as frequently as
> it's being hyped up to be. A managed service is a better way
> to go if they're worried, IMO.

Two things: planning for disaster and mitigating on-going DDoS attacks.

Planning...
Sound advice, but I'd phrase it a little differently.

All depending on how big they are, how much they have to invest, how 
worried they are and how much they stand to lose by such an attack, 
short or prolonged (which after their last experience they should be 
able to answer), they are more than capable of deciding how much they 
want to invest.

If they are generally concerned but not truly able to pay so much for 
an.. infrequent serious risk, they can indeed get better (more 
organized) relations with their uplink, as well as perhaps check if 
their uplink can use their own.. say Cisco Guard for them or whatever 
other mitigation service they can offer. That or get a better uplink.

They could combine tactics, such as for example get the Guard but direct 
it using netflow data rather than the Detector.

It all depends on how much they are willing to invest - but knowing what 
they need is entirely up to them and after such an attack I bet they 
have a fairly good idea.

Mitigating...
As to the infrequency of the attacks, it really depends on who you ask. 
We (at Tehila) get attacked quite often, and we see others get attacked 
quite often. Others yet get attacked on such a scale once a year or so. 
How much do you stand to lose from just ONE devastating attack?

Underplaying DDoS, though, is something I do not agree with you on. 
The scale of the problem is much bigger than most believe.

Unrelated to my own experience and that of my employer, at the drone 
armies research and mitigation mailing list we have been able to 
actively mitigate DDoS attacks in real time; what we need is a log of 
the attacking IPs with timestamps, and we do our best to help.

In our last success we mitigated a 400 mega packets attack into just 
about 20, crippling the ability of the attacker to strike for a few 
weeks. After his second attempt he never went back to that target again 
(so far, anyway).

	Gadi.
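The post above mentions two concrete inputs to mitigation: flow (netflow) data that can steer a scrubbing device, and a log of attacking IPs with timestamps that can be handed to a mitigation list or an uplink. As an added example, not part of the original post and not the tooling of Tehila or the mailing list, the Python below turns constructed flow records (the `FLOWS` tuple format, the 5-second export `WINDOW`, the `pps_threshold` and the function names are all assumptions, not a real NetFlow export format) into exactly such a log: per-source first/last seen, total packets and peak packets-per-second above a threshold, then aggregated into /24 prefixes so an uplink can act on prefixes rather than thousands of individual hosts.

```python
"""Build an attacker log (IP, first seen, last seen, packets, peak pps)
from flow records, then aggregate it by prefix for an uplink.

Added example; the flow record layout and threshold are assumptions.
"""
from collections import defaultdict
from datetime import datetime
import ipaddress

# Constructed sample flow export: (ISO timestamp, src, dst, packets in window).
# Addresses are documentation ranges (RFC 5737), not real hosts.
FLOWS = [
    ("2005-05-10T12:00:00", "198.51.100.7",   "203.0.113.10", 120000),
    ("2005-05-10T12:00:00", "198.51.100.9",   "203.0.113.10",  95000),
    ("2005-05-10T12:00:00", "192.0.2.44",     "203.0.113.10",    300),
    ("2005-05-10T12:00:05", "198.51.100.7",   "203.0.113.10", 130000),
    ("2005-05-10T12:00:05", "198.51.100.200", "203.0.113.10",  80000),
    ("2005-05-10T12:00:05", "192.0.2.44",     "203.0.113.10",    250),
    ("2005-05-10T12:00:10", "198.51.100.9",   "203.0.113.10",  90000),
    ("2005-05-10T12:00:10", "192.0.2.45",     "203.0.113.10",    400),
]
WINDOW = 5  # seconds covered by each flow record (assumption)


def attacker_log(flows, target, pps_threshold):
    """Return {src: {"first", "last", "packets", "peak_pps"}} for every source
    that sent at least pps_threshold packets/second towards target in some
    window. Legitimate low-rate clients fall below the threshold and are
    left out of the log, which is the point of the threshold."""
    per_src = defaultdict(lambda: {"first": None, "last": None,
                                   "packets": 0, "peak_pps": 0})
    for ts_str, src, dst, packets in flows:
        if dst != target:
            continue
        ts = datetime.fromisoformat(ts_str)
        rec = per_src[src]
        rec["first"] = ts if rec["first"] is None else min(rec["first"], ts)
        rec["last"] = ts if rec["last"] is None else max(rec["last"], ts)
        rec["packets"] += packets
        rec["peak_pps"] = max(rec["peak_pps"], packets // WINDOW)
    return {s: r for s, r in per_src.items() if r["peak_pps"] >= pps_threshold}


def by_prefix(log, prefixlen=24):
    """Aggregate the attacker log into prefixes (default /24), highest packet
    count first, so an uplink can act on a handful of prefixes."""
    agg = defaultdict(int)
    for src, rec in log.items():
        net = ipaddress.ip_network(f"{src}/{prefixlen}", strict=False)
        agg[str(net)] += rec["packets"]
    return dict(sorted(agg.items(), key=lambda kv: kv[1], reverse=True))


def format_log(log):
    """One line per attacking source, heaviest first: first-seen, last-seen,
    IP, total packets and peak pps, in a form that can be shared as-is."""
    lines = []
    for src, rec in sorted(log.items(), key=lambda kv: kv[1]["packets"],
                           reverse=True):
        lines.append(f"{rec['first'].isoformat()} {rec['last'].isoformat()} "
                     f"{src} packets={rec['packets']} peak_pps={rec['peak_pps']}")
    return lines


if __name__ == "__main__":
    log = attacker_log(FLOWS, "203.0.113.10", pps_threshold=10000)
    print("\n".join(format_log(log)))
    for prefix, pkts in by_prefix(log).items():
        print(f"{prefix} packets={pkts}")
```

With the constructed records, three of the five sources clear the 10,000 pps threshold and all three land in the same /24, which is the kind of summary an uplink can act on quickly; the two low-rate sources are the legitimate traffic the threshold is meant to keep out of the log.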


