DDOS, IDS, RTBH, and Rate limiting
Roland Dobbins
rdobbins at arbor.net
Sun Nov 9 03:50:42 UTC 2014
On 9 Nov 2014, at 10:37, Jon Lewis wrote:
> I'm sure it's not always the case, but in my experience as a SP, the
> victim virtually always did something to instigate the attack, and is
> usually someone you don't want as a customer.
This may be a reflection of your experience and customer base, but it
isn't a valid generalization. Legitimate customers are attacked all the
time, for various reasons - including unknowingly having their servers
compromised and used as C&Cs by miscreants, who're then attacked by
other miscreants.
But to say that attacks are 'virtually always' provoked by customers
themselves simply isn't true. DDoS extortion, ideologically-motivated
DDoS attacks, maskirovkas intended as a distraction away from other
activities, simple nihilism, et. al. are, unfortunately, quite common.
> When I worked for a cloud hosting provider, the DDoS "victims" tended
> to be fraudulent signups who were doing malicious or anti-social
> things on the net and were not paying customers anyway.
Many DDoS attacks are miscreant-vs.-miscreant, that's certainly true.
Compromised machines are 'attractive nuisances', which is yet another
reason it's important to have visibility into your network traffic (it's
easy to get started with NetFlow and open-source tools).
-----------------------------------
Roland Dobbins <rdobbins at arbor.net>
More information about the NANOG
mailing list