DDOS, IDS, RTBH, and Rate limiting
contact at winterei.se
Sun Nov 9 13:42:57 UTC 2014
I've used the first one, and hacked on the second.
WANGuard, when deployed properly, works amazingly well.
ddosmon is only useful if you have netflow v5 flows (or sflow that can
get converted to nfv5), but also works well when coupled with exabgp /
I added some per ip limiting / exemption features to it (which may or
may not work, I no longer use it. We've moved to something in house) --
available on this fork (https://github.com/Wintereise/ddosmon-mod)
The atheme framework it's built on is fairly easy to extend as well.
But yeah, automated rtbh is really easy (and cheap!) to do these days.
On 11/9/2014 午前 11:56, srn.nanog at prgmr.com wrote:
> I have no idea if any of them actually work.
> On 11/08/2014 05:10 PM, Eric C. Miller wrote:
>> Today, we experienced (3) separate DDoS attacks from Eastern Asia, all generating > 2Gbps towards a single IP address in our network. All 3 attacks targeted different IP addresses with dst UDP 19, and the attacks lasted for about 5 minutes and stopped as fast as they started.
>> Does anyone have any suggestions for mitigating these type of attacks?
>> A couple of things that we've done already...
>> We set up BGP communities with our upstreams, and tested that RTBH can be set and it does work. However, by the time that we are able to trigger the black hole, the attack is almost always over.
>> For now, we've blocked UDP 19 incoming at our edge, so that if future, similar attacks occur, it doesn't affect our internal links.
>> What I think that I need is an IDS that can watch our edge traffic and automatically trigger a block hole advertisement for any internal IP beginning to receive > 100Mbps of traffic. A few searches are initially coming up dry...
>> Eric Miller, CCNP
>> Network Engineering Consultant
>> (407) 257-5115
More information about the NANOG