Ransom DDoS attack - need help!

alvin nanog nanogml at Mail.DDoS-Mitigator.net
Fri Dec 4 14:15:22 UTC 2015


hi ya roland

On 12/04/15 at 11:09am, Roland Dobbins wrote:
> On 4 Dec 2015, at 9:34, alvin nanog wrote:
> >all that tcpdump gibberish
> 
> Is entirely unnecessary, as well as being completely impractical on a
> network of any size.

up to a point, probing around at the packet level is unnecessary depending
on what one is looking for as the end result

> Reasonable network access policies for the entities under attack plus flow
> telemetry collection/analysis, S/RTBH, and/or flowspec are a good start,
> along with this:

flows may address some of the DDoS issues but might not cover all
the various DDoS attacks and mitigation options and still stay within the
victims' possibly non-existent DDoS mitigation budgets

> This business of attempting to use packet captures for everything is the
> equivalent of your doctor attempting to diagnose the reason you're running a
> fever by using an electron microscope.

sometimes, one does need to be able to crawl, before walking, before
running track vs running marathons or find someone that can run for you

in the case of ddos mitigation, no one solution can mitigate against all
the possible various attacks... mitigation is a multi-layered solution

- who-what-when-where-how-why-etc:

- one does need to know what servers, ports and hw are being attacked

  it makes DDoS mitigation a lot easier if you know what is under attack
  and orders of magnitude less expensive to mitigate

- one does need to know who is attacking

  if one cannot defend against low level script kiddie ddos attacks,
  it's unlikely one will survive a ddos attack from a more skilled attacker
  determined to take out a server or break in etc

  if you can and have defended against all the basic script kiddie ddos attacks,
  then it might make it easier to find the next set of the various
  ddos mitigation options you need to take

- one does need to know how often, what time, they are attacking

  if they are attacking after hours, some folks might not care compared
  to them attacking during regular business hours

- one does need to know how much traffic the attacks are costing you
  in terms of time and loss of productivity due to wasted bandwidth

  even 10% of your bandwidth used up by useless DDoS traffic is still
  noticeably annoying if you were looking to increase network performance

- nobody can really say why they are attacking, other than are you
  a low level fruit for easy picking or a targeted victim for
  many reasons ( paid ransom before, high profile servers, a bank,
  govt servers, etc ) .. pay once and all the other DDoS ransom attackers
  will come knocking to collect their share

> Start with the BCPs, then move to the macroanalytical.  Only dip into the
> microanalytical when required, and even then, do so very selectively.

yup... selective and escalate the mitigation process and procedure

magix pixie dust
alvin
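The who/what/when/how-much checklist above can be answered from flow telemetry rather than packet captures, which is the point Roland makes about starting with the macroanalytical. The following is an added example, written for this page and not code from either poster: it aggregates simplified NetFlow/IPFIX-style records per minute, flags the minutes where traffic crosses a share of an assumed 100 Mbit/s link, and then reports the target (dst IP/port), the sources and the hour of day for those minutes. The flow records, addresses (RFC 5737 documentation prefixes) and link size are all constructed for illustration.

```python
from collections import Counter

# Constructed sample flow records (simplified NetFlow/IPFIX export, one tuple per flow):
# (flow start, UTC; src_ip; dst_ip; dst_port; proto; bytes). Not real traffic.
SAMPLE_FLOWS = [
    # quiet minute: ordinary HTTPS traffic to a second server
    ("2015-12-04T13:59:10Z", "192.0.2.10", "203.0.113.20", 443, "tcp", 200_000),
    ("2015-12-04T13:59:40Z", "192.0.2.11", "203.0.113.20", 443, "tcp", 150_000),
    # busy minute: several sources pushing large volumes at one server/port
    ("2015-12-04T14:00:05Z", "198.51.100.1", "203.0.113.10", 80, "tcp", 122_000_000),
    ("2015-12-04T14:00:07Z", "198.51.100.2", "203.0.113.10", 80, "tcp", 120_000_000),
    ("2015-12-04T14:00:09Z", "198.51.100.3", "203.0.113.10", 80, "tcp", 119_000_000),
    ("2015-12-04T14:00:12Z", "198.51.100.4", "203.0.113.10", 80, "tcp", 119_000_000),
    ("2015-12-04T14:00:30Z", "192.0.2.10", "203.0.113.20", 443, "tcp", 180_000),
    # following minute: back to normal
    ("2015-12-04T14:01:15Z", "192.0.2.12", "203.0.113.20", 443, "tcp", 120_000),
]

LINK_BPS = 100_000_000   # assumed upstream link capacity (illustrative)
BUCKET_SECONDS = 60      # flows are aggregated per minute


def bucket_of(ts):
    """Minute bucket label for an ISO timestamp, e.g. '2015-12-04T14:00'."""
    return ts[:16]


def bytes_per_bucket(flows):
    """Total bytes seen in each minute bucket (the 'when' and 'how much')."""
    totals = Counter()
    for ts, _src, _dst, _port, _proto, nbytes in flows:
        totals[bucket_of(ts)] += nbytes
    return totals


def link_utilisation(flows, link_bps=LINK_BPS):
    """Fraction of link capacity consumed in each minute bucket."""
    return {b: (n * 8 / BUCKET_SECONDS) / link_bps
            for b, n in bytes_per_bucket(flows).items()}


def hot_buckets(flows, threshold=0.5, link_bps=LINK_BPS):
    """Minute buckets whose traffic is at or above `threshold` of the link."""
    return sorted(b for b, u in link_utilisation(flows, link_bps).items()
                  if u >= threshold)


def top_targets(flows, buckets, n=3):
    """(dst_ip, dst_port, proto) receiving the most bytes in `buckets` (the 'what')."""
    c = Counter()
    for ts, _src, dst, port, proto, nbytes in flows:
        if bucket_of(ts) in buckets:
            c[(dst, port, proto)] += nbytes
    return c.most_common(n)


def top_sources(flows, target, buckets, n=5):
    """Sources sending the most bytes to `target` in `buckets` (the 'who')."""
    c = Counter()
    for ts, src, dst, port, proto, nbytes in flows:
        if bucket_of(ts) in buckets and (dst, port, proto) == target:
            c[src] += nbytes
    return c.most_common(n)


def hot_hours(flows, threshold=0.5, link_bps=LINK_BPS):
    """How many hot minutes fall in each UTC hour (after-hours vs business hours)."""
    return Counter(b[11:13] for b in hot_buckets(flows, threshold, link_bps))


def summarise(flows, threshold=0.5, link_bps=LINK_BPS):
    """Answer the checklist for one batch of flows: when, what, who, how much."""
    hot = set(hot_buckets(flows, threshold, link_bps))
    util = link_utilisation(flows, link_bps)
    targets = top_targets(flows, hot) if hot else []
    return {
        "hot_buckets": sorted(hot),
        "peak_utilisation": max(util.values()) if util else 0.0,
        "targets": targets,
        "sources": {t: top_sources(flows, t, hot) for t, _ in targets},
        "hot_hours": hot_hours(flows, threshold, link_bps),
    }


if __name__ == "__main__":
    for key, value in summarise(SAMPLE_FLOWS).items():
        print(f"{key}: {value}")
```

With the constructed records, only the 14:00 minute crosses half the link (about 64% utilisation), almost all of it to 203.0.113.10:80 from the four 198.51.100.x sources; that is enough to pick a target prefix/port for S/RTBH or a flowspec rule without opening a single pcap. On a real collector the same aggregation runs over exported flows instead of the inline list, with the threshold set from a measured baseline rather than a fixed 50%.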


