DDOS solution recommendation
nanog at ics-il.net
Sun Jan 11 14:46:40 UTC 2015
Is anyone maintaining a list of good, bad and ugly providers in terms of how seriously they take things they should like BCP38 and community support and whatever else that's quantifiable?
Intelligent Computing Solutions
----- Original Message -----
From: "Patrick W. Gilmore" <patrick at ianai.net>
To: "NANOG list" <nanog at nanog.org>
Sent: Sunday, January 11, 2015 7:50:22 AM
Subject: Re: DDOS solution recommendation
I agree with lots said here.
But I've said for years (despite some people saying I am confused) that BCP38 is the single most important thing we can do to cut DDoS.
No spoofed source means no amplification. It also stops things like Kaminsky DNS attacks.
There is no silver bullet. Security is a series of steps ("layers" as one highly respected security professional has in his .sig). But the most important layer, the biggest bang for the buck we can do today, is eliminated spoofed source.
Push on your providers. Stop paying for transit from networks that do not filter ingress, put it in your RFPs, and reward those who do with contracts. Make it economically advantageous to fix the problem, and people will.
> On Jan 11, 2015, at 08:46 , Mike Hammett <nanog at ics-il.net> wrote:
> Well there's going to be two sources of the attack... infested clients or machines setup for this purpose (usually in a datacenter somewhere). Enough people blackhole the attacking IPs, those IPs are eventually going to have a very limited view of the Internet. They may not care of it's a server in a datacenter being used to attack, but an infested home PC would care once they can't get to Google, FaceBook, Instagram, whatever.
> If the attacker's abuse contact doesn't care, then just brute force of more and more of the Internet being offline to them, they'll figure it out.
> You hit my honeypot IPs, blackholed for 30 days. You do a DNS request to my non-DNS servers, blackholed for 30 days. Same goes for NTP, mail, web, etc. You have more than say 5 bad login attempts to my mail server in 5 minutes, blackholed for 30 days. You're trying to access various web pages known for home router or Wordpress exploitation, blackholed for 30 days.
> No point in letting troublemakers (manual or scripted) spend more time on the network than necessary. The more people (as a collective or not) that do this, the better.
> Mike Hammett
> Intelligent Computing Solutions
> ----- Original Message -----
> From: "Roland Dobbins" <rdobbins at arbor.net>
> To: nanog at nanog.org
> Sent: Sunday, January 11, 2015 7:24:55 AM
> Subject: Re: DDOS solution recommendation
> On 11 Jan 2015, at 20:07, Mike Hammett wrote:
>> but I'd think that if their network's abuse department was notified,
>> either they'd contact the customer about it issue or at least have on
>> file that they were notified.
> Just because we think something, that doesn't make it true.
>> The way to stop this stuff is for those millions of end users to clean
>> up their infected PCs.
> You may want to do some reading on this topic in order to gain a better
> understanding of the issues involved:
> Some of us have been dealing with DDoS attacks for a couple of decades,
> now. If it were a simple problem, we would've solved it long ago.
> Here's a hint: scale alone makes any problem literally orders of
> magnitude more difficult than any given instance thereof.
> Roland Dobbins <rdobbins at arbor.net>
More information about the NANOG