DDOS solution recommendation
david at mailplus.nl
Mon Jan 12 08:29:59 UTC 2015
About trying to hit the mail ports... It is very easy for a domain to set its MX to a random host name. So before you block you might want to check the To-domain in the header of the mail. Otherwise it is too easy to DoS yourself (by planting email addresses in systems, such as mine, and then changing the MX of that domain to your hosts).
MailPlus B.V. Netherlands (ESP)
Van: NANOG [mailto:nanog-bounces at nanog.org] Namens Mike Hammett
Verzonden: Sunday, January 11, 2015 2:46 PM
Aan: Roland Dobbins
CC: nanog at nanog.org
Onderwerp: Re: DDOS solution recommendation
Well there's going to be two sources of the attack... infested clients or machines setup for this purpose (usually in a datacenter somewhere). Enough people blackhole the attacking IPs, those IPs are eventually going to have a very limited view of the Internet. They may not care of it's a server in a datacenter being used to attack, but an infested home PC would care once they can't get to Google, FaceBook, Instagram, whatever.
If the attacker's abuse contact doesn't care, then just brute force of more and more of the Internet being offline to them, they'll figure it out.
You hit my honeypot IPs, blackholed for 30 days. You do a DNS request to my non-DNS servers, blackholed for 30 days. Same goes for NTP, mail, web, etc. You have more than say 5 bad login attempts to my mail server in 5 minutes, blackholed for 30 days. You're trying to access various web pages known for home router or Wordpress exploitation, blackholed for 30 days.
No point in letting troublemakers (manual or scripted) spend more time on the network than necessary. The more people (as a collective or not) that do this, the better.
Intelligent Computing Solutions
----- Original Message -----
From: "Roland Dobbins" <rdobbins at arbor.net>
To: nanog at nanog.org
Sent: Sunday, January 11, 2015 7:24:55 AM
Subject: Re: DDOS solution recommendation
On 11 Jan 2015, at 20:07, Mike Hammett wrote:
> but I'd think that if their network's abuse department was notified,
> either they'd contact the customer about it issue or at least have on
> file that they were notified.
Just because we think something, that doesn't make it true.
> The way to stop this stuff is for those millions of end users to clean
> up their infected PCs.
You may want to do some reading on this topic in order to gain a better understanding of the issues involved:
Some of us have been dealing with DDoS attacks for a couple of decades, now. If it were a simple problem, we would've solved it long ago.
Here's a hint: scale alone makes any problem literally orders of magnitude more difficult than any given instance thereof.
Roland Dobbins <rdobbins at arbor.net>
More information about the NANOG