DDOS solution recommendation

Scott Fisher littlefishguy at gmail.com
Mon Jan 12 21:51:58 UTC 2015

In looking at this thread, it's apparent that some are trying to
over-simplify a not-so-simple problem. As someone brought out earlier,
there is no silver bullet fix, for several reasons. Some reasons
that I can come up with off the top of my head are:

1) DDOS types vary.
2) Not every network is the same (shocker, I know).
3) Time/Money - not every company has the same budget (again, shocker).
4) Staff/Resources - Not every company has admins/engineers at
different technical levels. So someone may decide on blocking an
attack at different levels because "that's what they know." E.g.:
the WordPress guy blocks attacks at the web server level, an admin blocks
it at the system, the network admin at the edge.

The questions should be much more narrow. "How should I mitigate an
NTP reflection?" or "What are common mistakes people make when
mitigating attacks?" are more specific questions that all can
glean from.


On Mon, Jan 12, 2015 at 4:35 PM, Mike Hammett <nanog at ics-il.net> wrote:
> So the preferred alternative is to simply do nothing at all? That seems fair.
> -----
> Mike Hammett
> Intelligent Computing Solutions
> http://www.ics-il.com
> ----- Original Message -----
> From: "Christopher Morrow" <morrowc.lists at gmail.com>
> To: "Brandon Ross" <bross at pobox.com>
> Cc: "Mike Hammett" <nanog at ics-il.net>, "NANOG list" <nanog at nanog.org>
> Sent: Monday, January 12, 2015 3:05:14 PM
> Subject: Re: DDOS solution recommendation
> On Mon, Jan 12, 2015 at 3:17 PM, Brandon Ross <bross at pobox.com> wrote:
>> On Sun, 11 Jan 2015, Mike Hammett wrote:
>>> I know that UDP can be spoofed, but it's not likely that the SSH, mail,
>>> etc. login attempts, web page hits, etc. would be spoofed as they'd have to
>>> know the response to be of any good.
>> Okay, so I'm curious. Are you saying that you do not automatically block
>> attackers until you can confirm a 3-way TCP handshake has been completed,
>> and therefore you aren't blocking sources that were spoofed? If so, how are
>> you protecting yourself against SYN attacks? If not, then you've made it
>> quite easy for attackers to deny any source they want.
> This all seems like a fabulous conversation we're watching, but really
> .. if someone wants to block large swaths of the intertubes on their
> systems it's totally up to them, right? They can choose to not be
> functional all they want, as near as I can tell... and arguing with
> someone with this mentality isn't productive, especially after several
> (10+? folk) have tried to show and tell some experience that would
> lead to more cautious approaches.
> If Mike wants fewer packets, that's all cool... I'm not sure it's
> actually solving anything, but sure, go right ahead, have fun.
> -chris
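Brandon's point above (block on unconfirmed sources and an attacker can get any address they forge blocked for you) is easier to see side by side in code. The following is an added example, not anything posted in the thread: it runs two auto-block policies over a constructed event log from a hypothetical stateful firewall, where an "established" event is emitted only after the tracker saw the valid third ACK of the handshake.

```python
from collections import Counter

# Constructed event log from a hypothetical stateful firewall/IDS (not real
# traffic). An "established" event is only emitted once the tracker has seen
# the valid third ACK of the 3-way handshake; a sender forging its source
# address never receives the SYN-ACK, so it cannot produce that event.
SAMPLE_EVENTS = [
    ("203.0.113.7", "syn"),          # SYN flood using a third party's forged address
    ("203.0.113.7", "syn"),
    ("203.0.113.7", "syn"),
    ("203.0.113.7", "syn"),
    ("198.51.100.9", "syn"),         # real client that then brute-forces logins
    ("198.51.100.9", "established"),
    ("198.51.100.9", "login_fail"),
    ("198.51.100.9", "login_fail"),
    ("198.51.100.9", "login_fail"),
    ("198.51.100.9", "login_fail"),
    ("192.0.2.44", "syn"),           # real client that mistyped a password once
    ("192.0.2.44", "established"),
    ("192.0.2.44", "login_fail"),
]


def naive_block(events, threshold=4):
    """Block any source that produced at least `threshold` events of any kind.

    Bare SYNs count, so a flood with forged sources gets innocent
    addresses blocked: the attacker chooses who you deny."""
    counts = Counter(src for src, _ in events)
    return {src for src, n in counts.items() if n >= threshold}


def handshake_aware_block(events, threshold=4):
    """Block only sources that completed a handshake and then failed
    `threshold` or more logins. SYNs alone never count toward blocking,
    so forged-source traffic cannot get a third party blocked."""
    established = set()
    failures = Counter()
    for src, kind in events:
        if kind == "established":
            established.add(src)
        elif kind == "login_fail" and src in established:
            failures[src] += 1
    return {src for src, n in failures.items() if n >= threshold}
```

Withholding blocks until the handshake completes answers Brandon's first question but not his second: the SYN flood itself still has to be absorbed by something else (SYN cookies, rate limits at the edge), which this snippet does not attempt.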

