DDoS auto-mitigation best practices (for eyeball networks)

alvin nanog nanogml at Mail.DDoS-Mitigator.net
Sun Sep 20 18:55:16 UTC 2015


On 09/19/15 at 02:54pm, Frank Bulk wrote:
> Could the community share some DDoS auto-mitigation best practices for
> eyeball networks, where the target is a residential broadband subscriber?

o kie dough kie

> I'm not asking so much about the customer communication as much as
> configuration of any thresholds or settings, such as:
> - minimum traffic volume before responding (for volumetric attacks)

i prefer zero tolerance ...

i tarpit all incoming tcp-based attacks and probes that were
not allowed incoming tcp traffic to port 25 or port 80 or port blah

example iptables rules ... linux and iptables  + tarpits is free
	# IPtables-BlackList.net/Howto
	- ingress filters
	- allow established 
	- check for blacklist
	- limit udp and icmp reply ( tough problem to solve )
	- allow to port 80 ( keep webserver separate from dns, smtp, etc )
	- tarpit all new tcp incoming connections
	- drop all other new incoming connections

	- there is no need to log millions of ddos attack packets
	per second unless you want to fill up your disk which
	helps the ddos attacks to be a successful attack

- for icmp and udp ... you will need your ISP to help block it

  limiting incoming icmp/udp is sorta pointless since those
  packets already come down the wire

  however, you still do NOT want to respond to those packets either
  so you will have to limit to just a handful per second, little more
  per hour, and higher limit per day

  for icmp ... turn off broadcast ping responses on all devices

  for udp ... make sure the apps are properly configured
	dns, snmp, ntp, nfs, x11, etc use udp

	your dns servers might need to be accessible from outside
	all other udp-based servers should be internal only

- to protect against arp-based attacks .... 
	build/patch/configure your hardware/routers/switches properly

- install monitoring tools to watch for whatever you're paranoid about
	- man-in-the-middle .. trivial to detect and prevent
	- sniffers ( hard to detect )

> - minimum time to wait before responding

zero wait ...

> - filter percentage: 100% of the traffic toward target (or if volumetric,
> just a certain percentage)?

you will always, 100% fail volumetric attacks 

> - time before mitigation is automatically removed

you can have iptables remove a particular ddos attacker automatically
or manually

i prefer manually so i can see what it's doing

> - and if the attack should recur shortly thereafter, time to respond and
> remove again

zero wait time  .. zero tolerance per example iptables rules above

> - use of an upstream provider(s) mitigation services versus one's own
> mitigation tools

i haven't found too many ISPs willing to allow customers to put
a customer firewall in their facility just before it comes down to 
the wire to the customer's bldg

this is required if customers want to properly mitigate icmp-based 
and udp-based ddos attacks

> - network placement of mitigation (presumably upstream as possible)
> - and anything else

mitigation solutions should be a gateway firewall and host-based mitigation

if you can install another firewall at the ISP, that's good too
and you still need a gateway firewall and the host-based firewall

> I ask about best practice for broadband subscribers on eyeball networks
> because it's different environment than data center and hosting environments
> or when one's network is being used to DDoS a target.

add corp environment, hospitality environment, govt environment, 
etc etc to the list too
	- free wifi, hotel based wifi or hardwire is probably
	the easiest way to send the unsuspecting victim home 
	with a trojan that will phone home ( the attacker )
	when the victim plugs the cracked box into the secure
	corp network

nah.... ddos attacks are ddos attacks ... usually harmless ...
it probably doesn't matter to the attackers what they're attacking 

you are constantly under 24x7x365 low level ddos attacks

if you are being targeted by somebody that wants to get you,
you'd have a problem if they're better at attacking than you 
are at defending your servers ...

they're done if they have a bigger budget to pay for all the 
necessary bandwidth needed to take your servers offline

  - if you know who they are, call the ISP and the cops

-----

other "basic best practices"
- have a good security policy ... even if just for yourself
	hide the laptop in your trunk using a brown bag
	and NOT an obvious laptop bag 
- always use encrypted services... never clear text
	- use ssh, openssl, smtps, pop3s, imap3s 

- dozens of other best practices security rules
	- always have an incremental daily backup that is kept
	for months
	- always have a hot swap backup just in case
	.... etc .. etc ...

----

you should also keep track of who is attacking your servers
so that law enforcement can follow up if needed

you should also know which src address might be spoofed and 
which ddos attackers are using their real src ip

	tracing the originating source of a spoofed address
	requires the help of the various upstream ISPs

magic pixie dust
alvin
#
# DDoS-Mitigator.com
# IPtables-BlackList.net/Howto
#
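An added example, not from alvin's post or the linked howto, of the rule ordering his outline above sketches (ingress filters, allow established, blacklist check, rate-limited icmp/udp, allow port 80, tarpit other new tcp, drop the rest with no logging) as a shell script. The WAN interface name, the ipset name and the rate values are assumptions; TARPIT comes from the xtables-addons package, not stock iptables.

```shell
#!/bin/sh
# Added example, not from the original post: an iptables INPUT chain ordered
# the way the post outlines. Assumptions: interface name, ipset name, rates.
# TARPIT is provided by xtables-addons and must be installed separately.
IPT="${IPT:-iptables}"                        # set IPT="echo iptables" to dry-run
SYSCTL="${SYSCTL:-sysctl}"                    # set SYSCTL="echo sysctl" to dry-run
WAN="${WAN:-eth0}"                            # assumed external interface
BLACKLIST_SET="${BLACKLIST_SET:-blacklist}"   # assumed ipset of known attackers

apply_rules() {
    # ingress filters: a packet arriving from the wire must not claim a
    # private or loopback source address (spoofed)
    for net in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 127.0.0.0/8; do
        $IPT -A INPUT -i "$WAN" -s "$net" -j DROP
    done
    # allow established: replies to our own connections pass early
    $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # check for blacklist: known sources are dropped before any further work
    $IPT -A INPUT -i "$WAN" -m set --match-set "$BLACKLIST_SET" src -j DROP
    # limit icmp and udp: answer a handful per second, silently drop the rest
    $IPT -A INPUT -i "$WAN" -p icmp -m limit --limit 5/second --limit-burst 10 -j ACCEPT
    $IPT -A INPUT -i "$WAN" -p icmp -j DROP
    $IPT -A INPUT -i "$WAN" -p udp --dport 53 -m limit --limit 50/second -j ACCEPT
    $IPT -A INPUT -i "$WAN" -p udp -j DROP
    # allow to port 80: the one tcp service this host exposes
    $IPT -A INPUT -i "$WAN" -p tcp --syn --dport 80 -j ACCEPT
    # tarpit all other new tcp connections: hold the attacker's socket open
    $IPT -A INPUT -i "$WAN" -p tcp --syn -j TARPIT
    # drop all other new incoming connections; no LOG rule anywhere, because
    # logging millions of attack packets per second only fills the disk
    $IPT -A INPUT -i "$WAN" -j DROP
}

disable_broadcast_ping() {
    # icmp: turn off broadcast ping responses on the host itself
    $SYSCTL -w net.ipv4.icmp_echo_ignore_broadcasts=1
}

# only touch the live firewall when explicitly asked to
if [ "${1:-}" = "apply" ]; then
    disable_broadcast_ping
    apply_rules
fi
```

Run with `IPT="echo iptables" SYSCTL="echo sysctl" sh script.sh apply` to print the rules instead of loading them.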
