DDoS auto-mitigation best practices (for eyeball networks)

frnkblk at iname.com frnkblk at iname.com
Mon Sep 21 12:00:14 UTC 2015

99% of the attacks we see are gaming related -- somehow the other players
know the IP and then attack our customer for an advantage in the game, or

Most DHCP servers (correctly) give the same IP address if the CPE is
rebooted.  Ours are one of those. =)


-----Original Message-----
From: Mehmet Akcin [mailto:mehmet at akcin.net] 
Sent: Saturday, September 19, 2015 3:10 PM
To: Frank Bulk <frnkblk at iname.com>
Cc: nanog at nanog.org
Subject: Re: DDoS auto-mitigation best practices (for eyeball networks)

How does he/she become target? How does IP address gets exposed?

I guess simplest way is to reboot modem and hope to get new ip (or call n


> On Sep 19, 2015, at 12:54, Frank Bulk <frnkblk at iname.com> wrote:
> Could the community share some DDoS auto-mitigation best practices for
> eyeball networks, where the target is a residential broadband subscriber?
> I'm not asking so much about the customer communication as much as
> configuration of any thresholds or settings, such as:
> - minimum traffic volume before responding (for volumetric attacks)
> - minimum time to wait before responding
> - filter percentage: 100% of the traffic toward target (or if volumetric,
> just a certain percentage)?
> - time before mitigation is automatically removed
> - and if the attack should recur shortly thereafter, time to respond and
> remove again
> - use of an upstream provider(s) mitigation services versus one's own
> mitigation tools
> - network placement of mitigation (presumably upstream as possible)
> - and anything else
> I ask about best practice for broadband subscribers on eyeball networks
> because it's different environment than data center and hosting
> or when one's network is being used to DDoS a target.
> Regards,
> Frank

More information about the NANOG mailing list