DDoS auto-mitigation best practices (for eyeball networks)

Chase Christian madsushi at gmail.com
Mon Sep 21 17:59:06 UTC 2015


Most video games utilize peer-to-peer traffic (which is why many require
port forwarding/UPnP), so the attacker has the IP addresses of all of their
peers in their firewall logs. There are even 'gaming routers' that
specialize in gaming this peer-to-peer system for competitive advantages,
such as specifically blocking the IPs of players you don't want to play
against:

https://netduma.com/why/for-gamers/

Once an attacker has identified his target, getting the IP is as simple as
joining/being in an online game with that player.

On Mon, Sep 21, 2015 at 5:00 AM, <frnkblk at iname.com> wrote:

> 99% of the attacks we see are gaming related -- somehow the other players
> know the IP and then attack our customer for an advantage in the game, or
> retribution.
>
> Most DHCP servers (correctly) give the same IP address if the CPE is
> rebooted.  Ours are one of those. =)
>
> Frank
>
> -----Original Message-----
> From: Mehmet Akcin [mailto:mehmet at akcin.net]
> Sent: Saturday, September 19, 2015 3:10 PM
> To: Frank Bulk <frnkblk at iname.com>
> Cc: nanog at nanog.org
> Subject: Re: DDoS auto-mitigation best practices (for eyeball networks)
>
> How does he/she become a target? How does the IP address get exposed?
>
> I guess the simplest way is to reboot the modem and hope to get a new IP (or
> call and request)
>
> Mehmet
>
> > On Sep 19, 2015, at 12:54, Frank Bulk <frnkblk at iname.com> wrote:
> >
> > Could the community share some DDoS auto-mitigation best practices for
> > eyeball networks, where the target is a residential broadband subscriber?
> > I'm not asking so much about the customer communication as much as
> > configuration of any thresholds or settings, such as:
> > - minimum traffic volume before responding (for volumetric attacks)
> > - minimum time to wait before responding
> > - filter percentage: 100% of the traffic toward target (or if volumetric,
> > just a certain percentage)?
> > - time before mitigation is automatically removed
> > - and if the attack should recur shortly thereafter, time to respond and
> > remove again
> > - use of an upstream provider(s) mitigation services versus one's own
> > mitigation tools
> > - network placement of mitigation (presumably upstream as possible)
> > - and anything else
> >
> > I ask about best practice for broadband subscribers on eyeball networks
> > because it's a different environment than data center and hosting
> > environments
> > or when one's network is being used to DDoS a target.
> >
> > Regards,
> >
> > Frank
> >
>
>
>
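As an added example, not code from this thread or from any of its authors: a small Python controller that models the knobs Frank asks about in his original question, namely a minimum traffic volume before responding, a minimum sustained time before responding, the share of traffic toward the target to filter, an automatic release after a quiet period, and a longer hold when the attack recurs shortly after release. The thresholds, the rate samples and the 203.0.113.10 subscriber address are constructed values, and the controller assumes the rate it is fed is measured ahead of the filter so that a running mitigation does not hide an ongoing attack from the release timer.

```python
"""Threshold/hysteresis controller for per-subscriber DDoS auto-mitigation.

Added example, not from the NANOG thread.  All numbers are assumed values
chosen to illustrate the tuning knobs discussed in the thread.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Policy:
    volume_threshold_bps: float   # minimum traffic volume before responding
    trigger_seconds: float        # sustained time above threshold before responding
    filter_fraction: float        # share of traffic toward target to drop (1.0 = all of it)
    release_seconds: float        # quiet time below threshold before mitigation is removed
    recurrence_window: float      # a new attack this soon after release counts as a recurrence
    recurrence_multiplier: float  # each recurrence multiplies the release hold time


@dataclass
class TargetState:
    above_since: Optional[float] = None  # first sample of the current run above threshold
    below_since: Optional[float] = None  # first sample of the current quiet run while mitigating
    mitigating: bool = False
    last_release: Optional[float] = None
    recurrences: int = 0


@dataclass(frozen=True)
class Action:
    ts: float
    kind: str               # "START" or "STOP"
    target: str
    filter_fraction: float  # meaningful for START only
    hold_seconds: float     # quiet time required before this mitigation is released


class Mitigator:
    def __init__(self, policy: Policy) -> None:
        self.policy = policy
        self.states: Dict[str, TargetState] = {}

    def _hold_seconds(self, st: TargetState) -> float:
        # The release timer grows geometrically with each recurrence, so an
        # attacker who re-fires right after release sees the filter stay up
        # longer each time instead of getting a fresh short window.
        p = self.policy
        return p.release_seconds * (p.recurrence_multiplier ** st.recurrences)

    def observe(self, ts: float, target: str, bps: float) -> Optional[Action]:
        """Feed one rate sample (bits/s, measured ahead of the filter) for a target."""
        p = self.policy
        st = self.states.setdefault(target, TargetState())
        if bps >= p.volume_threshold_bps:
            st.below_since = None           # any quiet run is over
            if st.mitigating:
                return None                 # already filtering; keep holding
            if st.above_since is None:
                st.above_since = ts         # start the dwell timer
                return None
            if ts - st.above_since < p.trigger_seconds:
                return None                 # not sustained long enough yet
            # Sustained above threshold: decide whether this is a recurrence.
            if st.last_release is not None and ts - st.last_release <= p.recurrence_window:
                st.recurrences += 1
            else:
                st.recurrences = 0
            st.mitigating = True
            st.above_since = None
            return Action(ts, "START", target, p.filter_fraction, self._hold_seconds(st))
        # Below threshold.
        st.above_since = None
        if not st.mitigating:
            return None
        if st.below_since is None:
            st.below_since = ts             # start the release timer
            return None
        if ts - st.below_since < self._hold_seconds(st):
            return None
        st.mitigating = False
        st.below_since = None
        st.last_release = ts
        return Action(ts, "STOP", target, 0.0, 0.0)


# Constructed rate samples (timestamp in seconds, bits/s) for one subscriber:
# a 1.5-2 Gbps flood, a quiet period, then the same flood again soon after release.
SAMPLE_RATES = [
    (0, 2e8), (10, 1.5e9), (20, 1.6e9), (30, 1.6e9), (40, 1.7e9), (50, 1.7e9),
    (100, 1e8), (200, 1e8), (400, 1e8),
    (500, 2e9), (530, 2e9),
    (600, 1e8), (900, 1e8), (1200, 1e8),
]


def run_sample() -> List[Action]:
    """Run the constructed samples through an assumed policy and return the actions taken."""
    policy = Policy(volume_threshold_bps=1e9, trigger_seconds=30, filter_fraction=1.0,
                    release_seconds=300, recurrence_window=600, recurrence_multiplier=2.0)
    m = Mitigator(policy)
    actions = []
    for ts, bps in SAMPLE_RATES:
        action = m.observe(ts, "203.0.113.10", bps)  # RFC 5737 documentation address
        if action is not None:
            actions.append(action)
    return actions


if __name__ == "__main__":
    for a in run_sample():
        print(a)
```

With these values the controller starts filtering at t=40 (30 s sustained above 1 Gbps), releases at t=400 after 300 s of quiet, and when the flood returns at t=500 it starts again at t=530 but now holds for 600 s, releasing at t=1200. Setting `filter_fraction` below 1.0 is the hook for the "just a certain percentage" option for volumetric attacks; the controller only decides when to act, and the actual drop or rate-limit is left to whatever the mitigation device does with the action.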