BGP FlowSpec

Pierre Lamy pierre at userid.org
Sat Apr 30 12:56:04 UTC 2016


I was looking into using this mechanism for blocking DDoS on Juniper
devices, but at the time, they only supported 8k flowspec entries/routes
and this was not sufficient to deal with the problem. My fallback was to
poison the routing table with null routes, but the problem with this was
that it didn't address inbound traffic, only the replies.

We ended up ditching all of this in favor of a third party external
scrubbing vendor. They tend to prefer big honking boxes running
signatures wherever possible to drop identified malicious traffic.

When you get right down to it, the vendors have a lot of experience
day-to-day performing mitigations, and flowspec (or other BGP
mitigations) are more useful to carriers and ISPs to null out the
destination rather than the source.

Pierre

On 29/04/2016 9:08 AM, dennis wrote:
> 
>     
> Hi
> Amplification attacks and SYN floods are just touching the surface of DDoS attack vectors.  You should look into some industry reports:
> Here are a couple examples to get you started.
> https://www.radware.com/ert-report-2015/
> http://www.verizonenterprise.com/verizon-insights-lab/dbir/2016/
> 
> Sent via the Samsung GALAXY S® 5, an AT&T 4G LTE smartphone
> 
> -------- Original message --------
> From: Martin Bacher <ti14m028 at technikum-wien.at> 
> Date: 4/29/2016  2:02 AM  (GMT-08:00) 
> To: Tyler Haske <tyler.haske at gmail.com> 
> Cc: NANOG list <nanog at nanog.org> 
> Subject: Re: BGP FlowSpec 
> 
> Hello Tyler,
> 
> thanks for your reply.
> 
>> Am 28.04.2016 um 17:37 schrieb Tyler Haske <tyler.haske at gmail.com>:
>>
>> Martin,
>>
>>
>>> Last but not least: I am also looking for anonymized statistical data about DDoS attacks which I could use in the thesis. I am mainly interested in data about the
>>> type of attacks, attack time, sources, source and destination ports, and so on. I know this is something which is generally not shared, so I would really appreciate it if
>>> someone would be able to share such data.
>>
>> Many companies are extremely reluctant to share their attack data. But that's OK, because there are other ways to get it.
>>
>> Have you investigated backscatter analysis? It's used to see ongoing and current Internet scope DDoS attacks.
> I just had a look at that and thought that it's only able to detect some of the attacks. You might not detect large state-of-the-art reflection and amplification attacks with that method. But I think it is useful for some sorts of attacks like SYN floods. Do you agree?
> 
>>
>> Inferring Internet Denial of Service Activity
>> https://cseweb.ucsd.edu/~savage/papers/UsenixSec01.pdf
>>
>> Analyzing Large DDoS Attacks Using Multiple Data Sources
>> https://www.cs.utah.edu/~kobus/docs/ddos.lsad.pdf
>>
>> ISP Security - Real World Techniques
>> https://www.nanog.org/meetings/nanog23/presentations/greene.ppt
>>
>> A Summary of DoS/DDoS Prevention, Monitoring and Mitigation Techniques in a Service Provider Environment
>> https://www.sans.org/reading-room/whitepapers/intrusion/summary-dos-ddos-prevention-monitoring-mitigation-techniques-service-provider-enviro-1212
>>
>> Maybe you have access to some public IPs, then you can do this data collection yourself.
> Sure, I will definitely think about that.
> 
> Thanks again for your reply and for providing the links.
> 
> Greetings,
> Martin
> 
>>
>> Regards,
>>
>> Tyler
>>
> 
> 
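The backscatter analysis discussed in the quoted thread (victims of spoofed-source SYN floods answer random addresses with SYN-ACK/RST, some of which land in unused address space), as an added illustration that is not part of the original posts. The darknet block, flow records, the "SA"/"R" flag notation and the threshold are constructed assumptions; the scale-up from darknet size to the whole IPv4 space follows the Moore et al. paper linked above.

```python
import ipaddress
from collections import defaultdict

# Constructed sample darknet block and flow records (not real data):
# (timestamp, src_ip, dst_ip, proto, tcp_flags_or_icmp_type)
DARKNET = ipaddress.ip_network("203.0.113.0/24")
RECORDS = [
    (0, "198.51.100.7", "203.0.113.5", "tcp", "SA"),    # SYN-ACK from a SYN-flood victim
    (1, "198.51.100.7", "203.0.113.9", "tcp", "SA"),
    (2, "198.51.100.7", "203.0.113.77", "tcp", "R"),    # RST: victim's port was closed
    (3, "198.51.100.7", "203.0.113.130", "tcp", "SA"),
    (4, "192.0.2.10", "203.0.113.5", "tcp", "S"),       # plain SYN is a scan, not backscatter
    (5, "192.0.2.20", "203.0.113.200", "icmp", 3),      # one unreachable: below threshold
    (6, "198.51.100.7", "203.0.113.5", "tcp", "SA"),
]
# Reflection/amplification floods leave no trace here: the reflectors' replies go to
# the spoofed victim address, never to random darknet addresses (Martin's point).

def is_backscatter(proto, flags):
    """Unsolicited replies only: TCP SYN-ACK or RST, or ICMP destination unreachable."""
    if proto == "tcp":
        return flags in ("SA", "R", "RA")
    if proto == "icmp":
        return flags == 3
    return False

def infer_victims(records, darknet, min_targets=3):
    """Group backscatter by source (the real victim); keep sources that hit enough
    distinct darknet addresses to rule out a single misdirected reply."""
    packets = defaultdict(int)
    targets = defaultdict(set)
    for _ts, src, dst, proto, flags in records:
        if ipaddress.ip_address(dst) not in darknet or not is_backscatter(proto, flags):
            continue
        packets[src] += 1
        targets[src].add(dst)
    # The darknet sees this fraction of replies spread uniformly over IPv4 space.
    scale = 2 ** 32 // darknet.num_addresses
    return {
        src: {"packets": packets[src], "targets": len(targets[src]),
              "est_attack_packets": packets[src] * scale}
        for src in packets if len(targets[src]) >= min_targets
    }

if __name__ == "__main__":
    for victim, stats in infer_victims(RECORDS, DARKNET).items():
        print(victim, stats)
```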
