Krebs on Security booted off Akamai network after DDoS attack proves pricey

Christopher Morrow morrowc.lists at
Sat Sep 24 02:42:45 UTC 2016

On Fri, Sep 23, 2016 at 10:13 PM, Jon Lewis <jlewis at> wrote:

> On Fri, 23 Sep 2016, Christopher Morrow wrote:
> On Fri, Sep 23, 2016 at 9:24 PM, Jon Lewis <jlewis at> wrote:
>> On Fri, 23 Sep 2016, Patrick W. Gilmore wrote:
>>> Is CloudFlare able to filter Layer 7 these days? I was under the
>>>> impression CloudFlare was not able to do that.
>>>> There have been a lot of rumors about this attack. Some say reflection,
>>>> others say Layer 7, others say .. other stuff. If it is Layer 7, how are
>>>> you going to ÿÿstep in front of the cannonÿÿ? Would you just pass
>>>> through
>>>> all the traffic?
>>> Anycast + load balancers + high powered varnish?
>>> notionally (because I have been paying zero attention to this) jon's
>> suggesting:
>>  1) setup a crapload of nginx/squid/etc configured tightly for things to
>> be accessed behind them
>>  2) ecmp to them across several layers (assume 32 ecmp at each layer, call
>> it 4 layers get craploads of machines running)
>>  3) change over the dns
>>  4) profit--
>> eh? If you can eat the PPS, you can spray across enough tcp listeners, you
>> can weed out the chaff and start filtering in the 'application'... perhaps
>> also run a 'low bandwidth' version of the target site...
>> hey look, we invented prolexic.
> anycast, I meant BGP anycast, spreading the "target"
> geographically to a dozen or more well connected/peered origins.  At that
> point, your ~600G DDoS might only be around

anycast and tcp? the heck you say! :)

> 50G per site, and at that level, filtering the obvious crap gets much more
> reasonable.  Then, doing the layer 7 scrubbing of the less obvious crap is
> more easily dealt with than a single site receiving 600G of attack traffic.
sure, yes.

> I haven't actually done this (specifically for DDoS mitigation)...just
> speculating as to how it might easily be done given sufficient resources.
> The trouble is, the attackers have virtually unlimited bandwidth, and
> aren't constrained by having to pay for the bandwidth.
sounds like you got it all sorted out...

> ----------------------------------------------------------------------
>  Jon Lewis, MCP :)           |  I route
>                              |  therefore you are
> _________ for PGP public key_________

More information about the NANOG mailing list