Krebs on Security booted off Akamai network after DDoS attack proves pricey

Mike Hammett nanog at ics-il.net
Sun Sep 25 14:50:54 UTC 2016


I've heard people say doing BCP38 is hard for big networks, and it is if you do it at your provider/peering edges. It's easier if done at the customer edge. Simply don't allow the traffic onto your network to start with.

Limit the spoofing attacks to just a single random ASN. How much smaller is the attack than it is now with hundreds or thousands of them? 




----- 
Mike Hammett 
Intelligent Computing Solutions 
http://www.ics-il.com 

Midwest-IX 
http://www.midwest-ix.com 

----- Original Message -----

From: "Ca By" <cb.list6 at gmail.com> 
To: "Jay Farrell" <jayfar at jayfar.com> 
Cc: "North American Network Operators' Group" <nanog at nanog.org> 
Sent: Sunday, September 25, 2016 9:36:18 AM 
Subject: Re: Krebs on Security booted off Akamai network after DDoS attack proves pricey 

On Sunday, September 25, 2016, Jay Farrell via NANOG <nanog at nanog.org> 
wrote: 

> And of course Brian Krebs has a thing or two to say, not the least of which is
> to push for BCP38 (good luck with that, right?).
> 
> https://krebsonsecurity.com/2016/09/the-democratization-of-censorship/ 
> 
> 

Yeh, BCP38 is not a viable solution.

As long as there is one spoof-capable network on the net, the problem will
not be solved. While BCP38 is a true BCP, it is not a solution. It will
not, and has not, moved the needle.

A solution is aggregating the telemetry of source IP addresses in the 
botnet and assigning blame and liability to the owners of the IP addresses 
/ host ASN. 

The networks can then use AUP to shut down the bot members.

Whereas http://openntpproject.org/ was a proactive approach, Krebs's data
can be a reactive approach. And since the data is evidence of a crime, the
network operators can enforce the AUP. The attack did happen. This IP was
involved. Remediation is required.


From there, the host ASN can

> On Sun, Sep 25, 2016 at 12:43 AM, Jay R. Ashworth <jra at baylink.com>
> wrote:
> 
> > ----- Original Message ----- 
> > > From: "Jay Farrell via NANOG" <nanog at nanog.org>
> > 
> > > And of course on windows ipconfig /flushdns 
> > > 
> > > Still I had to wait for my corporate caching servers to update; I think
> > > the TTL on the old A record was an hour.
> > 
> > Are big eyeball networks still flooring A record TTLs on resolution? 
> > 
> > Cheers, 
> > -- jra 
> > -- 
> > Jay R. Ashworth        Baylink                      jra at baylink.com
> > Designer               The Things I Think           RFC 2100
> > Ashworth & Associates  http://www.bcp38.info        2000 Land Rover DII
> > St Petersburg FL USA   BCP38: Ask For It By Name!   +1 727 647 1274
> > 
> 
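
Customer-edge source address validation as discussed at the top of this message, shown as an added example that is not part of the original thread: each customer port carries a short list of assigned prefixes, and a packet is forwarded only if its source address falls inside one of them. The port names, prefixes (documentation address space) and packets are constructed for illustration.

```python
import ipaddress
from collections import Counter

# Constructed sample: customer-facing ports and the prefixes assigned to each
# (documentation address space, RFC 5737 / RFC 3849).
CUSTOMER_PREFIXES = {
    "cust-a": ["192.0.2.0/25", "2001:db8:a::/48"],
    "cust-b": ["198.51.100.0/24"],
}

def build_acl(table):
    """Parse each port's prefix list once into ip_network objects."""
    return {port: [ipaddress.ip_network(p) for p in prefixes]
            for port, prefixes in table.items()}

def permit(acl, port, src):
    """BCP38 check at the customer edge: accept a packet only if its source
    address falls inside a prefix assigned to the port it arrived on."""
    addr = ipaddress.ip_address(src)
    # Unknown ports get an empty list, so they default to drop.
    return any(addr.version == net.version and addr in net
               for net in acl.get(port, []))

def filter_packets(acl, packets):
    """Return (forwarded packets, Counter of drops per ingress port)."""
    forwarded, dropped = [], Counter()
    for port, src in packets:
        if permit(acl, port, src):
            forwarded.append((port, src))
        else:
            dropped[port] += 1
    return forwarded, dropped

# Constructed (ingress port, source address) pairs.
SAMPLE = [
    ("cust-a", "192.0.2.10"),      # legitimate
    ("cust-a", "203.0.113.7"),     # spoofed: not cust-a's space
    ("cust-a", "2001:db8:a::1"),   # legitimate IPv6
    ("cust-b", "192.0.2.10"),      # spoofed: cust-a's address on cust-b's port
    ("cust-b", "198.51.100.200"),  # legitimate
    ("cust-c", "198.51.100.1"),    # port with no assigned prefixes
]

if __name__ == "__main__":
    ok, drops = filter_packets(build_acl(CUSTOMER_PREFIXES), SAMPLE)
    print("forwarded:", ok)
    print("dropped per port:", dict(drops))
```

The per-port drop counter doubles as telemetry: a customer port with a steadily rising count is either misconfigured or hosting a spoofing source.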