[133298] in North American Network Operators' Group


Re: Over a decade of DDOS--any progress yet?

daemon@ATHENA.MIT.EDU (Jeffrey Lyon)
Wed Dec 8 10:41:19 2010

In-Reply-To: <DFF540B5-2621-4C98-927A-D129EE677E11@gmail.com>
Date: Wed, 8 Dec 2010 10:39:26 -0500
From: Jeffrey Lyon <jeffrey.lyon@blacklotus.net>
To: Arturo Servin <arturo.servin@gmail.com>
Cc: nanog@nanog.org
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

We have seen a recent trend of attackers "legitimately" purchasing
servers to use for attacks. They'll setup a front company, attempt to
make the traffic look legitimate, and then launch attacks from their
"legitimate" botnet.

Jeff

On Wed, Dec 8, 2010 at 10:33 AM, Arturo Servin <arturo.servin@gmail.com> wrote:
>
> On 8 Dec 2010, at 13:12, nanog-request@nanog.org wrote:
>
>> Date: Wed, 8 Dec 2010 12:53:51 +0000
>> From: "Dobbins, Roland" <rdobbins@arbor.net>
>> Subject: Re: Over a decade of DDOS--any progress yet?
>> To: North American Operators' Group <nanog@nanog.org>
>> Message-ID: <BF571AD7-1122-407B-B7FA-77B9BBAC48F7@arbor.net>
>> Content-Type: text/plain; charset="us-ascii"
>>
>>
>> On Dec 8, 2010, at 7:28 PM, Arturo Servin wrote:
>>
>>>      One big problem (IMHO) of DDoS is that the sources (the hosts of botnets) may be completely unaware that they are part of a DDoS. I do not mean the bot machines, I mean the ISPs connecting them.
>>
>> The technology exists to detect and classify this attack traffic, and is deployed in production networks today.
>
>         Yes, they do exist. But are people really filtering out attacks, or just watching the attacks going out?
>
>
>>
>> And of course, the legitimate owners of the botted hosts are generally unaware that their machine is being used for nefarious purposes.
>>
>>>      On the other hand, the target of a DDoS cannot do anything to stop the attack besides adding more BW or contacting one by one the whole path of providers to try to minimize the effect.
>>
>> Actually, there're lots of things they can do.
>
>         Yes, but all of them rely on your upstreams or on mirroring your content. If 100 Mbps are reaching your input interface of 10 Mbps, there is not much that you can do.
>
>>
>>>      I know that this has many security concerns, but would it be good to have a signalling protocol between ISPs to inform the sources of a DDoS attack in order to take semiautomatic actions to rate-limit the traffic as close as possible to the source? Of course this is more complex than these two or three lines, but I wonder if this has been considered in the past.
>>
>> It already exists.
>
>         If you have a URL, that would be good. I only found a few research papers on the topic and RSVP documents, but nothing really concrete.
>
> Regards,
> -as



-- 
Jeffrey Lyon, Leadership Team
jeffrey.lyon@blacklotus.net | http://www.blacklotus.net
Black Lotus Communications - AS32421
First and Leading in DDoS Protection Solutions

