[133304] in North American Network Operators' Group
RE: Over a decade of DDOS--any progress yet?
daemon@ATHENA.MIT.EDU (Drew Weaver)
Wed Dec 8 11:13:11 2010
From: Drew Weaver <drew.weaver@thenap.com>
To: 'Arturo Servin' <arturo.servin@gmail.com>, Jeffrey Lyon <jeffrey.lyon@blacklotus.net>
Date: Wed, 8 Dec 2010 11:13:01 -0500
In-Reply-To: <2ABCD3A4-E2C6-47ED-89FC-957DE79AE033@gmail.com>
Cc: "nanog@nanog.org" <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
The most common attacks that I have seen over the last 12 months, and let's say I have seen a fair share, have been easily detectable by the source network.
It is either protocol 17 (UDP) dst port 80 or UDP Fragments (dst port 0..)
What valid application actually uses UDP 80?
You could literally wipe out a large amount of these attacks by simply filtering this.
-Drew
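The two signatures Drew names (UDP to destination port 80, and UDP fragments, which appear in flow exports with dst port 0 because non-first fragments carry no UDP header) can be checked against a source network's flow records. The script below is an added example, not code from the list or from any poster; the flow records and the field layout are constructed for it.

```python
"""Classify flow records for the two DDoS signatures discussed on the thread:
UDP (protocol 17) to dst port 80, and UDP fragments exported with dst port 0.
The records and the comma-separated layout are constructed for this example."""
from collections import defaultdict

# Constructed NetFlow-style records: src, dst, proto, sport, dport, fragment flag, bytes
SAMPLE_FLOWS = """\
10.0.0.5,192.0.2.10,17,53,53,0,120
10.0.0.7,192.0.2.10,17,41231,80,0,1480
10.0.0.8,192.0.2.10,17,0,0,1,1480
10.0.0.9,192.0.2.10,6,51000,80,0,900
10.0.0.7,192.0.2.10,17,41232,80,0,1480
10.0.0.11,192.0.2.10,17,40000,443,0,600
"""

UDP = 17


def parse_flows(text):
    flows = []
    for line in text.strip().splitlines():
        src, dst, proto, sport, dport, frag, nbytes = line.split(",")
        flows.append({"src": src, "dst": dst, "proto": int(proto), "sport": int(sport),
                      "dport": int(dport), "frag": frag == "1", "bytes": int(nbytes)})
    return flows


def classify(flow):
    """Return the signature a flow matches, or None. TCP port 80 is normal web
    traffic and is deliberately left alone; only UDP is considered."""
    if flow["proto"] != UDP:
        return None
    if flow["frag"] and flow["dport"] == 0:
        # Caveat: legitimate fragmented UDP (e.g. large DNS responses) also lands
        # here, so review the sources before turning this into a drop filter.
        return "udp-fragment"
    if flow["dport"] == 80:
        return "udp-dport-80"
    return None


def summarize(flows):
    """Bytes per signature, and the share of all bytes a filter on them would remove."""
    per_sig, total = defaultdict(int), 0
    for f in flows:
        total += f["bytes"]
        sig = classify(f)
        if sig:
            per_sig[sig] += f["bytes"]
    return dict(per_sig), (sum(per_sig.values()) / total if total else 0.0)


def sources_to_review(flows):
    """Sorted list of source hosts that emitted matching traffic."""
    return sorted({f["src"] for f in flows if classify(f)})
```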
-----Original Message-----
From: Arturo Servin [mailto:arturo.servin@gmail.com]
Sent: Wednesday, December 08, 2010 10:48 AM
To: Jeffrey Lyon
Cc: nanog@nanog.org
Subject: Re: Over a decade of DDOS--any progress yet?
And those are much more complex to detect than SYN attacks or simple flood attacks with ICMP.
But even for simple flood attacks, I still think that the target has very few defence mechanisms, and those that exist require a complex coordination with upstreams.
Cheers,
.as
On 8 Dec 2010, at 13:39, Jeffrey Lyon wrote:
> We have seen a recent trend of attackers "legitimately" purchasing
> servers to use for attacks. They'll setup a front company, attempt to
> make the traffic look legitimate, and then launch attacks from their
> "legitimate" botnet.
>
> Jeff
>
> On Wed, Dec 8, 2010 at 10:33 AM, Arturo Servin <arturo.servin@gmail.com> wrote:
>>
>> On 8 Dec 2010, at 13:12, nanog-request@nanog.org wrote:
>>
>>> Date: Wed, 8 Dec 2010 12:53:51 +0000
>>> From: "Dobbins, Roland" <rdobbins@arbor.net>
>>> Subject: Re: Over a decade of DDOS--any progress yet?
>>> To: North American Operators' Group <nanog@nanog.org>
>>> Message-ID: <BF571AD7-1122-407B-B7FA-77B9BBAC48F7@arbor.net>
>>> Content-Type: text/plain; charset="us-ascii"
>>>
>>>
>>> On Dec 8, 2010, at 7:28 PM, Arturo Servin wrote:
>>>
>>>> One big problem (IMHO) of DDoS is that sources (the host of botnets) may be completely unaware that they are part of a DDoS. I do not mean the bot machine, I mean the ISP connecting those.
>>>
>>> The technology exists to detect and classify this attack traffic, and is deployed in production networks today.
>>
>> Yes, they do exist. But are people really filtering out attacks or just watching the attacks going out?
>>
>>
>>>
>>> And of course, the legitimate owners of the botted hosts are generally unaware that their machine is being used for nefarious purposes.
>>>
>>>> On the other hand, the target of a DDoS cannot do anything to stop the attack besides adding more BW or contacting one by one the whole path of providers to try to minimize the effect.
>>>
>>> Actually, there're lots of things they can do.
>>
>> Yes, but all of them rely on your upstreams or on mirroring your content. If 100 Mbps are reaching your input interface of 10 Mbps there is not much that you can do.
>>
>>>
>>>> I know that this has many security concerns, but would a signalling protocol between ISPs be good, to inform the sources of a DDoS attack in order to take semiautomatic actions to rate-limit the traffic as close as possible to the source? Of course this is more complex than these three or two lines, but I wonder if this has been considered in the past.
>>>
>>> It already exists.
>>
>> If you have a URL, it would be good. I only found a few research papers on the topic and RSVP documents but nothing really concrete.
>>
>> Regards,
>> -as
>
>
>
> --
> Jeffrey Lyon, Leadership Team
> jeffrey.lyon@blacklotus.net | http://www.blacklotus.net
> Black Lotus Communications - AS32421
> First and Leading in DDoS Protection Solutions