[175932] in North American Network Operators' Group
DDOS, IDS, RTBH, and Rate limiting
daemon@ATHENA.MIT.EDU (Eric C. Miller)
Sat Nov 8 20:10:24 2014
From: "Eric C. Miller" <eric@ericheather.com>
To: "NANOG (nanog@nanog.org)" <nanog@nanog.org>
Date: Sun, 9 Nov 2014 01:10:12 +0000
Today, we experienced (3) separate DDoS attacks from Eastern Asia, all generating > 2Gbps towards a single IP address in our network. All 3 attacks targeted different IP addresses with dst UDP 19, and the attacks lasted for about 5 minutes and stopped as fast as they started.
Does anyone have any suggestions for mitigating these types of attacks?
A couple of things that we've done already...
We set up BGP communities with our upstreams, and tested that RTBH can be set and it does work. However, by the time that we are able to trigger the black hole, the attack is almost always over.
For now, we've blocked UDP 19 incoming at our edge, so that if future, similar attacks occur, it doesn't affect our internal links.
What I think that I need is an IDS that can watch our edge traffic and automatically trigger a black hole advertisement for any internal IP beginning to receive > 100Mbps of traffic. A few searches are initially coming up dry...
Eric Miller, CCNP
Network Engineering Consultant
(407) 257-5115
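The auto-trigger the post asks for, as an added example that is not part of the original message or of any product: a small flow-driven RTBH trigger that keeps a sliding window of bytes per destination, fires an ExaBGP "announce route" for a /32 once the inbound rate crosses 100 Mbps, and withdraws it only after a hold time and once the rate has dropped well below the trigger. The flow record layout, the protected prefix 203.0.113.0/24, the blackhole community 65000:666 and the next-hop 192.0.2.1 are assumptions (placeholders for whatever the upstream's RTBH documentation specifies); the sample flows are constructed.

```python
"""Flow-driven RTBH trigger (added example, not from the original post).

Assumptions (not from the page): flow records arrive as
(ts, src, dst, proto, dst_port, bytes); the upstream's blackhole
community is 65000:666 and the next-hop it discards is 192.0.2.1.
"""
from collections import defaultdict, deque
import ipaddress

BLACKHOLE_COMMUNITY = "65000:666"   # assumption: upstream's RTBH community
BLACKHOLE_NEXT_HOP = "192.0.2.1"    # assumption: next-hop the upstream nulls
TRIGGER_BPS = 100_000_000           # 100 Mbps, the threshold named in the post
CLEAR_BPS = 10_000_000              # hysteresis: withdraw only below this rate
WINDOW_S = 10                       # sliding window used to estimate the rate
HOLD_S = 300                        # keep a blackhole at least this long


class RtbhTrigger:
    def __init__(self, protected_prefixes, trigger_bps=TRIGGER_BPS,
                 clear_bps=CLEAR_BPS, window_s=WINDOW_S, hold_s=HOLD_S,
                 community=BLACKHOLE_COMMUNITY, next_hop=BLACKHOLE_NEXT_HOP):
        self.protected = [ipaddress.ip_network(p) for p in protected_prefixes]
        self.trigger_bps, self.clear_bps = trigger_bps, clear_bps
        self.window_s, self.hold_s = window_s, hold_s
        self.community, self.next_hop = community, next_hop
        self.windows = defaultdict(deque)   # dst -> deque of (ts, bytes)
        self.totals = defaultdict(int)      # dst -> bytes currently in window
        self.blackholed = {}                # dst -> ts the /32 was announced
        self.commands = []                  # every ExaBGP command emitted

    def _is_protected(self, dst):
        ip = ipaddress.ip_address(dst)
        return any(ip in net for net in self.protected)

    def rate_bps(self, dst, now):
        """Drop records older than the window and return bits/s for dst."""
        win = self.windows[dst]
        while win and win[0][0] < now - self.window_s:
            _, nbytes = win.popleft()
            self.totals[dst] -= nbytes
        return self.totals[dst] * 8 / self.window_s

    def observe(self, ts, src, dst, proto, dport, nbytes):
        """Feed one flow record; return the announce command if it fires."""
        if not self._is_protected(dst):
            return None                     # only our own space is ever blackholed
        self.windows[dst].append((ts, nbytes))
        self.totals[dst] += nbytes
        if dst not in self.blackholed and self.rate_bps(dst, ts) >= self.trigger_bps:
            self.blackholed[dst] = ts
            cmd = (f"announce route {dst}/32 next-hop {self.next_hop} "
                   f"community [{self.community}]")
            self.commands.append(cmd)
            return cmd
        return None

    def tick(self, now):
        """Withdraw blackholes whose hold time elapsed and whose rate is low.

        Once the upstream discards the traffic our edge sees no more flows for
        the victim, so the measured rate falls to zero immediately; the hold
        time is what keeps the /32 in place for the rest of the attack.
        """
        withdrawn = []
        for dst, since in list(self.blackholed.items()):
            if now - since >= self.hold_s and self.rate_bps(dst, now) < self.clear_bps:
                cmd = (f"withdraw route {dst}/32 next-hop {self.next_hop} "
                       f"community [{self.community}]")
                self.commands.append(cmd)
                del self.blackholed[dst]
                withdrawn.append(cmd)
        return withdrawn


# Constructed sample: a UDP/19 (chargen) flood towards one host, 30 MB per
# second, plus a normal flow and a flood towards space that is not ours.
SAMPLE_FLOWS = [
    (0, "198.51.100.7", "203.0.113.10", "udp", 19, 30_000_000),
    (1, "198.51.100.8", "203.0.113.10", "udp", 19, 30_000_000),
    (1, "198.51.100.9", "203.0.113.20", "tcp", 443, 50_000),        # normal traffic
    (2, "198.51.100.10", "203.0.113.10", "udp", 19, 30_000_000),
    (3, "198.51.100.11", "203.0.113.10", "udp", 19, 30_000_000),
    (3, "198.51.100.12", "192.0.2.99", "udp", 19, 500_000_000),     # not our prefix: ignored
    (4, "198.51.100.13", "203.0.113.10", "udp", 19, 30_000_000),    # 150 MB / 10 s = 120 Mbps
    (5, "198.51.100.14", "203.0.113.10", "udp", 19, 30_000_000),    # already blackholed
]


def run_sample():
    """Replay the constructed flows; return (fired, early_tick, late_tick)."""
    trig = RtbhTrigger(["203.0.113.0/24"])
    fired = []
    for rec in SAMPLE_FLOWS:
        cmd = trig.observe(*rec)
        if cmd:
            fired.append(cmd)
    early = trig.tick(now=60)    # hold time not yet elapsed: nothing withdrawn
    late = trig.tick(now=400)    # hold elapsed and window empty: /32 withdrawn
    return fired, early, late


if __name__ == "__main__":
    for cmd in run_sample()[0] + run_sample()[2]:
        print(cmd)   # these lines would be written to ExaBGP's API stdin
```

The commands are in the syntax ExaBGP's process API accepts on stdin, so the script can run as an ExaBGP process with its flow source behind it. Two caveats from the post itself: a blackhole completes the attack against the victim /32, so it is only worth triggering when the flood would otherwise saturate the upstream link (the 100 Mbps figure is a policy choice, not a protocol constant), and detection built on exported flows inherits the collector's export and sampling delay, which is part of why a 5-minute attack is over before a manual trigger lands.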