[175936] in North American Network Operators' Group


Re: DDOS, IDS, RTBH, and Rate limiting

daemon@ATHENA.MIT.EDU (Tim Raphael)
Sat Nov 8 20:38:20 2014

X-Original-To: nanog@nanog.org
From: Tim Raphael <raphael.timothy@gmail.com>
In-Reply-To: <DC85D08B84BB854086E9524DAB67D1871613B320@Teriwood.miller.local>
Date: Sun, 9 Nov 2014 09:38:09 +0800
To: "Eric C. Miller" <eric@ericheather.com>
Cc: "NANOG \(nanog@nanog.org\)" <nanog@nanog.org>
Errors-To: nanog-bounces@nanog.org

Check out Arbor Networks, they produce a range of DDoS scrubbing appliances that do pretty much what you want.

Regards,

Tim Raphael

> On 9 Nov 2014, at 9:10 am, Eric C. Miller <eric@ericheather.com> wrote:
> 
> Today, we experienced (3) separate DDoS attacks from Eastern Asia, all generating > 2Gbps towards a single IP address in our network. All 3 attacks targeted different IP addresses with dst UDP 19, and the attacks lasted for about 5 minutes and stopped as fast as they started.
> 
> Does anyone have any suggestions for mitigating these types of attacks?
> 
> A couple of things that we've done already...
> 
> We set up BGP communities with our upstreams, and tested that RTBH can be set and it does work. However, by the time that we are able to trigger the black hole, the attack is almost always over.
> 
> For now, we've blocked UDP 19 incoming at our edge, so that if future, similar attacks occur, it doesn't affect our internal links.
> 
> What I think that I need is an IDS that can watch our edge traffic and automatically trigger a black hole advertisement for any internal IP beginning to receive > 100Mbps of traffic. A few searches are initially coming up dry...
> 
> Eric Miller, CCNP
> Network Engineering Consultant
> (407) 257-5115
> 
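
The auto-trigger Eric describes (watch edge traffic, blackhole any internal IP that starts receiving more than 100 Mbps), as an added example that is not from this thread or from any vendor product: it sums constructed flow records per destination over one collection interval, flags destinations above the threshold together with the service carrying most of the traffic (here UDP/19, the chargen reflection seen in the attack), and renders a /32 RTBH announcement. The community value, the discard next-hop and the ExaBGP-style command text are assumptions; the real values come from your upstream's RTBH agreement.

```python
from collections import defaultdict

RATE_THRESHOLD_MBPS = 100.0        # trigger level from the thread
WINDOW_SECONDS = 10                # collection interval the sample records cover
RTBH_COMMUNITY = "65000:666"       # placeholder; use the community your upstream assigns
BLACKHOLE_NEXT_HOP = "192.0.2.1"   # placeholder discard next-hop

# Constructed sample flow records for one 10 s interval: (dst_ip, proto, dst_port, bytes).
# 192.0.2.10 is receiving a chargen (UDP/19) flood; the others are below the trigger.
SAMPLE_FLOWS = [
    ("192.0.2.10", "udp", 19, 300_000_000),
    ("192.0.2.10", "udp", 19, 50_000_000),
    ("192.0.2.10", "tcp", 443, 1_000_000),
    ("192.0.2.20", "tcp", 443, 20_000_000),   # 16 Mbps, normal web traffic
    ("192.0.2.30", "udp", 19, 80_000_000),    # 64 Mbps, below the trigger
]

def rate_per_destination(flows, window_seconds=WINDOW_SECONDS):
    """Return {dst_ip: Mbps} by summing bytes per destination over the interval."""
    totals = defaultdict(int)
    for dst_ip, _proto, _port, nbytes in flows:
        totals[dst_ip] += nbytes
    return {ip: b * 8 / window_seconds / 1_000_000 for ip, b in totals.items()}

def dominant_service(flows, dst_ip):
    """Return the (proto, port) carrying the most bytes to dst_ip, e.g. ('udp', 19)."""
    per_service = defaultdict(int)
    for ip, proto, port, nbytes in flows:
        if ip == dst_ip:
            per_service[(proto, port)] += nbytes
    return max(per_service, key=per_service.get)

def rtbh_candidates(flows, threshold_mbps=RATE_THRESHOLD_MBPS):
    """Destinations over the threshold, each as (ip, Mbps, dominant (proto, port))."""
    rates = rate_per_destination(flows)
    return [(ip, rates[ip], dominant_service(flows, ip))
            for ip in sorted(rates) if rates[ip] > threshold_mbps]

def rtbh_announcement(dst_ip, community=RTBH_COMMUNITY, next_hop=BLACKHOLE_NEXT_HOP):
    """Render a /32 blackhole route in the text form ExaBGP's API accepts (assumption)."""
    return f"announce route {dst_ip}/32 next-hop {next_hop} community [{community}]"

if __name__ == "__main__":
    for ip, mbps, (proto, port) in rtbh_candidates(SAMPLE_FLOWS):
        print(f"{ip}: {mbps:.1f} Mbps inbound, mostly {proto}/{port} -> {rtbh_announcement(ip)}")
```

Reporting the dominant service alongside the rate lets the operator choose between a targeted ACL (as Eric did for UDP 19) and a full /32 blackhole, which also takes the victim offline.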
