[175949] in North American Network Operators' Group


Re: DDOS, IDS, RTBH, and Rate limiting

daemon@ATHENA.MIT.EDU (Roland Dobbins)
Sat Nov 8 22:50:56 2014

X-Original-To: nanog@nanog.org
From: "Roland Dobbins" <rdobbins@arbor.net>
To: "NANOG (nanog@nanog.org)" <nanog@nanog.org>
Date: Sun, 09 Nov 2014 10:50:42 +0700
In-Reply-To: <Pine.LNX.4.61.1411082230090.10544@soloth.lewis.org>
Errors-To: nanog-bounces@nanog.org


On 9 Nov 2014, at 10:37, Jon Lewis wrote:

> I'm sure it's not always the case, but in my experience as a SP, the 
> victim virtually always did something to instigate the attack, and is 
> usually someone you don't want as a customer.

This may be a reflection of your experience and customer base, but it 
isn't a valid generalization.  Legitimate customers are attacked all the 
time, for various reasons - including unknowingly having their servers 
compromised and used as C&Cs by miscreants, who're then attacked by 
other miscreants.

But to say that attacks are 'virtually always' provoked by customers 
themselves simply isn't true.  DDoS extortion, ideologically-motivated 
DDoS attacks, maskirovkas intended as a distraction away from other 
activities, simple nihilism, et al. are, unfortunately, quite common.

> When I worked for a cloud hosting provider, the DDoS "victims" tended 
> to be fraudulent signups who were doing malicious or anti-social 
> things on the net and were not paying customers anyway.

Many DDoS attacks are miscreant-vs.-miscreant, that's certainly true.  
Compromised machines are 'attractive nuisances', which is yet another 
reason it's important to have visibility into your network traffic (it's 
easy to get started with NetFlow and open-source tools).

-----------------------------------
Roland Dobbins <rdobbins@arbor.net>
