[177256] in North American Network Operators' Group


Re: DDOS solution recommendation

daemon@ATHENA.MIT.EDU (Patrick W. Gilmore)
Sun Jan 11 08:50:31 2015

X-Original-To: nanog@nanog.org
From: "Patrick W. Gilmore" <patrick@ianai.net>
In-Reply-To: <22194530.1736.1420983994911.JavaMail.mhammett@ThunderFuck>
Date: Sun, 11 Jan 2015 08:50:22 -0500
To: NANOG list <nanog@nanog.org>
Errors-To: nanog-bounces@nanog.org

I agree with lots said here.

But I've said for years (despite some people saying I am confused) that BCP38 is the single most important thing we can do to cut DDoS.

No spoofed source means no amplification. It also stops things like Kaminsky DNS attacks.

There is no silver bullet. Security is a series of steps ("layers" as one highly respected security professional has in his .sig). But the most important layer, the biggest bang for the buck we can do today, is eliminating spoofed sources.

Push on your providers. Stop paying for transit from networks that do not filter ingress, put it in your RFPs, and reward those who do with contracts. Make it economically advantageous to fix the problem, and people will.

-- 
TTFN,
patrick

> On Jan 11, 2015, at 08:46 , Mike Hammett <nanog@ics-il.net> wrote:
> 
> Well there's going to be two sources of the attack... infested clients or machines set up for this purpose (usually in a datacenter somewhere). Enough people blackhole the attacking IPs, those IPs are eventually going to have a very limited view of the Internet. They may not care if it's a server in a datacenter being used to attack, but an infested home PC would care once they can't get to Google, Facebook, Instagram, whatever.
> 
> If the attacker's abuse contact doesn't care, then, just by brute force of more and more of the Internet being offline to them, they'll figure it out.
> 
> You hit my honeypot IPs, blackholed for 30 days. You do a DNS request to my non-DNS servers, blackholed for 30 days. Same goes for NTP, mail, web, etc. You have more than say 5 bad login attempts to my mail server in 5 minutes, blackholed for 30 days. You're trying to access various web pages known for home router or WordPress exploitation, blackholed for 30 days.
> 
> No point in letting troublemakers (manual or scripted) spend more time on the network than necessary. The more people (as a collective or not) that do this, the better.
> 
> -----
> Mike Hammett
> Intelligent Computing Solutions
> http://www.ics-il.com
> 
> ----- Original Message -----
> 
> From: "Roland Dobbins" <rdobbins@arbor.net>
> To: nanog@nanog.org
> Sent: Sunday, January 11, 2015 7:24:55 AM
> Subject: Re: DDOS solution recommendation
> 
> 
> On 11 Jan 2015, at 20:07, Mike Hammett wrote:
> 
>> but I'd think that if their network's abuse department was notified, either they'd contact the customer about the issue or at least have on file that they were notified.
> 
> Just because we think something, that doesn't make it true.
> 
> ;>
> 
>> The way to stop this stuff is for those millions of end users to clean up their infected PCs.
> 
> You may want to do some reading on this topic in order to gain a better understanding of the issues involved:
> 
> <https://app.box.com/s/4h2l6f4m8is6jnwk28cg>
> 
> Some of us have been dealing with DDoS attacks for a couple of decades, now. If it were a simple problem, we would've solved it long ago.
> 
> Here's a hint: scale alone makes any problem literally orders of magnitude more difficult than any given instance thereof.
> 
> -----------------------------------
> Roland Dobbins <rdobbins@arbor.net>
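Patrick's argument above ("no spoofed source means no amplification") can be made concrete with a small model. The following is an added example, not code from the thread or from any of its participants: it implements strict BCP38 / RFC 2827 ingress filtering at a customer-facing edge (accept a packet only if its source lies in a prefix assigned to the interface it arrived on), then feeds whatever survives into a model reflector that, like an open resolver or an NTP monlist host, answers to whatever source address the request carried. Interface names, customer prefixes, the victim address, the packets and the 3000-byte response size are all constructed for illustration.

```python
"""Added example (not part of the NANOG thread): BCP38 ingress filtering at the
customer edge, followed by a model reflector, to show why removing spoofed
sources removes reflection/amplification. All names and numbers are constructed."""
import ipaddress
from dataclasses import dataclass

# Hypothetical: prefixes legitimately assigned to each customer-facing interface.
INGRESS_PREFIXES = {
    "ge-0/0/1": ["192.0.2.0/24"],       # customer A
    "ge-0/0/2": ["198.51.100.0/25"],    # customer B
}
VICTIM = "203.0.113.5"                  # address the attacker wants flooded


@dataclass(frozen=True)
class Packet:
    iface: str   # interface the packet arrived on
    src: str
    dst: str
    dport: int
    size: int    # bytes on the wire


def bcp38_permit(pkt):
    """Strict ingress filter: accept only if the source address lies within a
    prefix assigned to the interface it arrived on. Unknown interface: drop."""
    src = ipaddress.ip_address(pkt.src)
    nets = (ipaddress.ip_network(p) for p in INGRESS_PREFIXES.get(pkt.iface, []))
    return any(src in net for net in nets)


def reflect(pkt, response_bytes):
    """Model reflector (open resolver, NTP monlist host, ...): it answers to
    whatever source address the request carried, with a larger payload."""
    return pkt.src, response_bytes


def simulate(packets, response_bytes=3000, filtering=True):
    """Push packets through the edge (with or without BCP38) and then through
    the reflector. Returns {destination: bytes delivered}."""
    delivered = {}
    for pkt in packets:
        if filtering and not bcp38_permit(pkt):
            continue   # dropped at the customer edge; the reflector never sees it
        dst, nbytes = reflect(pkt, response_bytes)
        delivered[dst] = delivered.get(dst, 0) + nbytes
    return delivered


def amplification(packets, victim, response_bytes=3000, filtering=True):
    """Bytes the victim receives per byte the attacker sent with a spoofed
    source of `victim`. 0.0 when nothing reaches the victim."""
    sent = sum(p.size for p in packets if p.src == victim)
    got = simulate(packets, response_bytes, filtering).get(victim, 0)
    return got / sent if sent else 0.0


# Constructed traffic: one real client plus several spoofing attempts.
SAMPLE_PACKETS = [
    Packet("ge-0/0/1", "192.0.2.10", "198.51.100.53", 53, 64),     # real client of A
    Packet("ge-0/0/1", VICTIM, "198.51.100.53", 53, 64),           # A spoofs the victim
    Packet("ge-0/0/2", VICTIM, "198.51.100.53", 53, 64),           # B spoofs the victim
    Packet("ge-0/0/1", "198.51.100.7", "198.51.100.53", 53, 64),   # A spoofs B's space
    Packet("ge-0/0/1", "192.0.2.99", "198.51.100.53", 53, 64),     # A spoofs a neighbour inside its own /24
]

if __name__ == "__main__":
    for filtering in (False, True):
        print("BCP38 filtering:", filtering)
        print("  delivered:", simulate(SAMPLE_PACKETS, filtering=filtering))
        print("  amplification toward victim: %.1fx"
              % amplification(SAMPLE_PACKETS, VICTIM, filtering=filtering))
```

Without filtering, 128 bytes of spoofed requests turn into 6000 bytes delivered to the victim; with the filter in place the reflector never sees a packet claiming to be the victim and the amplification drops to zero. The last sample packet shows the caveat: BCP38 only stops spoofing outside the customer's own allocation, so a host spoofing a neighbour inside the same /24 still passes, which is why per-customer prefixes should be as tight as the assignment allows.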

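Mike Hammett's quoted tripwire policy (honeypot hit, DNS query to a non-DNS host, more than 5 failed logins in 5 minutes, exploit-path probes, each earning a 30-day blackhole) is easy to automate. The following is an added example, not code from the thread or from Mike: it parses a constructed log format, applies those four rules with a sliding window for the login-failure rule, keeps an expiring blackhole table, and emits Linux `ip route add blackhole` commands for the currently active entries. The log format, the service-host and honeypot addresses, and the source IPs are constructed; only the null-route command is a real tool.

```python
"""Added example (not part of the NANOG thread): an automated version of the
"hit a tripwire, get blackholed for 30 days" policy. Log lines, host lists and
IP addresses are constructed for illustration."""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import ipaddress
import re

BLACKHOLE_TTL = timedelta(days=30)
AUTH_FAIL_LIMIT = 5                        # more than 5 failures ...
AUTH_FAIL_WINDOW = timedelta(minutes=5)    # ... within 5 minutes

# Hypothetical: the hosts that really run each service. A query on that port to
# any other address is a scan, not a client.
SERVICE_HOSTS = {53: {"198.51.100.53"}, 123: {"198.51.100.123"}, 25: {"198.51.100.25"}}
HONEYPOTS = {"198.51.100.200", "198.51.100.201"}
EXPLOIT_PATHS = re.compile(r"(^|/)(wp-login\.php|xmlrpc\.php|cgi-bin/|HNAP1)")

# Constructed log format: "<ISO timestamp> <event> key=value ..."
LINE_RE = re.compile(r"^(\S+)\s+(\w+)\s+(.*)$")


def parse_line(line):
    """Return (timestamp, event, fields) or None for anything malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, event, rest = m.groups()
    try:
        fields = dict(kv.split("=", 1) for kv in rest.split())
        return datetime.fromisoformat(ts), event, fields
    except ValueError:
        return None


class Tripwire:
    def __init__(self):
        self.blackholed = {}                 # ip -> expiry datetime
        self.reasons = {}                    # ip -> first reason it was tripped
        self._fails = defaultdict(deque)     # ip -> recent auth-failure timestamps

    def _trip(self, ip, ts, reason):
        expiry = ts + BLACKHOLE_TTL          # a repeat offence extends, never shortens
        if self.blackholed.get(ip, datetime.min) < expiry:
            self.blackholed[ip] = expiry
        self.reasons.setdefault(ip, reason)

    def process(self, line):
        """Apply the rules to one log line; return the reason if it tripped."""
        parsed = parse_line(line)
        if parsed is None:
            return None
        ts, event, f = parsed
        src = f.get("src")
        try:
            ipaddress.ip_address(src)        # refuse to null-route garbage
        except ValueError:
            return None
        reason = None
        if event == "flow":
            dst = f.get("dst")
            try:
                dport = int(f.get("dport", 0))
            except ValueError:
                return None
            if dst in HONEYPOTS:
                reason = "honeypot"
            elif dport in SERVICE_HOSTS and dst not in SERVICE_HOSTS[dport]:
                reason = "port %d probe to non-service host" % dport
        elif event == "authfail":
            window = self._fails[src]
            window.append(ts)
            while window and ts - window[0] > AUTH_FAIL_WINDOW:
                window.popleft()             # drop failures older than the window
            if len(window) > AUTH_FAIL_LIMIT:
                reason = "auth brute force"
        elif event == "http":
            if EXPLOIT_PATHS.search(f.get("path", "")):
                reason = "exploit probe"
        if reason:
            self._trip(src, ts, reason)
        return reason

    def active(self, now):
        """IPs whose 30-day blackhole has not yet expired at `now`."""
        if isinstance(now, str):
            now = datetime.fromisoformat(now)
        return sorted(ip for ip, exp in self.blackholed.items() if exp > now)

    def null_route_commands(self, now):
        return ["ip route add blackhole %s/32" % ip for ip in self.active(now)]


def run(lines):
    tw = Tripwire()
    for line in lines:
        tw.process(line)
    return tw


SAMPLE_LOG = [
    "2015-01-11T08:46:00 flow src=203.0.113.7 dst=198.51.100.200 dport=80",   # honeypot hit
    "2015-01-11T08:46:05 flow src=203.0.113.8 dst=198.51.100.10 dport=53",    # DNS to a non-DNS host
    "2015-01-11T08:46:06 flow src=192.0.2.40 dst=198.51.100.53 dport=53",     # legitimate query
    "this is not a log line",                                                  # ignored
] + ["2015-01-11T08:47:%02d authfail src=203.0.113.9 service=smtp" % s
     for s in (0, 10, 20, 30, 40, 50)] + [                                    # 6 in one minute
    "2015-01-11T08:%02d:00 authfail src=203.0.113.10 service=smtp" % m
    for m in (40, 42, 44, 46, 48, 50)] + [                                    # 6 spread over 10 min
    "2015-01-11T08:50:00 http src=203.0.113.11 path=/wp-login.php",           # WordPress probe
]

if __name__ == "__main__":
    tw = run(SAMPLE_LOG)
    for ip in tw.active("2015-01-11T09:00:00"):
        print(ip, tw.reasons[ip], "until", tw.blackholed[ip])
    print("\n".join(tw.null_route_commands("2015-01-11T09:00:00")))
```

The source that spread its six failures over ten minutes is never blackholed, because the sliding window only ever holds three of them; the one that failed six times in a minute is. One caveat that ties this back to Patrick's point: a rule like this null-routes whatever source address appears in the packet, so on a network that still admits spoofed traffic an attacker can feed a victim's address into your honeypots and have you blackhole the victim; the login-failure and HTTP rules are safer in that respect because they require a completed TCP handshake.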
