[177281] in North American Network Operators' Group
Re: DDOS solution recommendation
daemon@ATHENA.MIT.EDU (Patrick W. Gilmore)
Sun Jan 11 15:49:25 2015
From: "Patrick W. Gilmore" <patrick@ianai.net>
In-Reply-To: <3B1A3D80-278A-47D1-87E7-D9E7860186F1@gt86car.org.uk>
Date: Sun, 11 Jan 2015 15:47:20 -0500
To: NANOG list <nanog@nanog.org>
On Jan 11, 2015, at 15:28 , Colin Johnston <colinj@gt86car.org.uk> wrote:

> unfortunately ChinaNet antispam/abuse email box is always full, after a while people block.
> always check ARIN/RIPE for known good provider blocks and actively exclude from rules

They aren't the only ones who never reply to abuse@.

> DDoS protection via careful overview of IP rules and active web source IP monitoring works well, the hard part is daily rule updates and blocks until you know most traffic is genuine.

No one is advocating "never block anything".

However, automatic blocking based on a single DNS packet to a non-DNS server is ... let's call it counterproductive.

Good hygiene is necessary both on outgoing packets and on blocking. Checking ARIN/RIPE (not APNIC, LACNIC, AFRINIC?) is not even the bare minimum you should be doing.

--
TTFN,
patrick
>> On 11 Jan 2015, at 19:42, "Patrick W. Gilmore" <patrick@ianai.net> wrote:
>>
>> I do love solutions which open larger attack surfaces than they are supposed to close. In the US, we call that "a cure worse than the disease".
>>
>> Send packet from random bot with source of Google, Comcast, Akamai, etc. to Mr. Hammett's not-DNS / honeypot / whatever, and watch him close himself off from the world.
>>
>> Voilà! Denial of service accomplished without all the hassle of sending 100s of Gbps of traffic.
>>
>> Best part is he was willing to explain this to 10,000+ of his not-so-closest friends, in a search-engine-indexed manner.
>>
>> --
>> TTFN,
>> patrick
>>
>>> On Jan 11, 2015, at 14:34 , Phil Bedard <bedard.phil@gmail.com> wrote:
>>>
>>> Many attacks can use spoofed source IPs, so who are you really blocking?
>>>
>>> That's why BCP38 as mentioned many times already is a necessary tool in fighting the attacks overall.
>>>
>>> Phil
>>>
>>>> On 1/11/15, 4:33 PM, "Mike Hammett" <nanog@ics-il.net> wrote:
>>>>
>>>> I didn't necessarily think I was shattering minds with my ideas.
>>>>
>>>> I don't have the time to read a dozen presentations.
>>>>
>>>> Blackhole them and move on. I don't care whose feelings I hurt. This isn't kindergarten. Maybe "you" should have tried a little harder to not get a virus in the first place. Quit clicking on male enhancement ads or update your OS occasionally. I'm not going to spend a bunch of time and money to make sure someone's bubble of bliss doesn't get popped. Swift, effective, cheap. Besides, you're only cut off for 30 days. If in 30 days you can prove yourself to be responsible, we can try this again. Well, that or a sufficient support request.
>>>>
>>>> Besides, if enough people did that, the list of blackholes wouldn't be huge as someone upstream already blocked them.
>>>>
>>>> -----
>>>> Mike Hammett
>>>> Intelligent Computing Solutions
>>>> http://www.ics-il.com
>>>>
>>>> ----- Original Message -----
>>>>
>>>> From: "Roland Dobbins" <rdobbins@arbor.net>
>>>> To: nanog@nanog.org
>>>> Sent: Sunday, January 11, 2015 9:29:33 AM
>>>> Subject: Re: DDOS solution recommendation
>>>>
>>>>> On 11 Jan 2015, at 22:21, Mike Hammett wrote:
>>>>>
>>>>> I'm not saying what you're doing is wrong, I'm saying whatever the industry as a whole is doing obviously isn't working and perhaps a different approach is required.
>>>>
>>>> You haven't recommended anything new, and you really need to do some reading in order to understand why it isn't as simple as you seem to think it is.
>>>>
>>>>> Security teams? My network has me, myself and I.
>>>>
>>>> And a relatively small network, too.
>>>>
>>>>> If for example ChinaNet's abuse department isn't doing anything about complaints, eventually their whole network gets blocked a /32 at a time. *shrugs* Their loss.
>>>>
>>>> Again, it isn't that simple.
>>>>
>>>> -----------------------------------
>>>> Roland Dobbins <rdobbins@arbor.net>
>>
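The two defensive points the thread keeps circling back to, BCP38 ingress filtering on the outgoing side and an auto-blackhole policy that cannot be tripped by a single spoofed packet on the blocking side, as an added stand-alone example. This is editor-written illustration code, not something posted by any participant and not any vendor's implementation; the prefixes are constructed from the RFC 5737 documentation ranges, the "known good provider blocks" exemption list, the event threshold and the 30-day hold are assumed parameters chosen to mirror the discussion, and the class and function names are hypothetical.

```python
"""Defensive building blocks discussed in the thread (added example, not from any poster).

1. bcp38_ingress_allows(): a BCP38 / RFC 2827 style check on a customer-facing
   interface: forward a packet only if its source address belongs to a prefix
   assigned to that customer. This is what stops spoofed-source traffic leaving
   your network in the first place.
2. BlackholePolicy: an automatic blackhole decision that (a) never blocks
   exempted "known good" prefixes, (b) requires several events inside a time
   window rather than reacting to one packet, and (c) expires the block after a
   hold period (the 30 days mentioned in the thread).
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
import ipaddress


def bcp38_ingress_allows(src_ip: str, assigned_prefixes) -> bool:
    """Return True if src_ip falls inside one of the customer's assigned prefixes."""
    src = ipaddress.ip_address(src_ip)
    return any(src in net for net in assigned_prefixes if net.version == src.version)


@dataclass
class BlackholePolicy:
    exempt_prefixes: list                      # prefixes that are never blackholed (assumed list)
    min_events: int = 20                       # events needed inside `window` (assumed default)
    window: timedelta = timedelta(minutes=10)  # sliding window for counting events
    hold: timedelta = timedelta(days=30)       # how long a blackhole stays in place
    _events: dict = field(default_factory=dict)      # ip -> list of event timestamps
    _blackholed: dict = field(default_factory=dict)  # ip -> expiry timestamp

    def is_exempt(self, ip) -> bool:
        return any(ip in net for net in self.exempt_prefixes if net.version == ip.version)

    def observe(self, src_ip: str, now: datetime) -> bool:
        """Record one suspicious event; return True only if it triggered a new blackhole."""
        ip = ipaddress.ip_address(src_ip)
        if self.is_exempt(ip) or ip in self._blackholed:
            return False
        # Keep only events still inside the sliding window, then add this one.
        hits = [t for t in self._events.get(ip, []) if now - t <= self.window]
        hits.append(now)
        self._events[ip] = hits
        if len(hits) >= self.min_events:
            self._blackholed[ip] = now + self.hold
            return True
        return False

    def is_blackholed(self, src_ip: str, now: datetime) -> bool:
        """True while a blackhole entry exists and has not yet expired."""
        ip = ipaddress.ip_address(src_ip)
        expiry = self._blackholed.get(ip)
        if expiry is None:
            return False
        if now >= expiry:
            del self._blackholed[ip]   # hold period over: lift the block
            return False
        return True


def demo() -> dict:
    """Run both checks on constructed sample data and return the decisions."""
    now = datetime(2015, 1, 11, 15, 47)
    # Constructed: the customer is assigned TEST-NET-3; TEST-NET-1 stands in for
    # a "known good provider block" that must never be auto-blocked.
    customer_prefixes = [ipaddress.ip_network("203.0.113.0/24")]
    policy = BlackholePolicy(exempt_prefixes=[ipaddress.ip_network("192.0.2.0/24")],
                             min_events=3, window=timedelta(minutes=10))
    results = {
        "bcp38_legit": bcp38_ingress_allows("203.0.113.7", customer_prefixes),
        "bcp38_spoofed": bcp38_ingress_allows("198.51.100.9", customer_prefixes),
    }
    # Many packets with an exempt (spoofable) source never produce a block.
    for i in range(10):
        policy.observe("192.0.2.1", now + timedelta(seconds=i))
    results["exempt_blocked"] = policy.is_blackholed("192.0.2.1", now + timedelta(seconds=10))
    # A single packet from a non-exempt source is not enough to block it.
    policy.observe("198.51.100.9", now)
    results["after_one_packet"] = policy.is_blackholed("198.51.100.9", now)
    # Reaching the threshold inside the window does block it ...
    policy.observe("198.51.100.9", now + timedelta(minutes=1))
    policy.observe("198.51.100.9", now + timedelta(minutes=2))
    results["after_threshold"] = policy.is_blackholed("198.51.100.9", now + timedelta(minutes=2))
    # ... and the block lifts itself once the hold period has passed.
    results["after_hold_expired"] = policy.is_blackholed(
        "198.51.100.9", now + timedelta(minutes=2) + timedelta(days=30))
    return results


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name}: {decision}")
```

The point of the exemption list plus threshold is the one Patrick makes: because source addresses can be spoofed, a policy that blocks on one packet lets anyone choose which networks you cut yourself off from. The policy above still blocks persistent sources, but not on a single event and never for the prefixes you have decided you cannot afford to lose; BCP38 on your own edge is what keeps your customers from being the spoofing source in someone else's logs.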