[177305] in North American Network Operators' Group
Re: DDOS solution recommendation
daemon@ATHENA.MIT.EDU (Colin Johnston)
Mon Jan 12 09:45:04 2015
X-Original-To: nanog@nanog.org
In-Reply-To: <95FAA7BE-A61D-4F9A-8966-E13076AA93F4@ianai.net>
From: Colin Johnston <colinj@gt86car.org.uk>
Date: Sun, 11 Jan 2015 20:28:51 +0000
To: "Patrick W. Gilmore" <patrick@ianai.net>
Cc: NANOG list <nanog@nanog.org>
Errors-To: nanog-bounces@nanog.org
Unfortunately ChinaNet's antispam/abuse email box is always full; after a while people block.
Always check ARIN/RIPE for known-good provider blocks and actively exclude them from rules.
DDoS protection via careful overview of ips rules and active web source IP monitoring works well; the hard part is daily rule updates and blocks until you know most traffic is genuine.
colin
Sent from my iPhone
> On 11 Jan 2015, at 19:42, "Patrick W. Gilmore" <patrick@ianai.net> wrote:
>
> I do love solutions which open larger attack surfaces than they are supposed to close. In the US, we call that "a cure worse than the disease".
>
> Send packet from random bot with source of Google, Comcast, Akamai, etc. to Mr. Hammett's not-DNS / honeypot / whatever, and watch him close himself off from the world.
>
> Voilà! Denial of service accomplished without all the hassle of sending 100s of Gbps of traffic.
>
> Best part is he was willing to explain this to 10,000+ of his not-so-closest friends, in a search-engine-indexed manner.
>
> --
> TTFN,
> patrick
>
>> On Jan 11, 2015, at 14:34 , Phil Bedard <bedard.phil@gmail.com> wrote:
>>
>> Many attacks can use spoofed source IPs, so who are you really blocking?
>>
>> That's why BCP38 as mentioned many times already is a necessary tool in fighting the attacks overall.
>>
>> Phil
>>
>>> On 1/11/15, 4:33 PM, "Mike Hammett" <nanog@ics-il.net> wrote:
>>>
>>> I didn't necessarily think I was shattering minds with my ideas.
>>>
>>> I don't have the time to read a dozen presentations.
>>>
>>> Blackhole them and move on. I don't care whose feelings I hurt. This isn't kindergarten. Maybe "you" should have tried a little harder to not get a virus in the first place. Quit clicking on male enhancement ads or update your OS occasionally. I'm not going to spend a bunch of time and money to make sure someone's bubble of bliss doesn't get popped. Swift, effective, cheap. Besides, you're only cut off for 30 days. If in 30 days you can prove yourself to be responsible, we can try this again. Well, that or a sufficient support request.
>>>
>>> Besides, if enough people did that, the list of blackholes wouldn't be huge as someone upstream already blocked them.
>>>
>>> -----
>>> Mike Hammett
>>> Intelligent Computing Solutions
>>> http://www.ics-il.com
>>>
>>> ----- Original Message -----
>>>
>>> From: "Roland Dobbins" <rdobbins@arbor.net>
>>> To: nanog@nanog.org
>>> Sent: Sunday, January 11, 2015 9:29:33 AM
>>> Subject: Re: DDOS solution recommendation
>>>
>>>> On 11 Jan 2015, at 22:21, Mike Hammett wrote:
>>>>
>>>> I'm not saying what you're doing is wrong, I'm saying whatever the industry as a whole is doing obviously isn't working and perhaps a different approach is required.
>>>
>>> You haven't recommended anything new, and you really need to do some reading in order to understand why it isn't as simple as you seem to think it is.
>>>
>>>> Security teams? My network has me, myself and I.
>>>
>>> And a relatively small network, too.
>>>
>>>> If for example ChinaNet's abuse department isn't doing anything about complaints, eventually their whole network gets blocked a /32 at a time. *shrugs* Their loss.
>>>
>>> Again, it isn't that simple.
>>>
>>> -----------------------------------
>>> Roland Dobbins <rdobbins@arbor.net>
>
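The failure mode Patrick describes above (a bot forging a well-known source address so that the victim's automatic blackhole cuts the victim off from that source), together with the two countermeasures the thread names (Phil's BCP38 ingress filtering at the spoofing host's own edge, and Colin's practice of excluding known-good provider blocks from the rules), as an added simulation that is not part of the thread and not anyone's production code. Every address, prefix and packet in it is constructed for illustration: TEST-NET ranges for the defender and the bot, and 8.8.8.8 standing in for the "Google" source Patrick mentions; the thread itself names no addresses, thresholds or implementation.

```python
"""Simulation (added example, not from the thread): an auto-blackhole keyed on
source IP can be steered by a spoofing bot; BCP38 filtering at the bot's own
edge removes that lever. All addresses and packets below are constructed."""
from dataclasses import dataclass, field
import ipaddress

HONEYPOT = "198.51.100.10"    # constructed: the "not-DNS / honeypot" address
OTHER_HOST = "198.51.100.20"  # constructed: any other host behind the same blackhole


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


@dataclass
class AutoBlackhole:
    """Naive defender: once `threshold` packets from one source /32 hit the
    honeypot, null-route that source for all traffic (the 30-day block idea).
    The router only ever sees the source field; it cannot tell spoofed from real."""
    threshold: int = 3
    allowlist: list = field(default_factory=list)  # known-good provider blocks, never auto-blocked
    counts: dict = field(default_factory=dict)
    blackholed: set = field(default_factory=set)

    def _allowlisted(self, src: str) -> bool:
        ip = ipaddress.ip_address(src)
        return any(ip in ipaddress.ip_network(p) for p in self.allowlist)

    def ingest(self, pkt: Packet) -> bool:
        """Deliver the packet (True) or drop it (False)."""
        if pkt.src in self.blackholed:
            return False
        if pkt.dst == HONEYPOT:
            self.counts[pkt.src] = self.counts.get(pkt.src, 0) + 1
            if self.counts[pkt.src] >= self.threshold and not self._allowlisted(pkt.src):
                self.blackholed.add(pkt.src)
        return True


def bcp38_edge(customer_prefix: str, packets: list) -> list:
    """Customer-facing ingress filter (BCP38 / RFC 2827): forward only packets
    whose source address lies inside the prefix assigned to that customer port."""
    net = ipaddress.ip_network(customer_prefix)
    return [p for p in packets if ipaddress.ip_address(p.src) in net]


def run_scenario(bcp38_at_bot_isp: bool, allowlist=(), spoofed_src="8.8.8.8") -> dict:
    """A bot on 203.0.113.0/24 (constructed) sends three packets to the honeypot
    with a forged source, after which a genuine packet from that same source
    arrives for OTHER_HOST. Returns whether the genuine packet was delivered
    and which sources ended up null-routed."""
    defender = AutoBlackhole(threshold=3, allowlist=list(allowlist))
    bot_traffic = [Packet(spoofed_src, HONEYPOT) for _ in range(3)]
    if bcp38_at_bot_isp:
        # The forged source is outside the bot's assigned prefix, so the bot's
        # own ISP drops every packet before it ever reaches the defender.
        bot_traffic = bcp38_edge("203.0.113.0/24", bot_traffic)
    for p in bot_traffic:
        defender.ingest(p)
    genuine = Packet(spoofed_src, OTHER_HOST)
    return {
        "legit_delivered": defender.ingest(genuine),
        "blackholed": sorted(defender.blackholed),
    }


if __name__ == "__main__":
    print("naive auto-blackhole:       ", run_scenario(bcp38_at_bot_isp=False))
    print("BCP38 at the bot's ISP:     ", run_scenario(bcp38_at_bot_isp=True))
    print("allowlisted 8.8.8.0/24:     ", run_scenario(False, allowlist=["8.8.8.0/24"]))
    print("allowlist, unlisted source: ",
          run_scenario(False, allowlist=["8.8.8.0/24"], spoofed_src="192.0.2.5"))
```

The naive case is Patrick's point: three forged packets and the defender drops the next genuine packet from 8.8.8.8, having blackholed the impersonated source rather than the bot. The allowlist case is Colin's mitigation and also shows its limit: any source the operator did not think to list (192.0.2.5 in the last run) still earns the attacker a free blackhole. Only the BCP38 filter leaves nothing null-routed, and it works precisely because it sits at the bot's edge, where the assigned prefix is known, rather than at the victim, who cannot distinguish a forged source from a real one.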