[183877] in North American Network Operators' Group
Re: DDoS auto-mitigation best practices (for eyeball networks)
daemon@ATHENA.MIT.EDU (Mike Hammett)
Sat Sep 19 16:52:01 2015
Date: Sat, 19 Sep 2015 15:51:51 -0500 (CDT)
From: Mike Hammett <nanog@ics-il.net>
Cc: nanog@nanog.org
Often it's an argument in some sort of online game or a poor loser.
-----
Mike Hammett
Intelligent Computing Solutions
http://www.ics-il.com
Midwest Internet Exchange
http://www.midwest-ix.com
----- Original Message -----
From: "Mehmet Akcin" <mehmet@akcin.net>
To: "Frank Bulk" <frnkblk@iname.com>
Cc: nanog@nanog.org
Sent: Saturday, September 19, 2015 3:09:47 PM
Subject: Re: DDoS auto-mitigation best practices (for eyeball networks)
How does he/she become a target? How does the IP address get exposed?
I guess the simplest way is to reboot the modem and hope to get a new IP (or call and request).
Mehmet
> On Sep 19, 2015, at 12:54, Frank Bulk <frnkblk@iname.com> wrote:
>
> Could the community share some DDoS auto-mitigation best practices for
> eyeball networks, where the target is a residential broadband subscriber?
> I'm not asking so much about the customer communication as much as
> configuration of any thresholds or settings, such as:
> - minimum traffic volume before responding (for volumetric attacks)
> - minimum time to wait before responding
> - filter percentage: 100% of the traffic toward target (or if volumetric,
> just a certain percentage)?
> - time before mitigation is automatically removed
> - and if the attack should recur shortly thereafter, time to respond and
> remove again
> - use of an upstream provider(s) mitigation services versus one's own
> mitigation tools
> - network placement of mitigation (presumably as far upstream as possible)
> - and anything else
>
> I ask about best practice for broadband subscribers on eyeball networks
> because it's a different environment than data center and hosting environments
> or when one's network is being used to DDoS a target.
>
> Regards,
>
> Frank
>