[185656] in North American Network Operators' Group


Re: DDoS Mitigation

daemon@ATHENA.MIT.EDU (Pavel Odintsov)
Thu Nov 5 03:51:00 2015

X-Original-To: nanog@nanog.org
In-Reply-To: <CAL9jLaY15KDufQxje=6SudU6iNhpKw0+hNVJB_ibZN4jnkovVA@mail.gmail.com>
Date: Thu, 5 Nov 2015 11:50:56 +0300
From: Pavel Odintsov <pavel.odintsov@gmail.com>
To: Christopher Morrow <morrowc.lists@gmail.com>
Cc: "nanog@nanog.org" <nanog@nanog.org>
Errors-To: nanog-bounces@nanog.org

Hello, Christopher!

Could you share "there are quite a few in the US that will filter
traffic like this for you" off-list?

On Thu, Nov 5, 2015 at 3:27 AM, Christopher Morrow
<morrowc.lists@gmail.com> wrote:
> a short answer for the OP is: "Find an ISP that will actually support you"
>
> there are quite a few in the US that will filter traffic like this for
> you (vzb will) on demand, provided the traffic is service impacting
> and NOT 'victoria secret runway show' traffic.
>
> alternately you could find an ISP that has a mitigation service (vzb,
> att, ntt, sprint i think still does)  and move your links there.
>
> All of those are cheaper when under attack than the off-network
> solutions (generally).
>
> On Thu, Nov 5, 2015 at 9:12 AM, Tin, James <jtin@akamai.com> wrote:
>> This is my first post to Nanog. So please don't flame me down ;)
>>
>> Hi Mario.
>>
>> Typically the cost of DDoS mitigation is charged on the amount of clean traffic inbound to your network, the number of protected /24 ranges you need protected and the number of datacentres you want to protect.
>>
>> Ideally the DDoS mitigation solution should block attacks as close as possible to the source of the attack. One good way of doing this is by leveraging anycast from multiple scrubbing centres and ensuring there is enough backbone bandwidth between each scrubbing centre to deliver clean traffic.
>>
>> Blocking it at your upstream transit provider may be too late for significant attacks as any service provider between you and the source could black hole the traffic before it gets to your peers. This results in legitimate traffic not being able to reach your network.
>>
>> Paras is correct, attacks could be on any port and often multi-vector and change within an attack campaign if attackers see one vector is not effective. So each attack really needs to be dealt with dynamically to ensure there are no false positives (something is blocked when it shouldn't be).
>>
>> Unfortunately it is very simple to initiate a DDoS attack, but the cost of mitigation is very high. So the solution you choose really depends on the monetary cost of the outages, clients you have and whether the cost can be amortised over your client base.
>>
>> I have seen service providers offer premium hosting services which have DDoS mitigation, using separate infrastructure and links to their normal customers. This reduces the cost of mitigation while also containing the risks and the collateral damage.
>>
>> There are also different DDoS mitigation solutions depending on the service protocols you are offering, i.e. web traffic could be mitigated with a CDN vs all protocols and ports with BGP via a scrubbing centre.
>>
>> Sent from my iPhone
>> James Tin
>> Enterprise Security Architect APJ
>>
>> On 5 Nov 2015, at 05:13, Paras <paras@protrafsolutions.com> wrote:
>>
>> Hey,
>>
>> Just blocking port 19 won't cut it, as we often see Chargen attacks that run on nonstandard ports as well
>>
>> Thanks,
>> Paras
>>
>> On 11/4/2015 12:33 PM, Mario Eirea wrote:
>> Hello everyone,
>>
>> Looking to find out how the pricing model works for DDoS mitigation and what to expect as far as ballpark pricing from my ISP. Some background, we are getting hit with a chargen attack that comes and goes and is saturating our 500mb connection. Tried hitting up the ISP for UDP block on 19 but they want us to go through our rep, in the process making this go on longer than is necessary. Any feedback would be appreciated.
>>
>> Thanks,
>>
>> -ME
>>
>>



-- 
Sincerely yours, Pavel Odintsov
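The point Paras raises in the thread, that chargen reflection traffic is not tied to UDP/19 and a port-only block misses reflectors served on non-standard ports, as an added Python example that is not part of this thread or any poster's code: it classifies UDP datagrams by whether the payload has the RFC 864 rotating printable-ASCII shape rather than by source port, on constructed sample datagrams with TEST-NET addresses; the datagram record layout and the 0.85 threshold are assumptions.

```python
"""Port-agnostic detector for chargen (RFC 864) reflection payloads (constructed example).
A chargen reply is a rotating window over the 95 printable ASCII chars (0x20..0x7E),
72 per line, each line starting one char later; matching that shape catches reflectors
on non-standard source ports that a plain "block UDP/19" rule misses."""
from dataclasses import dataclass

PRINTABLE_LO, PRINTABLE_HI = 0x20, 0x7E
CYCLE = PRINTABLE_HI - PRINTABLE_LO + 1  # 95 characters in the rotating pattern

def chargen_line(offset: int, width: int = 72) -> bytes:
    """Build one RFC 864 line starting at `offset` into the cycle, plus CRLF."""
    return bytes(PRINTABLE_LO + (offset + i) % CYCLE for i in range(width)) + b"\r\n"

def chargen_score(payload: bytes) -> float:
    """Fraction of adjacent byte pairs that step through the chargen cycle."""
    body = payload.replace(b"\r\n", b"")
    if len(body) < 16:  # too short to judge; avoids false positives on tiny datagrams
        return 0.0
    hits = 0
    for cur, nxt in zip(body, body[1:]):
        if PRINTABLE_LO <= cur <= PRINTABLE_HI:
            expected = PRINTABLE_LO + (cur - PRINTABLE_LO + 1) % CYCLE  # '~' wraps to ' '
            hits += nxt == expected
    return hits / (len(body) - 1)

@dataclass
class UdpDatagram:  # assumed record layout, not a real flow-export format
    src: str
    sport: int
    payload: bytes

def is_chargen_reflection(dgram: UdpDatagram, threshold: float = 0.85) -> bool:
    """Decide on payload shape alone; the source port is reported, not trusted."""
    return chargen_score(dgram.payload) >= threshold

# Constructed sample traffic on TEST-NET addresses, not captured data.
SAMPLES = [
    UdpDatagram("198.51.100.7", 19, b"".join(chargen_line(i) for i in range(3))),
    UdpDatagram("198.51.100.9", 40019, b"".join(chargen_line(i) for i in range(5, 8))),
    UdpDatagram("198.51.100.53", 53, b"\x12\x34\x81\x80\x00\x01\x00\x01\x07example\x03com\x00"),
    UdpDatagram("198.51.100.19", 19, b"hello, world! this is not chargen output"),
]

def flagged_reflectors(samples=SAMPLES) -> list[str]:
    """Return 'src:sport' for every datagram whose payload looks like chargen."""
    return [f"{d.src}:{d.sport}" for d in samples if is_chargen_reflection(d)]
```

The fourth sample shows the other side of the same point: a datagram from source port 19 is not flagged on port alone, so a payload-shape rule produces fewer false positives than a blanket port block.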
