[186208] in North American Network Operators' Group


Re: Ransom DDoS attack - need help!

daemon@ATHENA.MIT.EDU (Roland Dobbins)
Thu Dec 3 23:09:10 2015

X-Original-To: nanog@nanog.org
From: "Roland Dobbins" <rdobbins@arbor.net>
To: NANOG <nanog@nanog.org>
Date: Fri, 04 Dec 2015 11:09:02 +0700
In-Reply-To: <20151204023442.GA9156@Mail.DDoS-Mitigator.net>
Errors-To: nanog-bounces@nanog.org

On 4 Dec 2015, at 9:34, alvin nanog wrote:

> all that tcpdump jibberish

Is entirely unnecessary, as well as being completely impractical on a 
network of any size.

Reasonable network access policies for the entities under attack plus 
flow telemetry collection/analysis, S/RTBH, and/or flowspec are a good 
start, along with this:

<http://www.merit.edu/mail.archives/nanog/msg03776.html>

This business of attempting to use packet captures for everything is the 
equivalent of your doctor attempting to diagnose the reason you're 
running a fever by using an electron microscope.

Start with the BCPs, then move to the macroanalytical.  Only dip into 
the microanalytical when required, and even then, do so very 
selectively.

-----------------------------------
Roland Dobbins <rdobbins@arbor.net>
