[191644] in North American Network Operators' Group


Re: Krebs on Security booted off Akamai network after DDoS attack

daemon@ATHENA.MIT.EDU (Christopher Morrow)
Fri Sep 23 22:42:51 2016

X-Original-To: nanog@nanog.org
In-Reply-To: <Pine.LNX.4.61.1609232203430.26305@soloth.lewis.org>
From: Christopher Morrow <morrowc.lists@gmail.com>
Date: Fri, 23 Sep 2016 22:42:45 -0400
To: Jon Lewis <jlewis@lewis.org>
Cc: NANOG list <nanog@nanog.org>
Errors-To: nanog-bounces@nanog.org

On Fri, Sep 23, 2016 at 10:13 PM, Jon Lewis <jlewis@lewis.org> wrote:

> On Fri, 23 Sep 2016, Christopher Morrow wrote:
>
> On Fri, Sep 23, 2016 at 9:24 PM, Jon Lewis <jlewis@lewis.org> wrote:
>>
>> On Fri, 23 Sep 2016, Patrick W. Gilmore wrote:
>>>
>>>> Is CloudFlare able to filter Layer 7 these days? I was under the
>>>> impression CloudFlare was not able to do that.
>>>>
>>>> There have been a lot of rumors about this attack. Some say reflection,
>>>> others say Layer 7, others say .. other stuff. If it is Layer 7, how are
>>>> you going to "step in front of the cannon"? Would you just pass through
>>>> all the traffic?
>>>>
>>>>
>>> Anycast + load balancers + high powered varnish?
>>>
>>>
>> notionally (because I have been paying zero attention to this) jon's
>> suggesting:
>>  1) setup a crapload of nginx/squid/etc configured tightly for things to
>> be accessed behind them
>>  2) ecmp to them across several layers (assume 32 ecmp at each layer,
>> call it 4 layers get craploads of machines running)
>>  3) change over the dns
>>  4) profit--
>>
>> eh? If you can eat the PPS, you can spray across enough tcp listeners,
>> you can weed out the chaff and start filtering in the 'application'...
>> perhaps also run a 'low bandwidth' version of the target site...
>>
>> hey look, we invented prolexic.
>>
>
> Well...by anycast, I meant BGP anycast, spreading the "target"
> geographically to a dozen or more well connected/peered origins.  At that
> point, your ~600G DDoS might only be around


anycast and tcp? the heck you say! :)


> 50G per site, and at that level, filtering the obvious crap gets much
> more reasonable.  Then, doing the layer 7 scrubbing of the less obvious
> crap is more easily dealt with than a single site receiving 600G of
> attack traffic.
>
>
sure, yes.


> I haven't actually done this (specifically for DDoS mitigation)...just
> speculating as to how it might easily be done given sufficient resources.
> The trouble is, the attackers have virtually unlimited bandwidth, and
> aren't constrained by having to pay for the bandwidth.
>
>
sounds like you got it all sorted out...


>
> ----------------------------------------------------------------------
>  Jon Lewis, MCP :)           |  I route
>                              |  therefore you are
> _________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
>
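The fan-out-and-filter scheme the thread sketches (many tightly configured reverse proxies behind several ECMP layers, with application-layer filtering once a flow lands on a listener), as an added example that is not code from the thread or from any NANOG poster. It models the ECMP stage with a salted SHA-256 over the TCP 5-tuple (real routers use vendor-specific hash functions), assumes each flow keeps reaching the same anycast site for its lifetime, and the allowed host, the path allow-list and the sample requests are all constructed for illustration.

```python
"""Fan-out-and-filter model: hash each TCP flow through several ECMP layers
to land on one of many reverse-proxy listeners, then apply a tight
application-layer allow-list at that listener.

Added example, not code from the thread. The hash, the listener pool, the
allow-list and the sample traffic are constructed; the model assumes a flow
stays at one anycast site for its lifetime.
"""
import hashlib
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """TCP/IP 5-tuple as an ECMP hash would see it."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: int = 6  # TCP


def ecmp_path(flow: Flow, fanout: int = 32, layers: int = 4) -> tuple:
    """Pick one of `fanout` next hops at each of `layers` ECMP stages.

    Salting the hash with the layer index keeps successive stages from all
    choosing the same index (ECMP polarisation). Stand-in for router hashing.
    """
    key = (f"{flow.src_ip}|{flow.src_port}|{flow.dst_ip}|"
           f"{flow.dst_port}|{flow.proto}").encode()
    path = []
    for layer in range(layers):
        digest = hashlib.sha256(bytes([layer]) + key).digest()
        path.append(int.from_bytes(digest[:4], "big") % fanout)
    return tuple(path)


def listener_count(fanout: int = 32, layers: int = 4) -> int:
    """Distinct leaf listeners a full ECMP tree of this shape addresses."""
    return fanout ** layers


# Allow-list for the "configured tightly" proxies: only the methods, host
# and paths the origin actually serves get forwarded (constructed values).
ALLOWED_METHODS = {"GET", "HEAD"}
ALLOWED_HOSTS = {"www.example.com"}
ALLOWED_PREFIXES = ("/static/", "/blog/")
MAX_TARGET_LEN = 1024


def filter_request(raw: bytes) -> tuple:
    """Return (forward, reason) for one HTTP/1.1 request head.

    Anything that is not a plain, well-formed request for a known host and
    path is dropped at the edge instead of reaching the origin.
    """
    try:
        head = raw.decode("ascii")
    except UnicodeDecodeError:
        return (False, "non-ascii")
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or parts[2] != "HTTP/1.1":
        return (False, "bad-request-line")
    method, target, _ = parts
    if method not in ALLOWED_METHODS:
        return (False, "method")
    if len(target) > MAX_TARGET_LEN or ".." in target:
        return (False, "target")
    path = target.split("?", 1)[0]
    if path != "/" and not path.startswith(ALLOWED_PREFIXES):
        return (False, "path")
    host = None
    for line in lines[1:]:
        if line.lower().startswith("host:"):
            host = line.split(":", 1)[1].strip().lower()
            break
    if host not in ALLOWED_HOSTS:
        return (False, "host")
    return (True, "ok")


def spray_and_filter(samples):
    """Route each (flow, request) through ECMP, filter at the listener, and
    return per-listener forwarded counts plus a Counter of drop reasons."""
    forwarded, dropped = Counter(), Counter()
    for flow, raw in samples:
        ok, reason = filter_request(raw)
        if ok:
            forwarded[ecmp_path(flow)] += 1
        else:
            dropped[reason] += 1
    return forwarded, dropped


# Constructed sample traffic: two legitimate requests and four kinds of chaff.
SAMPLES = [
    (Flow("203.0.113.10", 51000, "198.51.100.1", 80),
     b"GET /blog/ HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    (Flow("203.0.113.11", 51001, "198.51.100.1", 80),
     b"HEAD /static/app.css HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    (Flow("192.0.2.5", 40000, "198.51.100.1", 80),
     b"POST /blog/ HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    (Flow("192.0.2.6", 40001, "198.51.100.1", 80),
     b"GET /blog/ HTTP/1.1\r\nHost: other.example\r\n\r\n"),
    (Flow("192.0.2.7", 40002, "198.51.100.1", 80),
     b"GET /" + b"A" * 2000 + b" HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    (Flow("192.0.2.8", 40003, "198.51.100.1", 80), b"\x00\xff\x13garbage"),
]

if __name__ == "__main__":
    fwd, drp = spray_and_filter(SAMPLES)
    print("forwarded per listener:", dict(fwd))
    print("dropped by reason:", dict(drp))
```

The allow-list is the part that does the "weeding out the chaff": a proxy that forwards only what the origin serves lets the fan-out absorb packets per second while the origin sees a fraction of the requests. The ECMP stage is deterministic per 5-tuple, which is what keeps a TCP connection on one listener as long as the anycast route itself stays stable.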
