[71647] in North American Network Operators' Group

Re: real-time DDoS help?

daemon@ATHENA.MIT.EDU (Mike Lewinski)
Sat Jun 19 23:08:18 2004

Date: Sat, 19 Jun 2004 21:07:30 -0600
From: Mike Lewinski <mike@rockynet.com>
To: nanog@merit.edu
In-Reply-To: <20040619220032.V42597@shell.inch.com>
Errors-To: owner-nanog-outgoing@merit.edu


Charles Sprickman wrote:

> Is there any place where people with experience dealing with DDoS attacks
> hang out?  I'm getting very little assistance from my upstream beyond
> "call whomever is in charge of each IP attacking and make them stop", and
> "even though we null route the destination IP being attacked, this traffic
> will be billed".

While I hate the "blame the victim" mentality in general, I'd guess that 
up to half of all the packet floods we've experienced were aimed at 
compromised client boxes that were hosting illegitimate services. If 
your victim has no idea why they're being attacked, I'd scrutinize the 
target host very carefully.

Or if your victim is a shell host who's probably got some skript kiddie 
engaged in channel wars, it will likely save you a lot of time and grief 
to just dump that client. Is losing one worth sacrificing the rest?

Unless you know exactly why you're being attacked and are willing to 
suffer these consequences indefinitely, you will do yourself a big favor 
by looking at the victim to see why the attack is occurring and removing 
the target from your network.
