[80702] in North American Network Operators' Group
Re: DOS attack tracing
daemon@ATHENA.MIT.EDU (Gadi Evron)
Tue May 10 08:09:27 2005
Date: Tue, 10 May 2005 15:07:19 +0300
From: Gadi Evron <gadi@tehila.gov.il>
To: "Hannigan, Martin" <hannigan@verisign.com>
Cc: Kim Onnel <karim.adel@gmail.com>,
Scott Weeks <surfer@mauigateway.com>, nanog@merit.edu
In-Reply-To: <A206819EF47CBE4F84B5CB4A303CEB7A5212CB@dul1wnexmb01.vcorp.ad.vrsn.com>
Errors-To: owner-nanog@merit.edu
Hannigan, Martin wrote:
>
Well, this is no longer about tracing DDoS, I suppose...
> Good advice when DDOS' are constant. If this was a first and possibly
> last for awhile, it may make sense to rely on the software tools
> and a good 'SOP' with the provider instead. It really depends on
> the scope of the problem in particular.
>
> DDOS' is rather infrequent to zero for most enterprises. That DDOS
> golden banana is rather yummy with sprinkles on top. Don't get me wrong,
> the DDOS problem is real, but not for everyone, and not as frequently as
> it's being hyped up to be. A managed service is a better way
> to go if they're worried, IMO.
Two things: planning for disaster, and mitigating on-going DDoS attacks.
Planning...
Sound advice, but I'd phrase it a little differently.
All depending on how big they are, how much they have to invest, how
worried they are and how much they stand to lose by such an attack,
short or prolonged (which after their last experience they should be
able to answer), they are more than capable of deciding how much they want
to invest.
If they are generally concerned but not truly able to pay so much for
an... infrequent serious risk, they can indeed get better (more
organized) relations with their uplink, as well as perhaps check if
their uplink can use their own... say, Cisco Guard for them or whatever
other mitigation service they can offer. That, or get a better uplink.
They could combine tactics, such as, for example, getting the Guard but directing
it using netflow data rather than the Detector.
It all depends on how much they are willing to invest, but knowing what
they need is entirely up to them, and after such an attack I bet they
have a fairly good idea.
Mitigating...
As to the infrequency of the attacks, it really depends on who you ask.
We (at Tehila) get attacked quite often, and we see others get attacked
quite often. Others yet get attacked on such a scale once a year or so.
How much do you stand to lose from just ONE devastating attack?
Underplaying DDoS, though, is something I do not agree with you on.
The scale of the problem is much bigger than most believe.
Unrelated to my own experience and that of my employer, at the drone
armies research and mitigation mailing list we have been able to
actively mitigate DDoS attacks in real time; what we need is a log of
the attacking IPs with timestamps, and we do our best to help.
In our last success we mitigated a 400 mega-packet attack down to just
about 20, crippling the ability of the attacker to strike for a few
weeks. After his second attempt he never went back to that target again
(so far, anyway).
Gadi.
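The "log of attacking IPs with timestamps" the post asks for can be produced from the same netflow data a Guard would be steered with. The script below is an added example, not from the original post or any tool it names: it parses constructed NetFlow-style records (timestamp, source, destination, packet count; the format, the target address and the per-source packet threshold are all assumptions) and emits, per heavy source, first seen, last seen and total packets.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample NetFlow-style records (not from the original post):
# timestamp src_ip dst_ip packets
SAMPLE_FLOWS = """\
2005-05-10T14:58:01 10.1.1.1 192.0.2.10 50
2005-05-10T14:58:02 198.51.100.7 192.0.2.10 40000
2005-05-10T14:58:03 198.51.100.9 192.0.2.10 38000
2005-05-10T14:58:04 10.1.1.2 192.0.2.10 30
2005-05-10T14:58:05 198.51.100.7 192.0.2.10 42000
2005-05-10T14:58:06 203.0.113.5 192.0.2.10 120
"""

def parse_flows(text):
    """Parse whitespace-separated flow lines into dicts, skipping malformed ones."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, src, dst, pkts = parts
        try:
            flows.append({"ts": datetime.fromisoformat(ts), "src": src,
                          "dst": dst, "pkts": int(pkts)})
        except ValueError:
            continue
    return flows

def attacker_log(flows, target, threshold_pkts):
    """Sum packets per source toward `target`; return sources at or above
    threshold_pkts as (src, packets, first_seen, last_seen), largest first.
    The threshold is an assumed value; tune it to the link's normal baseline."""
    totals, first, last = defaultdict(int), {}, {}
    for f in flows:
        if f["dst"] != target:
            continue
        src = f["src"]
        totals[src] += f["pkts"]
        first[src] = min(first.get(src, f["ts"]), f["ts"])
        last[src] = max(last.get(src, f["ts"]), f["ts"])
    rows = [(s, totals[s], first[s], last[s])
            for s in totals if totals[s] >= threshold_pkts]
    return sorted(rows, key=lambda r: r[1], reverse=True)

def format_log(rows):
    """Render rows as 'src first_seen last_seen packets' lines for sharing."""
    return [f"{s} {a.isoformat()} {b.isoformat()} {n}" for s, n, a, b in rows]
```

Calling `format_log(attacker_log(parse_flows(SAMPLE_FLOWS), "192.0.2.10", 10000))` yields one line per heavy source, with the low-volume legitimate clients filtered out by the threshold.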