And those are much more complex to detect than SYN attacks or simple 
flood attacks with ICMP.

        But even for simple flood attacks, I still think that the target has
very few defence mechanisms, and those that exist require complex
coordination with upstreams.

Cheers,
.as

On 8 Dec 2010, at 13:39, Jeffrey Lyon wrote:

> We have seen a recent trend of attackers "legitimately" purchasing
> servers to use for attacks. They'll set up a front company, attempt to
> make the traffic look legitimate, and then launch attacks from their
> "legitimate" botnet.
> 
> Jeff
> 
> On Wed, Dec 8, 2010 at 10:33 AM, Arturo Servin <arturo.ser...@gmail.com> 
> wrote:
>> 
>> On 8 Dec 2010, at 13:12, nanog-requ...@nanog.org wrote:
>> 
>>> Date: Wed, 8 Dec 2010 12:53:51 +0000
>>> From: "Dobbins, Roland" <rdobb...@arbor.net>
>>> Subject: Re: Over a decade of DDOS--any progress yet?
>>> To: North American Operators' Group <nanog@nanog.org>
>>> Message-ID: <bf571ad7-1122-407b-b7fa-77b9bbac4...@arbor.net>
>>> Content-Type: text/plain; charset="us-ascii"
>>> 
>>> 
>>> On Dec 8, 2010, at 7:28 PM, Arturo Servin wrote:
>>> 
>>>>      One big problem (IMHO) of DDoS is that sources (the host of botnets) 
>>>> may be completely unaware that they are part of a DDoS. I do not mean the 
>>>> bot machine, I mean the ISP connecting those.
>>> 
>>> The technology exists to detect and classify this attack traffic, and is 
>>> deployed in production networks today.
>> 
>>        Yes, they do exist. But are people really filtering out attacks or
>> just watching the attacks going out?
>> 
>> 
>>> 
>>> And of course, the legitimate owners of the botted hosts are generally 
>>> unaware that their machine is being used for nefarious purposes.
>>> 
>>>>      On the other hand, the target of a DDoS cannot do anything to stop the
>>>> attack besides adding more BW or contacting one by one the whole path of
>>>> providers to try to minimize the effect.
>>> 
>>> Actually, there're lots of things they can do.
>> 
>>        Yes, but all of them rely on your upstreams or on mirroring your
>> content. If 100 Mbps are reaching your input interface of 10 Mbps there is
>> not much that you can do.
>> 
>>> 
>>>>      I know that this has many security concerns, but would it be good to have a
>>>> signalling protocol between ISPs to inform the sources of a DDoS attack in
>>>> order to take semiautomatic actions to rate-limit the traffic as close to
>>>> the source as possible? Of course this is more complex than these three or two
>>>> lines, but I wonder if this has been considered in the past.
>>> 
>>> It already exists.
>> 
>>        If you have a URL, that would be good. I only found a few research papers
>> on the topic and RSVP documents but nothing really concrete.
>> 
>> Regards,
>> -as
> 
> 
> 
> -- 
> Jeffrey Lyon, Leadership Team
> jeffrey.l...@blacklotus.net | http://www.blacklotus.net
> Black Lotus Communications - AS32421
> First and Leading in DDoS Protection Solutions

