And those are much more complex to detect than SYN attacks or simple flood attacks with ICMP.

But even for simple flood attacks, I still think that the target has very few defence mechanisms, and those that exist require complex coordination with upstreams.

Cheers,
.as

On 8 Dec 2010, at 13:39, Jeffrey Lyon wrote:

> We have seen a recent trend of attackers "legitimately" purchasing
> servers to use for attacks. They'll set up a front company, attempt to
> make the traffic look legitimate, and then launch attacks from their
> "legitimate" botnet.
>
> Jeff
>
> On Wed, Dec 8, 2010 at 10:33 AM, Arturo Servin <arturo.ser...@gmail.com> wrote:
>>
>> On 8 Dec 2010, at 13:12, nanog-requ...@nanog.org wrote:
>>
>>> Date: Wed, 8 Dec 2010 12:53:51 +0000
>>> From: "Dobbins, Roland" <rdobb...@arbor.net>
>>> Subject: Re: Over a decade of DDOS--any progress yet?
>>> To: North American Operators' Group <nanog@nanog.org>
>>> Message-ID: <bf571ad7-1122-407b-b7fa-77b9bbac4...@arbor.net>
>>> Content-Type: text/plain; charset="us-ascii"
>>>
>>>
>>> On Dec 8, 2010, at 7:28 PM, Arturo Servin wrote:
>>>
>>>> One big problem (IMHO) of DDoS is that sources (the hosts of botnets)
>>>> may be completely unaware that they are part of a DDoS. I do not mean the
>>>> bot machine, I mean the ISP connecting those.
>>>
>>> The technology exists to detect and classify this attack traffic, and is
>>> deployed in production networks today.
>>
>> Yes, they do exist. But are people really filtering out attacks, or
>> just watching the attacks going out?
>>
>>
>>>
>>> And of course, the legitimate owners of the botted hosts are generally
>>> unaware that their machine is being used for nefarious purposes.
>>>
>>>> On the other hand, the target of a DDoS cannot do anything to stop the
>>>> attack besides adding more BW or contacting one by one the whole path of
>>>> providers to try to minimize the effect.
>>>
>>> Actually, there're lots of things they can do.
>>
>> Yes, but all of them rely on your upstreams or on mirroring your
>> content. If 100 Mbps are reaching your input interface of 10 Mbps there is
>> not much that you can do.
>>
>>>
>>>> I know that this has many security concerns, but would it be good to have a
>>>> signalling protocol between ISPs to inform the sources of a DDoS attack in
>>>> order to take semiautomatic actions to rate-limit the traffic as close as
>>>> possible to the source? Of course this is more complex than these three or two
>>>> lines, but I wonder if this has been considered in the past.
>>>
>>> It already exists.
>>
>> If you have a URL, that would be good. I only found a few research papers
>> on the topic and RSVP documents but nothing really concrete.
>>
>> Regards,
>> -as
>
>
>
> --
> Jeffrey Lyon, Leadership Team
> jeffrey.l...@blacklotus.net | http://www.blacklotus.net
> Black Lotus Communications - AS32421
> First and Leading in DDoS Protection Solutions