On 12/8/2010 9:52 AM, Dobbins, Roland wrote:
On Dec 8, 2010, at 10:47 PM, Arturo Servin wrote:
But even for simple flood attacks, I still think that the target has
very few defence mechanisms, and those that exists require a complex
coordination with upstreams.
This is demonstrably incorrect.
+1
For IPs that don't matter, automated /32 blackholes are usually
supported by most providers. For critical infrastructure, I've not had a
problem with the security/abuse/noc departments working with me to
resolve the issue.
The first step to DOS mitigation is being able to shut down the attack
vector. If they hit an IP, shut it down, let the 50 other distributed
systems take care of it.
It's all a matter of perspective, and it has to be handled on a case by
case basis. I had a dialup modem bank IP get DOS's due to a customer off
it. Well, the modem bank itself doesn't need to talk to the outside
world (outside of traceroutes), so a quick blackhole of it stopped the
DDOS (which was a small 300mb/s).
I've talked with several providers who will gladly redirect a subset of
IP's through their high end filters, so in event of DOS, I can drop that
/24 down to 1 transit peer, have them redirect it through their filter
servers, and get clean traffic back to my network.
Jack
