On 30 Jul 2015, at 2:38, alvin nanog wrote:
there is no need to pay people to attack your servers ...
Unless you don't have the expertise to do it yourself. Again, I
advocate an organic defense capability and an organic testing
capability, but there are many organizations which unfortunately don't
have these, and they must start somewhere.
- tcpdump and wireshark will tell you everything the attackers are
doing to your network right now that needs to be defended against
On small, single-homed networks, sure. On networks of any size, this
doesn't scale.
Flow telemetry scales.
if a mid-level wanna be attacker wants to target your servers, they're
just as equally easy to mitigate and prevent and probably sending you
100,000 "ddos packets" per second because they can ( bigger zombie
network :-)
100kpps is nothing. Of course, so many servers/services are so brittle,
fragile, and non-scalable that most DDoS attacks are overkill by orders
of magnitude.
if you are being targeted by "masters of deception" you have no
solution
other than get local law enforcement involved to track down the
originating
attackers
I'm not sure who or what 'masters of deception' are in this context, but
attribution has nothing to do with DDoS defense.
Defending against serious attackers with lots of resources is taking
place every minute of every hour of every day. There are many
techniques and tools available, most of which have been discussed
multiple times on this list over the years. Here's one such example:
<http://mailman.nanog.org/pipermail/nanog/2010-January/016747.html>
all ddos mitigations is almost 100% guaranteed to fail a volumetric
DDoS attacks ....
This is incorrect.
the DDoS attackrs probably have access to a bigger zombie
network than most major corp ...
This is true, in many cases - and is also not an issue for
properly-provisioned, coordinated DDoS defense mechanisms and
methodologies.
the attackers job is not to get caught and
is not ez to be hiding if law enforcement wanted to catch them :-)
Again, attribution is a completely separate issue.
nping "send 100,000 packets/sec" x 65,000byte/packet 192.168.0.0/16
FYI, 'line-rate' for 64-byte packets at 10gb/sec is ~14.8mpps.
by the same premise, if i had to pick ONE ddos mitigation strategy,
i'd
tarpit all incoming TCP-based ddos attacks which should crash the
attacking zombie server under sustained tcp-based ddos attacks
There is no one tactic (this is not a strategy) which can be picked, as
any kind of traffic can be used for DDoS attacks. With regards to
TCP-based attacks, it's a subset of those which are connection-oriented
and are thus susceptible to tarpitting-type techniques.
-----------------------------------
Roland Dobbins <rdobb...@arbor.net>
