On Fri, Sep 23, 2016 at 10:13 PM, Jon Lewis <jle...@lewis.org> wrote:
> On Fri, 23 Sep 2016, Christopher Morrow wrote:
>
>> On Fri, Sep 23, 2016 at 9:24 PM, Jon Lewis <jle...@lewis.org> wrote:
>>
>>> On Fri, 23 Sep 2016, Patrick W. Gilmore wrote:
>>>
>>>> Is CloudFlare able to filter Layer 7 these days? I was under the
>>>> impression CloudFlare was not able to do that.
>>>>
>>>> There have been a lot of rumors about this attack. Some say reflection,
>>>> others say Layer 7, others say .. other stuff. If it is Layer 7, how are
>>>> you going to "step in front of the cannon"? Would you just pass through
>>>> all the traffic?
>>>
>>> Anycast + load balancers + high powered varnish?
>>
>> notionally (because I have been paying zero attention to this) jon's
>> suggesting:
>> 1) setup a crapload of nginx/squid/etc configured tightly for things to
>> be accessed behind them
>> 2) ecmp to them across several layers (assume 32 ecmp at each layer, call
>> it 4 layers get craploads of machines running)
>> 3) change over the dns
>> 4) profit--
>>
>> eh? If you can eat the PPS, you can spray across enough tcp listeners, you
>> can weed out the chaff and start filtering in the 'application'... perhaps
>> also run a 'low bandwidth' version of the target site...
>>
>> hey look, we invented prolexic.
>
> Well...by anycast, I meant BGP anycast, spreading the "target"
> geographically to a dozen or more well connected/peered origins. At that
> point, your ~600G DDoS might only be around

anycast and tcp? the heck you say! :)

> 50G per site, and at that level, filtering the obvious crap gets much more
> reasonable. Then, doing the layer 7 scrubbing of the less obvious crap is
> more easily dealt with than a single site receiving 600G of attack traffic.

sure, yes.

> I haven't actually done this (specifically for DDoS mitigation)...just
> speculating as to how it might easily be done given sufficient resources.
> The trouble is, the attackers have virtually unlimited bandwidth, and
> aren't constrained by having to pay for the bandwidth.

sounds like you got it all sorted out...

> ----------------------------------------------------------------------
> Jon Lewis, MCP :) | I route
> | therefore you are
> _________ http://www.lewis.org/~jlewis/pgp for PGP public key_________