Re: DDOS solution recommendation

2015-01-13 Thread Brandon Ross
" Sent: Monday, January 12, 2015 3:05:14 PM Subject: Re: DDOS solution recommendation On Mon, Jan 12, 2015 at 3:17 PM, Brandon Ross wrote: On Sun, 11 Jan 2015, Mike Hammett wrote: I know that UDP can be spoofed, but it's not likely that the SSH, mail, etc. login attempts, web page

Re: DDOS solution recommendation

2015-01-12 Thread Roland Dobbins
On 13 Jan 2015, at 4:51, Scott Fisher wrote: The questions should be much more narrow. "How should I mitigate an NTP reflection" or "what are common mistakes people make when mitigating attacks" are questions that are more specific that all can glean from. The answers to a lot of those question

Re: DDOS solution recommendation

2015-01-12 Thread Scott Fisher
http://www.ics-il.com > > > > - Original Message - > > From: "Christopher Morrow" > To: "Brandon Ross" > Cc: "Mike Hammett" , "NANOG list" > Sent: Monday, January 12, 2015 3:05:14 PM > Subject: Re: DDOS solution recommend

Re: DDOS solution recommendation

2015-01-12 Thread Max Clark
Ditto - we've been seeing average attack size pushing the 40-50 Gbps mark. The "serious" attacks are much, much larger. On Sat, Jan 10, 2015 at 8:50 PM, Ammar Zuberi wrote: > I'd beg to differ on this one. The average attacks we're seeing are double > that, around the 30-40g mark. Since NTP and

Re: DDOS solution recommendation

2015-01-12 Thread William F. Maton Sotomayor
: Monday, January 12, 2015 3:05:14 PM Subject: Re: DDOS solution recommendation On Mon, Jan 12, 2015 at 3:17 PM, Brandon Ross wrote: On Sun, 11 Jan 2015, Mike Hammett wrote: I know that UDP can be spoofed, but it's not likely that the SSH, mail, etc. login attempts, web page hits, etc. wo

Re: DDOS solution recommendation

2015-01-12 Thread Roland Dobbins
On 13 Jan 2015, at 4:35, Mike Hammett wrote: So the preferred alternative is to simply do nothing at all? Straw man. Nobody's said that. Quite the opposite, in point of fact. As noted previously in this thread, there's a lot of information out there about how operators deal with DDoS atta

Re: DDOS solution recommendation

2015-01-12 Thread Christopher Morrow
o note I didn't say 'do nothing'. -chris > - Original Message - > > From: "Christopher Morrow" > To: "Brandon Ross" > Cc: "Mike Hammett" , "NANOG list" > Sent: Monday, January 12, 2015 3:05:14 PM > Subject: Re: D

Re: DDOS solution recommendation

2015-01-12 Thread Scott Weeks
--- na...@ics-il.net wrote: From: Mike Hammett So the preferred alternative is to simply do nothing at all? That seems fair. --- No, the answer is to find the groups that have already looked into the issues, learn what they've done and see if you can pro

Re: DDOS solution recommendation

2015-01-12 Thread Mike Hammett
, "NANOG list" Sent: Monday, January 12, 2015 3:05:14 PM Subject: Re: DDOS solution recommendation On Mon, Jan 12, 2015 at 3:17 PM, Brandon Ross wrote: > On Sun, 11 Jan 2015, Mike Hammett wrote: > >> I know that UDP can be spoofed, but it's not likely that the SSH, ma

Re: DDOS solution recommendation

2015-01-12 Thread Christopher Morrow
On Mon, Jan 12, 2015 at 3:17 PM, Brandon Ross wrote: > On Sun, 11 Jan 2015, Mike Hammett wrote: > >> I know that UDP can be spoofed, but it's not likely that the SSH, mail, >> etc. login attempts, web page hits, etc. would be spoofed as they'd have to >> know the response to be of any good. > > >

Re: DDOS solution recommendation

2015-01-12 Thread Brandon Ross
On Sun, 11 Jan 2015, Mike Hammett wrote: I know that UDP can be spoofed, but it's not likely that the SSH, mail, etc. login attempts, web page hits, etc. would be spoofed as they'd have to know the response to be of any good. Okay, so I'm curious. Are you saying that you do not automatically

Re: DDOS solution recommendation

2015-01-12 Thread Owen DeLong
'm not going to spend a bunch of time and >>>> money to make sure someone's bubble of bliss doesn't get popped. Swift, >>>> effective, cheap. Besides, you're only cut off for 30 days. If in 30 days >>>> you can prove yourself to be responsible, we can try th

Re: DDOS solution recommendation

2015-01-12 Thread Valdis . Kletnieks
On Sun, 11 Jan 2015 15:08:45 -0600, Mike Hammett said: > If that were to happen, it'd be for 30 days and it'd be whatever random > residential account or APNIC address that was doing it. Not really a big > loss. OK. I'll bite. When you get home today, blackhole www.google.com for your home IP

Re: DDOS solution recommendation

2015-01-12 Thread Valdis . Kletnieks
On Mon, 12 Jan 2015 18:06:57 +1100, Mark Andrews said: > > The ISP will very likely not see ANY traffic originating from spoofed > > IP destined to your server. > > They will see the reply traffic and will see the acks increasing etc. Assuming they think to *look* for it. 99.8% of ISPs will ge

Re: DDOS solution recommendation

2015-01-12 Thread Roland Dobbins
On 12 Jan 2015, at 3:28, Colin Johnston wrote: > ips rules and active web source ip monitoring works well Until it doesn't: --- Roland Dobbins

Re: DDOS solution recommendation

2015-01-12 Thread Colin Johnston
Well, >>> that or a sufficient support request. >>> >>> Besides, if enough people did that, the list of blackholes wouldn't be >>> huge as someone upstream already blocked them. >>> >>> >>> >>> >>> -

Re: DDOS solution recommendation

2015-01-12 Thread Tore Anderson
* "Roland Dobbins" > On 12 Jan 2015, at 16:19, Tore Anderson wrote: > > > I'd love to use flowspec over D/RTBH, but to me it seems like > > vapourware. > > I meant on your own infrastructure, apologies for the confusion. Right. So if I first need to accept the traffic onto my infrastructure b

Re: DDOS solution recommendation

2015-01-12 Thread Roland Dobbins
On 12 Jan 2015, at 16:19, Tore Anderson wrote: I'd love to use flowspec over D/RTBH, but to me it seems like vapourware. I meant on your own infrastructure, apologies for the confusion. Transit providers can't offer S/RTBH to their downstreams for obvious reasons. Transit providers utiliz

Re: DDOS solution recommendation

2015-01-12 Thread Tore Anderson
* "Roland Dobbins" > On 11 Jan 2015, at 20:52, Ca By wrote: > > > 3. Have RTBH ready for some special case. > > S/RTBH and/or flowspec are better (S/RTBH does D/RTBH, too). But are there any transit providers that support flowspec these days? As I understand it, only GTT used to, but they sto

Re: DDOS solution recommendation

2015-01-12 Thread Colin Johnston
> On 12 Jan 2015, at 08:29, David Hofstee wrote: > > Hi Mike, > > About trying to hit the mail ports... It is very easy for a domain to set its > MX to a random host name. So before you block you might want to check the > To-domain in the header of the mail. Otherwise it is too easy to DoS y

RE: DDOS solution recommendation

2015-01-12 Thread David Hofstee
: nanog@nanog.org Subject: Re: DDOS solution recommendation Well there's going to be two sources of the attack... infested clients or machines set up for this purpose (usually in a datacenter somewhere). Enough people blackhole the attacking IPs, those IPs are eventually going to have a

Re: DDOS solution recommendation

2015-01-11 Thread Mark Andrews
In message <54b34a12.4000...@tnetconsulting.net>, Grant Taylor writes: > On 01/11/2015 07:42 PM, Mark Andrews wrote: > > Just because you can only identify one of the two remotes doesn't > > mean that you can't report the addresses. It is involved in the > > communication stream. > > It is very

Re: DDOS solution recommendation

2015-01-11 Thread Grant Taylor
On 01/11/2015 07:42 PM, Mark Andrews wrote: Just because you can only identify one of the two remotes doesn't mean that you can't report the addresses. It is involved in the communication stream. It is very difficult to make a case that the host with the spoofed IP address is attacking you wh

Re: DDOS solution recommendation

2015-01-11 Thread Mark Andrews
In message <54b31bbe.3000...@tnetconsulting.net>, Grant Taylor writes: > On 01/11/2015 03:22 PM, Mike Hammett wrote: > > I know that UDP can be spoofed, but it's not likely that the SSH, > > mail, etc. login attempts, web page hits, etc. would be spoofed as > > they'd have to know the response to

Re: DDOS solution recommendation

2015-01-11 Thread Grant Taylor
On 01/11/2015 03:22 PM, Mike Hammett wrote: I know that UDP can be spoofed, but it's not likely that the SSH, mail, etc. login attempts, web page hits, etc. would be spoofed as they'd have to know the response to be of any good. I encourage you to investigate "Triangular Spamming". (http://www

Re: DDOS solution recommendation

2015-01-11 Thread Roland Dobbins
On 11 Jan 2015, at 23:09, valdis.kletni...@vt.edu wrote: > Sounds like RFC1925, section 4 should be top of the list? Indeed - as well as section 8. ;> --- Roland Dobbins

Re: DDOS solution recommendation

2015-01-11 Thread Roland Dobbins
On 11 Jan 2015, at 23:33, Mike Hammett wrote: I don't have the time to read a dozen presentations. Then just read one: Skip the screenshots entirely, if you want, and just read the textual slides at the beginning and the end. -

Re: DDOS solution recommendation

2015-01-11 Thread Damian Menscher
On Sun, Jan 11, 2015 at 5:07 AM, Mike Hammett wrote: > > Blackhole all of the zombie attackers and notify their abuse departments. > Sure, most of the owners of the PCs being used in these scenarios have no > idea they're being used to attack people, but I'd think that if their > network's abuse d

Re: DDOS solution recommendation

2015-01-11 Thread Mike Hammett
oing it. Not really a big > loss. > > > > > - > Mike Hammett > Intelligent Computing Solutions > http://www.ics-il.com > > > > - Original Message - > > From: "Patrick W. Gilmore" > To: "NANOG list" >

Re: DDOS solution recommendation

2015-01-11 Thread Stephen Fulton
peeringdb.com is usually quite accurate. -- Stephen On 2015-01-11 4:11 PM, Pavel Odintsov wrote: Hello! But abuse@ contacts are a very-very-very hard way of contacting an ASN administrator in case of attack. A big amount of requests to #Nanog about "please contact ASN noc with me offlist" co

Re: DDOS solution recommendation

2015-01-11 Thread Patrick W. Gilmore
- > Mike Hammett > Intelligent Computing Solutions > http://www.ics-il.com > > > > - Original Message - > > From: "Patrick W. Gilmore" > To: "NANOG list" > Sent: Sunday, January 11, 2015 1:42:13 PM > Subject: Re: DDOS sol

Re: DDOS solution recommendation

2015-01-11 Thread Pavel Odintsov
Hello! But abuse@ contacts are a very-very-very hard way of contacting an ASN administrator in case of attack. A big amount of requests to #Nanog about "please contact ASN noc with me offlist" confirms this. I got multiple attacks from a well-known ISP and I spent about 10-20 hours to contactin

Re: DDOS solution recommendation

2015-01-11 Thread Mike Hammett
. Gilmore" To: "NANOG list" Sent: Sunday, January 11, 2015 1:42:13 PM Subject: Re: DDOS solution recommendation I do love solutions which open larger attack surfaces than they are supposed to close. In the US, we call that "a cure worse than the disease". Send pack

Re: DDOS solution recommendation

2015-01-11 Thread Owen DeLong
> On Jan 11, 2015, at 05:07 , Mike Hammett wrote: > > Why does it seem like everyone is trying to "solve" this the wrong way? Because it’s what we CAN do. > > Do other networks' abuse departments just not give a shit? Blackhole all of > the zombie attackers and notify their abuse department

Re: DDOS solution recommendation

2015-01-11 Thread Patrick W. Gilmore
rove yourself to be responsible, we can try this again. Well, >>>> that or a sufficient support request. >>>> >>>> Besides, if enough people did that, the list of blackholes wouldn't be >>>> huge as someone upstream already blocked them.

Re: DDOS solution recommendation

2015-01-11 Thread Patrick W. Gilmore
es, if enough people did that, the list of blackholes wouldn't be >> huge as someone upstream already blocked them. >> >> >> >> >> ----- >> Mike Hammett >> Intelligent Computing Solutions >> http://www.ics-il.com >> >>

Re: DDOS solution recommendation

2015-01-11 Thread Phil Bedard
Mike Hammett >Intelligent Computing Solutions >http://www.ics-il.com > > > >- Original Message - > >From: "Roland Dobbins" >To: nanog@nanog.org >Sent: Sunday, January 11, 2015 9:29:33 AM >Subject: Re: DDOS solution recommendation > >

Re: DDOS solution recommendation

2015-01-11 Thread Joel Maslak
On Sun, Jan 11, 2015 at 6:46 AM, Mike Hammett wrote: > You hit my honeypot IPs, blackholed for 30 days. You do a DNS request to > my non-DNS servers, blackholed for 30 days. Same goes for NTP, mail, web, > etc. You have more than say 5 bad login attempts to my mail server in 5 > minutes, blackho

Re: DDOS solution recommendation

2015-01-11 Thread Mike Hammett
tions http://www.ics-il.com - Original Message - From: "Roland Dobbins" To: nanog@nanog.org Sent: Sunday, January 11, 2015 9:29:33 AM Subject: Re: DDOS solution recommendation On 11 Jan 2015, at 22:21, Mike Hammett wrote: > I'm not saying what you're doi

Re: DDOS solution recommendation

2015-01-11 Thread Valdis . Kletnieks
On Sun, 11 Jan 2015 22:29:33 +0700, "Roland Dobbins" said: > > On 11 Jan 2015, at 22:21, Mike Hammett wrote: > > > I'm not saying what you're doing is wrong, I'm saying whatever the > > industry as a whole is doing obviously isn't working and perhaps a > > different approach is required. > > You ha

Re: DDOS solution recommendation

2015-01-11 Thread Pavel Odintsov
Hello! If you are speaking about ISP "filtering" you should check your subnets and ASN here: https://radar.qrator.net I was really amazed at the amount of DDoS bots/amplifiers in my network. On Sun, Jan 11, 2015 at 6:47 PM, Michael Hallgren wrote: > On 11/01/2015 14:50, Patrick W. Gilmore wrote: >>

Re: DDOS solution recommendation

2015-01-11 Thread Michael Hallgren
On 11/01/2015 14:50, Patrick W. Gilmore wrote: > I agree with lots said here. > > But I've said for years (despite some people saying I am confused) that BCP38 > is the single most important thing we can do to cut DDoS. > > No spoofed source means no amplification. It also stops things like Kam

Re: DDOS solution recommendation

2015-01-11 Thread Michael Hallgren
On 11/01/2015 14:50, Patrick W. Gilmore wrote: > I agree with lots said here. > > But I've said for years (despite some people saying I am confused) that BCP38 > is the single most important thing we can do to cut DDoS. > > No spoofed source means no amplification. It also stops things like Kam

Re: DDOS solution recommendation

2015-01-11 Thread Roland Dobbins
On 11 Jan 2015, at 22:07, Job Snijders wrote: You can also consider adding CHARGEN and SSDP. People run all sorts of strange things on arbitrary ports - like VPNs, for example. It isn't that simple. --- Roland Dobbins

Re: DDOS solution recommendation

2015-01-11 Thread Roland Dobbins
On 11 Jan 2015, at 22:21, Mike Hammett wrote: I'm not saying what you're doing is wrong, I'm saying whatever the industry as a whole is doing obviously isn't working and perhaps a different approach is required. You haven't recommended anything new, and you really need to do some reading in

Re: DDOS solution recommendation

2015-01-11 Thread Paul S.
There's the Cisco xRV too, should be decent for playing around with. On 1/12/2015 12:08 AM, Dave Bell wrote: Maybe try the Cisco CSR1000v. In the trial mode it won't give you a decent throughput, but should have all features enabled. On 11 January 2015 at 15:02, Ammar Zuberi wrote: I’m stuck

Re: DDOS solution recommendation

2015-01-11 Thread Ca By
On Sun, Jan 11, 2015 at 6:58 AM, Roland Dobbins wrote: > > On 11 Jan 2015, at 20:52, Ca By wrote: > > 1. BCP38 protects your neighbor, do it. >> > > It's to protect yourself, as well. You should do it all the way down to > the transit customer aggregation edge, all the way down to the IDC acces

Re: DDOS solution recommendation

2015-01-11 Thread Mike Hammett
//www.ics-il.com - Original Message - From: "Roland Dobbins" To: nanog@nanog.org Sent: Sunday, January 11, 2015 7:51:59 AM Subject: Re: DDOS solution recommendation On 11 Jan 2015, at 20:46, Mike Hammett wrote: > Enough people blackhole the attacking IPs, those IPs

Re: DDOS solution recommendation

2015-01-11 Thread Dave Bell
Maybe try the Cisco CSR1000v. In the trial mode it won't give you a decent throughput, but should have all features enabled. On 11 January 2015 at 15:02, Ammar Zuberi wrote: > I’m stuck trying to find a virtual router environment that I can play with > flowspec on. We do have some Juniper router

Re: DDOS solution recommendation

2015-01-11 Thread Job Snijders
On Sun, Jan 11, 2015 at 09:58:12PM +0700, Roland Dobbins wrote: >> 2. Protect yourself by having your upstream police UDP to some >> baseline you are comfortable with. > > This will come back to haunt you, when the programmatically-generated > attack traffic 'crowds out' the legitimate traf

Re: DDOS solution recommendation

2015-01-11 Thread Ammar Zuberi
I’m stuck trying to find a virtual router environment that I can play with flowspec on. We do have some Juniper routers, but they are in production and I don’t think I want to touch flowspec on them just yet. Does anyone have any experience or any ideas here? Even openbgpd? > On Jan 11, 2015, a

Re: DDOS solution recommendation

2015-01-11 Thread Roland Dobbins
On 11 Jan 2015, at 20:52, Ca By wrote: 1. BCP38 protects your neighbor, do it. It's to protect yourself, as well. You should do it all the way down to the transit customer aggregation edge, all the way down to the IDC access layer, etc. 2. Protect yourself by having your upstream polic

Re: DDOS solution recommendation

2015-01-11 Thread Job Snijders
On Sun, Jan 11, 2015 at 08:46:40AM -0600, Mike Hammett wrote: > Is anyone maintaining a list of good, bad and ugly providers in terms > of how seriously they take things they should like BCP38 and community > support and whatever else that's quantifiable? This list sheds some light on antispoofin

Re: DDOS solution recommendation

2015-01-11 Thread Mike Hammett
ssage - From: "Patrick W. Gilmore" To: "NANOG list" Sent: Sunday, January 11, 2015 7:50:22 AM Subject: Re: DDOS solution recommendation I agree with lots said here. But I've said for years (despite some people saying I am confused) that BCP38 is the single mos

Re: DDOS solution recommendation

2015-01-11 Thread Roland Dobbins
On 11 Jan 2015, at 20:50, Patrick W. Gilmore wrote: Push on your providers. Stop paying for transit from networks that do not filter ingress, put it in your RFPs, and reward those who do with contracts. Make it economically advantageous to fix the problem, and people will. Concur 100%. Unf

Re: DDOS solution recommendation

2015-01-11 Thread Ca By
On Sun, Jan 11, 2015 at 5:07 AM, Mike Hammett wrote: > Why does it seem like everyone is trying to "solve" this the wrong way? > > Do other networks' abuse departments just not give a shit? Blackhole all > of the zombie attackers and notify their abuse departments. Sure, most of > the owners of t

Re: DDOS solution recommendation

2015-01-11 Thread Roland Dobbins
On 11 Jan 2015, at 20:46, Mike Hammett wrote: Enough people blackhole the attacking IPs, those IPs are eventually going to have a very limited view of the Internet. TCAMs have limits. Not all networks practice anti-spoofing. Not all networks have any visibility whatsoever into their network

Re: DDOS solution recommendation

2015-01-11 Thread Patrick W. Gilmore
> > > - > Mike Hammett > Intelligent Computing Solutions > http://www.ics-il.com > > > > - Original Message - > > From: "Roland Dobbins" > To: nanog@nanog.org > Sent: Sunday, January 11, 2015 7:24:55 AM > Subject:

Re: DDOS solution recommendation

2015-01-11 Thread Mike Hammett
telligent Computing Solutions http://www.ics-il.com - Original Message - From: "Roland Dobbins" To: nanog@nanog.org Sent: Sunday, January 11, 2015 7:24:55 AM Subject: Re: DDOS solution recommendation On 11 Jan 2015, at 20:07, Mike Hammett wrote: > but I'

Re: DDOS solution recommendation

2015-01-11 Thread Roland Dobbins
On 11 Jan 2015, at 20:07, Mike Hammett wrote: but I'd think that if their network's abuse department was notified, either they'd contact the customer about it issue or at least have on file that they were notified. Just because we think something, that doesn't make it true. ;> The way to s

Re: DDOS solution recommendation

2015-01-11 Thread Mike Hammett
Why does it seem like everyone is trying to "solve" this the wrong way? Do other networks' abuse departments just not give a shit? Blackhole all of the zombie attackers and notify their abuse departments. Sure, most of the owners of the PCs being used in these scenarios have no idea they're bei

Re: DDOS solution recommendation

2015-01-11 Thread Roland Dobbins
On 11 Jan 2015, at 13:30, Ammar Zuberi wrote: I've done a lot of research into how these attacks actually work and most of them are done by kids who don't really know what they're doing. The really sad part is that in a huge of the cases we see, the attacks are hugely disproportionate - so

Re: DDOS solution recommendation

2015-01-11 Thread Hank Nussbacher
>> If you go with a cloud-based solution, be wary of their SLA. I've seen >> some claim 100% uptime (not believable) but of course no refund/credits >> for >> downtime. I have encountered where they are willing to offer 100% sla for *their* DDOS mitigation equipment in the cloud. Not for your

Re: DDOS solution recommendation

2015-01-10 Thread Ammar Zuberi
You'd notice that most people don't really know how big the attack that they're sending is. I've done a lot of research into how these attacks actually work and most of them are done by kids who don't really know what they're doing. To them an attack is something that will take their target down

Re: DDOS solution recommendation

2015-01-10 Thread Sathya Varadharajan
This gives some comparison of cloud based DDoS mitigation providers. https://www.ombud.com/product/compare/prolexic-ddos-protection On Jan 10, 2015 10:50 PM, "Damian Menscher" wrote: > On Thu, Jan 8, 2015 at 9:01 AM, Manuel Marín wrote: > > > I was wondering what you are using for DDOS protectio

Re: DDOS solution recommendation

2015-01-10 Thread Paul S.
Very true. Last year's Atrato outages in NY come to mind on this one. On 1/11/2015 01:51 PM, Roland Dobbins wrote: On Jan 11, 2015, at 11:37 AM, Paul S. wrote: Obviously, concerns are different if you're an enterprise that's a DDoS magnet -- but for general service providers selling 'protec

Re: DDOS solution recommendation

2015-01-10 Thread Paul S.
Seeing a lot of SSDP too, but attacks on scales that large have been rare (at least for us). Have however seen a few 40+ ones, yeah. I suppose it all comes down to how much you actually /need/ to stand up against. For enterprises that can't afford to go down, yeah... :( On 1/11/2015 01:50 PM

Re: DDOS solution recommendation

2015-01-10 Thread Roland Dobbins
On Jan 11, 2015, at 11:37 AM, Paul S. wrote: > Obviously, concerns are different if you're an enterprise that's a DDoS > magnet -- but for general service providers selling 'protected services,' > food for thought. Actually, bystander traffic is all-too-often affected by these very large ref

Re: DDOS solution recommendation

2015-01-10 Thread Ammar Zuberi
I'd beg to differ on this one. The average attacks we're seeing are double that, around the 30-40g mark. Since NTP and SSDP amplification began, we've been seeing all kinds of large attacks. Obviously, these can easily be blocked upstream to your network. Hibernia Networks blocks them for us.

Re: DDOS solution recommendation

2015-01-10 Thread Paul S.
While it indeed is true that attacks up to 600 gbit/s (If OVH and CloudFlare's data is to be believed) have been known to happen in the wild, it's very unlikely that you need to mitigate anything close. The average attack is usually around the 10g mark (That too barely) -- so even solutions th

Re: DDOS solution recommendation

2015-01-10 Thread Charles N Wyble
Also how are folks testing ddos protection? What lab gear, tools, methods are you using to determine effectiveness of the mitigation? On January 8, 2015 11:01:47 AM CST, "Manuel Marín" wrote: >Nanog group > >I was wondering what you are using for DDOS protection in your >networks. We >are current

Re: DDOS solution recommendation

2015-01-09 Thread Amit Rai
another option would be a service offered by https://www.neustar.biz/services/ddos-protection On Fri, Jan 9, 2015 at 10:41 AM, Pavel Odintsov wrote: > I could suggest Voxility.com because they have a very good network and > can defend any protocol. > > And I can recommend qrator.net as the best solu

Re: DDOS solution recommendation

2015-01-09 Thread Pavel Odintsov
I could suggest Voxility.com because they have a very good network and can defend any protocol. And I can recommend qrator.net as the best solution against http/https attacks. We have used them for 2 years and got only positive feedback. And if you need only ability to reroute to antiddos cloud/blackhole sp

Re: DDOS solution recommendation

2015-01-08 Thread Mel Beckman
BlackLotus.com looks very good, with GRE tunneling and sensible provider level pricing. -mel via cell > On Jan 8, 2015, at 9:06 AM, "Manuel Marín" wrote: > > Nanog group > > I was wondering what you are using for DDOS protection in your networks. We > are currently evaluating different optio

RE: DDOS solution recommendation

2015-01-08 Thread Romeo Czumbil
Radware DefensePro x420s is what we use. Works great and extremely fast. Just need to make sure where you install it on your network. For best results you want to make sure you get the return traffic as well into the box otherwise it won't be able to detect all attacks. -Romeo -Original Me

Re: DDOS solution recommendation

2015-01-08 Thread Mehmet Akcin
A10 http://www.a10networks.com/products/ddos_protection.php Mehmet > On Jan 8, 2015, at 9:01 AM, Manuel Marín wrote: > > Nanog group > > I was wondering what you are using for DDOS protection in your networks. We > are currently evaluating different options (Arbor, Radware, NSFocus, > RioRey