Part of the reason DDoS mitigation advice doesn't have a whole lot of
concretes is because it really depends on your own traffic and
secondarily on your attacker - so summarizing them all becomes
problematic. DDoS Mitigation stems from the theoretical question of "How
do you only allow 'good' traffic to make it through?" which means a lot
about knowing what is "good" traffic so that you don't over mitigate it.
Practically, the question usually ends up being "How much do we need to
spend so that we can or could head off a determine/resourced attacker?"
Basically, makes it a whitelist/blacklist approach crossed with . With
that said...
Based on the broad swipe of "sites", I'm going to assume that that means
HTTP/HTTPS based site, and highly recommend you go the way of a CDN
provider (based on "it's one of the things we do"). Even if you don't
use any caching, it'll stave off volumetric bandwidth attacks and most
have some form of L7 scrubbing. "Nobody got fired for going with Akamai"
but I'll also pitch CloudFlare (I work for none of the above). Doing a
lot of others will lead to an arms race if you've got a
determined/resourceful attacker. If you don't, it might make sense to do
something as "small" as applying border ACLs to stop the majority of
reflection attacks against you; or to drop certain regions of traffic
that you don't do business with if that applies. Again "it depends..."
For the specific, what are others doing... We're using a combination of
L7 reverse proxy provider (aka CDN), a L3/L4 traffic scrubber service,
internal IPS (acting as L3/L4 traffic scrubbers), stateless border ACLs
(letting in only potential good traffic), internal and external L7
traffic scrubbers (Web Application Firewalls), and a whole variety of
home grown traffic analyzers/scrubbers inside of load balancers and
application tier - as we've seen attacks that can get around any one of
the above so we've got a bunch of layers to our onion. (Can do specifics
vendors off thread if you want...)
--mac
PS And just to promote something...
https://www.usenix.org/conference/lisa15/conference-program/presentation/matheson
On 3/23/16 7:45 AM, john boris wrote:
Here at $WORK a few of our sites that use the same ISP have been targets
of DOS attacks at random times. Part of my department handles the
network to our sites and the ISPs answer has been to just change the
external IP. Which stems the tide for a bit but it will rear its head
again in a short time. The attacks continue for a time then stop then
start up again.
I have been searching the net on this topic but I have not found what I
am looking for. We are a fledgling group in this area (By way of
reorganization and decentralization) and as the Grey Beard of the group
I have taken it on the roll as the person looking for solutions.
What I am looking for is what people have done to try and stave off an
attack. I know it is a moving target but I am looking for tools that
help monitoring the traffic to alert us when the traffic gets to a
certain point, also best practices on setting up a good defense.
I have read a bunch of articles that tell me what to do but I would like
to see how its done.
Example:
1. Use this tool to monitor traffic
2. Setup the firewall this way to this if A happens , B if this IP etc.
If you want to talk offline on this it is fine. I just want to find a
better way than changing our Public IP for our ISP each time. That just
strikes me as changing my phoe number to stop crank calls.
Thanks in advance.
--
John J. Boris, Sr.
_______________________________________________
Tech mailing list
Tech@lists.lopsa.org
https://lists.lopsa.org/cgi-bin/mailman/listinfo/tech
This list provided by the League of Professional System Administrators
http://lopsa.org/
_______________________________________________
Tech mailing list
Tech@lists.lopsa.org
https://lists.lopsa.org/cgi-bin/mailman/listinfo/tech
This list provided by the League of Professional System Administrators
http://lopsa.org/
