> From: tech-boun...@lists.lopsa.org [mailto:tech-boun...@lists.lopsa.org]
> On Behalf Of john boris
>
> Here at $WORK a few of our sites that use the same ISP have been targets of
> DOS attacks at random times. Part of my department handles the network to
> our sites and the ISP's answer has been to just change the external IP. Which
> stems the tide for a bit but it will rear its head again in a short time. The
> attacks continue for a time then stop then start up again.

It depends on what type of traffic you "normally" support. Ultimately, you need some way to filter the good traffic from the bad traffic, to prevent the bad traffic from ever reaching your bottleneck (which might be the destination server, or some bottleneck in the network).

In some cases, you might be effective blocking traffic at a firewall, sourced from bad IP addresses (blacklists). But I think that's usually not effective, as the source IPs are probably basically random, for any moderately skilled attacker.

In some cases, you can change your IP, and then control the release of that information to valid users. For example, a SIP provider I used got DoS attacked a few years ago, and as part of their response, they changed their IP and DNS name, and required users to log in to the website to get the new DNS name. This technique might also be ineffective, if the person(s) behind the attack are actually users, or somehow able to find that information (or guess it). Also, depending on whether the attackers are specifically targeting you, or if it's random, or collateral...

In the worst case, if you can't find any way to filter the bad traffic from the good traffic, you have to pay for expensive remediation. As an example, see here:

As you may or may not know, ProtonMail was targeted by a massive DDoS, probably state-sponsored (USA, Russia, China, etc.) attack that lasted weeks. It was so severe that large parts of Switzerland were taken offline in collateral damage. They spent a bunch of money to solve it, and here's their blog post:

"Guide to DDoS Protection"
https://protonmail.com/blog/ddos-protection-guide/

_______________________________________________
Tech mailing list
Tech@lists.lopsa.org
https://lists.lopsa.org/cgi-bin/mailman/listinfo/tech
This list provided by the League of Professional System Administrators
http://lopsa.org/