If I'm reading that right, and it's serving public DNS, move that off - Dyn and Route53 have been useful. I know in the former, you can do hidden master. Haven't set that up in the latter but would be surprised if it's not possible. The assumption here is that DNS is being the beacon they're using to attack.
General rule of thumb for protection is separate different types of traffic. We've been following that rule and I'm on the service side and not the corporate side so don't have much direct there. Given the situation, I wouldn't dismiss the insider threat. I.e. Even without DNS as a beacon, someone is getting the IP from the inside. It's easy to think about it from the juvenile attacker, but that seems not unlikely. If you've got egress web logs, I'd go looking for any searches for "what is my IP." --mac On Mar 23, 2016, at 08:46, john boris <jbori...@gmail.com<mailto:jbori...@gmail.com>> wrote: Some more information about my "quest".The sites are schools in our "district" and all of our Web sites are hosted elsewhere. The attacks are against our main gateway which acts as a DNS server as well. On Wed, Mar 23, 2016 at 11:32 AM, Chris McEniry <cmcen...@mit.edu<mailto:cmcen...@mit.edu>> wrote: Part of the reason DDoS mitigation advice doesn't have a whole lot of concretes is because it really depends on your own traffic and secondarily on your attacker - so summarizing them all becomes problematic. DDoS Mitigation stems from the theoretical question of "How do you only allow 'good' traffic to make it through?" which means a lot about knowing what is "good" traffic so that you don't over mitigate it. Practically, the question usually ends up being "How much do we need to spend so that we can or could head off a determine/resourced attacker?" Basically, makes it a whitelist/blacklist approach crossed with . With that said... Based on the broad swipe of "sites", I'm going to assume that that means HTTP/HTTPS based site, and highly recommend you go the way of a CDN provider (based on "it's one of the things we do"). Even if you don't use any caching, it'll stave off volumetric bandwidth attacks and most have some form of L7 scrubbing. "Nobody got fired for going with Akamai" but I'll also pitch CloudFlare (I work for none of the above). Doing a lot of others will lead to an arms race if you've got a determined/resourceful attacker. If you don't, it might make sense to do something as "small" as applying border ACLs to stop the majority of reflection attacks against you; or to drop certain regions of traffic that you don't do business with if that applies. Again "it depends..." For the specific, what are others doing... We're using a combination of L7 reverse proxy provider (aka CDN), a L3/L4 traffic scrubber service, internal IPS (acting as L3/L4 traffic scrubbers), stateless border ACLs (letting in only potential good traffic), internal and external L7 traffic scrubbers (Web Application Firewalls), and a whole variety of home grown traffic analyzers/scrubbers inside of load balancers and application tier - as we've seen attacks that can get around any one of the above so we've got a bunch of layers to our onion. (Can do specifics vendors off thread if you want...) --mac PS And just to promote something... https://www.usenix.org/conference/lisa15/conference-program/presentation/matheson On 3/23/16 7:45 AM, john boris wrote: Here at $WORK a few of our sites that use the same ISP have been targets of DOS attacks at random times. Part of my department handles the network to our sites and the ISPs answer has been to just change the external IP. Which stems the tide for a bit but it will rear its head again in a short time. The attacks continue for a time then stop then start up again. I have been searching the net on this topic but I have not found what I am looking for. We are a fledgling group in this area (By way of reorganization and decentralization) and as the Grey Beard of the group I have taken it on the roll as the person looking for solutions. What I am looking for is what people have done to try and stave off an attack. I know it is a moving target but I am looking for tools that help monitoring the traffic to alert us when the traffic gets to a certain point, also best practices on setting up a good defense. I have read a bunch of articles that tell me what to do but I would like to see how its done. Example: 1. Use this tool to monitor traffic 2. Setup the firewall this way to this if A happens , B if this IP etc. If you want to talk offline on this it is fine. I just want to find a better way than changing our Public IP for our ISP each time. That just strikes me as changing my phoe number to stop crank calls. Thanks in advance. -- John J. Boris, Sr. _______________________________________________ Tech mailing list Tech@lists.lopsa.org<mailto:Tech@lists.lopsa.org> https://lists.lopsa.org/cgi-bin/mailman/listinfo/tech This list provided by the League of Professional System Administrators http://lopsa.org/ _______________________________________________ Tech mailing list Tech@lists.lopsa.org<mailto:Tech@lists.lopsa.org> https://lists.lopsa.org/cgi-bin/mailman/listinfo/tech This list provided by the League of Professional System Administrators http://lopsa.org/ -- John J. Boris, Sr.
_______________________________________________ Tech mailing list Tech@lists.lopsa.org https://lists.lopsa.org/cgi-bin/mailman/listinfo/tech This list provided by the League of Professional System Administrators http://lopsa.org/
