[AusNOG] DDoS Attacks - Painful and Persistent.

John Allan lists at john.net.au
Mon Aug 10 15:24:31 EST 2009


Nick,

Yes, I've seen sustained attacks in the realm of tens of Gbit/sec
although admittedly, not (yet) in Australia.

Blackholing remote systems is fine but when you find the source of the
attack is basically distributed or sufficiently prolific that you're
blackholing 1/3 of PI: you end up having a trade-off between squashing
the attack and providing any remote level of accessibility for
legitimate traffic.

The other risk you run is that your upstreams can't manage the traffic
themselves; and start dropping your traffic on the floor on your behalf
and without telling you as part of their "network preservation"
strategy.

Best solution in my book is to go out and buy network-embedded DDoS
mitigation or an out-of-loop solution through a third party provider.

Two of the larger IP transit providers in Aus provide network-embedded
DDoS mitigation solutions; although you won't find it on their product
list and you will have to talk to the "right people" to know about it.
There is another option, that of the off-route solution.  Basically you
pay a third party to announce your traffic at particular points where
they have tonnes of bandwidth; and they scrub your traffic and only send
the clean traffic back.  One such provider, who is in this game as their
sole business, has recently established an office in Aus.

If you would like contacts for either of the above, let me know and I'll
send through (off-list).

Regards,

John Allan

On Mon, 2009-08-10 at 15:08 +1000, Nick Brown wrote:
> Afternoon All,
> 
> We have refrained from posting an email of this nature to the list due 
> to the general 'publicness' of it, alas I believe it is pertinent we get 
> some feedback from those who are knowledgeable in the subject.
> 
> We have been the target of a Distributed Denial of Service attack on and 
> off again for the last 3 weeks. Used to seeing your typical smaller 
> scale attacks, SYN floods and exploited boxes downstream, we are not 
> typically fazed by the issue; however, this attack is of significant 
> volume, and after the initial 24 hours of traffic being targeted at 
> assorted miscellaneous IPs within our network, the target has changed 
> to be directed at our own website, with the target changing to the new 
> IP once changed.
> 
> Continually we have managed to handle the situation, blackholing 
> destination IPs, throwing more capacity at the problem and dropping 
> entire prefixes - but I'm interested to hear if anyone here has been in 
> the situation previously, and how you handled it - not just from a 
> technical perspective, but a business perspective also.
> 
> We managed to go a week without seeing the traffic; however, it started 
> again this morning. The source is varied so attempting to block the traffic 
> on the ingress is not really achievable.
> 
> Our changes to date and the situation so far would certainly make for an 
> interesting real world discussion piece at the conference :-)
> 
> Regards,
> Nick.
> _______________________________________________
> AusNOG mailing list
> AusNOG at lists.ausnog.net
> http://lists.ausnog.net/mailman/listinfo/ausnog
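Both messages above talk about blackholing destination IPs as the stop-gap: Nick describes doing it by hand, and John points out the trade-off, namely that a blackholed address is fully unreachable (the attacker's goal for that host is achieved) while source-based blocking does not scale once the sources are distributed. The following is an added example, not code from either poster, of how a destination-based remote-triggered blackhole (RTBH) trigger is typically automated: aggregate inbound rate per destination from flow records, and for addresses in your own space that exceed a threshold emit a /32 announcement tagged with the well-known BLACKHOLE community 65535:666 (RFC 7999). The prefixes, next-hop, threshold, flow records and ExaBGP command syntax are assumptions for the example; the community and next-hop your upstream actually honours must come from them.

```python
"""Destination-based RTBH trigger from flow summaries (illustrative example).

Aggregates constructed flow records per destination IP and, for any address in
our own prefixes whose inbound rate exceeds a threshold, produces an ExaBGP-style
'announce route' line carrying the RFC 7999 BLACKHOLE community 65535:666.
Everything below the docstring (prefixes, next-hop, threshold, sample flows,
exact ExaBGP wording) is an assumption for this example, not from the thread.
"""
import ipaddress
from collections import defaultdict

OUR_PREFIXES = [ipaddress.ip_network("203.0.113.0/24")]  # assumed customer space
BLACKHOLE_NEXT_HOP = "192.0.2.1"    # assumed discard next-hop agreed with upstream
BLACKHOLE_COMMUNITY = "65535:666"   # RFC 7999 BLACKHOLE well-known community
THRESHOLD_BPS = 5_000_000_000       # 5 Gbit/s, assumed trigger level

# Constructed flow summary records: (src_ip, dst_ip, bytes, duration_seconds)
SAMPLE_FLOWS = [
    ("198.51.100.7",  "203.0.113.10", 80_000_000_000, 60),
    ("198.51.100.9",  "203.0.113.10", 75_000_000_000, 60),
    ("198.51.100.23", "203.0.113.10", 70_000_000_000, 60),
    ("198.51.100.41", "203.0.113.20", 6_000_000,      60),  # normal-looking traffic
    ("198.51.100.5",  "192.0.2.50",   90_000_000_000, 60),  # not our address space
]


def rate_per_destination(flows):
    """Return {dst_ip: bits per second} summed over all flows to that destination."""
    totals = defaultdict(float)
    for _src, dst, nbytes, secs in flows:
        totals[dst] += nbytes * 8 / secs
    return dict(totals)


def sources_per_destination(flows):
    """Return {dst_ip: number of distinct sources}, the figure that decides
    whether source-based blocking is even feasible."""
    sources = defaultdict(set)
    for src, dst, _nbytes, _secs in flows:
        sources[dst].add(src)
    return {dst: len(s) for dst, s in sources.items()}


def in_our_space(ip):
    """True if ip falls inside one of the prefixes we are entitled to blackhole."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in OUR_PREFIXES)


def select_blackhole_targets(flows, threshold_bps=THRESHOLD_BPS):
    """Destinations inside our prefixes whose inbound rate exceeds the threshold.

    Addresses outside our space are never candidates: announcing a blackhole
    for someone else's address is a hijack and a sane upstream rejects it.
    """
    rates = rate_per_destination(flows)
    return sorted(ip for ip, bps in rates.items()
                  if bps > threshold_bps and in_our_space(ip))


def exabgp_announce(ip):
    """ExaBGP API line (assumed syntax) that triggers the blackhole upstream."""
    return (f"announce route {ip}/32 next-hop {BLACKHOLE_NEXT_HOP} "
            f"community [{BLACKHOLE_COMMUNITY}]")


def exabgp_withdraw(ip):
    """Matching withdrawal once the attack subsides; /32s must not linger."""
    return f"withdraw route {ip}/32 next-hop {BLACKHOLE_NEXT_HOP}"


if __name__ == "__main__":
    for target in select_blackhole_targets(SAMPLE_FLOWS):
        print(exabgp_announce(target))
```

The `in_our_space` check is the one piece worth keeping even if everything else is replaced: an automated trigger that can announce /32s outside your own prefixes is a hijack waiting to happen. Note also that this only cuts off the attacked destination; it does nothing for the upstream capacity problem John raises, and it does not help when the attacker simply follows the service to its new IP, as Nick observed.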