[AusNOG] DDOS mitigation

Matt Perkins matt at spectrum.com.au
Thu May 9 16:45:08 EST 2013


The problem with reporting through the call center is just a time based 
one. Automatic mitigation could block it before one of our guys 
could even pick up the phone.  It's time for the whole process, not just 
the fact they have no process. If we could block it via say BGP or some 
other automatic method and then ring them to let them know say 10 
minutes later that would be fine. Waiting 10 minutes to communicate the 
information to someone that likely will then need to pass it to someone 
else to action is 10 minutes too long.

Matt.



On 9/05/13 4:37 PM, Matt Carter wrote:
> Consider if you want to blackhole a /32 because it is under attack, with some of the bit rates seen of recent attacks, it's potentially/likely affecting the upstream provider as well and may have impact to their other customers or at least a segment of their access network.
> Presuming you have a 24x7 engineering/tier3 contact or alternate mechanism you can implement an *immediate and co-ordinated response* - is that such a bad thing????
> (For example, entering routes to be filtered via a portal of sorts that blackholes the /32 but also does other things, such as letting them know their customer is under attack.)
> Is the issue here that they do not do real-time blackholing by way of BGP, or just that they have no way of doing real-time blackholing period?
> (Just thinking, there's more than one way to skin a cat, they may use RTBL internally despite not offering customers the ability to leverage it)
>
>
>> -----Original Message-----
>> From: ausnog-bounces at lists.ausnog.net [mailto:ausnog-
>> bounces at lists.ausnog.net] On Behalf Of Matt Perkins
>> Sent: Thursday, 9 May 2013 4:11 PM
>> To: ausnog at lists.ausnog.net
>> Subject: [AusNOG] DDOS mitigation
>>
>> Gday Noggers,
>>    We are updating our DDOS mitigation plan and along the way we have
>> ended up with a transit partner that has no system to black hole /32's at the
>> ingress. Most of our peers have a community you can advertise to black
>> hole an address but this one provider does not; they want us to ring the
>> help desk and log a case when a DDOS is underway. An unacceptable plan as
>> far as I am concerned.
>>
>> So that prompted me to look at when the contract of the transit that can't black
>> hole expires and it's soon. So my question to the transit providers out
>> there: how many of you have a black hole community or some other sort
>> of DDOS mitigation strategy that can be implemented with your partners?
>>
>> The ones that do that I know of are PIPE and Vocus. I won't name and shame
>> the have-nots.
>>
>> Matt.
>>
>> --
>> /* Matt Perkins
>>           Direct 1300 137 379     Spectrum Networks Ptd. Ltd.
>>           Office 1300 133 299     matt at spectrum.com.au
>>           Fax    1300 133 255     Level 6, 350 George Street Sydney 2000
>>           SIP 1300137379 at sip.spectrum.com.au
>>           PGP/GNUPG Public Key can be found at  http://pgp.mit.edu */
>>


-- 
/* Matt Perkins
         Direct 1300 137 379     Spectrum Networks Ptd. Ltd.
         Office 1300 133 299     matt at spectrum.com.au
         Fax    1300 133 255     Level 6, 350 George Street Sydney 2000
         SIP 1300137379 at sip.spectrum.com.au
         PGP/GNUPG Public Key can be found at  http://pgp.mit.edu
*/
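
Added example, not part of the original thread or anyone's production code: a sketch of the "block it automatically via BGP, then ring them afterwards" flow discussed above, emitting ExaBGP-style text commands for /32 blackhole routes plus a list of follow-up notices. The addresses are documentation ranges, the thresholds and cap are hypothetical, and the community is the RFC 7999 well-known BLACKHOLE value, which assumes an upstream that honours it.

```python
import ipaddress

# Assumed values, not from the thread: documentation address ranges, and the
# RFC 7999 BLACKHOLE community (use whatever your transit provider documents).
OUR_PREFIXES = [ipaddress.ip_network("203.0.113.0/24")]
NEXT_HOP = "192.0.2.1"
BLACKHOLE_COMMUNITY = "65535:666"
TRIGGER_BPS = 2_000_000_000      # start blackholing at or above this rate
RELEASE_BPS = 500_000_000        # withdraw only once traffic falls below this
MAX_ACTIVE = 2                   # guardrail against blackholing a whole range


def plan(samples, active):
    """samples: {dst IP: bps}; active: set of blackholed IPs. Returns (commands, new_active, notices)."""
    commands, notices = [], []
    new_active = set(active)
    # Withdraw first so that freed slots can be reused in the same interval.
    for ip in sorted(active):
        if samples.get(ip, 0) < RELEASE_BPS:
            commands.append(f"withdraw route {ip}/32 next-hop {NEXT_HOP}")
            new_active.discard(ip)
            notices.append(f"released {ip}")
    # Largest attacks first, so the cap keeps the most useful blackholes.
    for ip, bps in sorted(samples.items(), key=lambda kv: -kv[1]):
        if bps < TRIGGER_BPS or ip in new_active:
            continue
        addr = ipaddress.ip_address(ip)
        if not any(addr in net for net in OUR_PREFIXES):
            notices.append(f"skipped {ip}: not our address space")
            continue
        if len(new_active) >= MAX_ACTIVE:
            notices.append(f"skipped {ip}: blackhole cap reached, escalate to on-call")
            continue
        commands.append(f"announce route {ip}/32 next-hop {NEXT_HOP} "
                        f"community [{BLACKHOLE_COMMUNITY}]")
        new_active.add(ip)
        notices.append(f"blackholed {ip} at {bps} bps, phone upstream NOC")
    return commands, new_active, notices


# Constructed sample counters for one interval (not real traffic).
SAMPLES = {"203.0.113.10": 9_000_000_000, "203.0.113.20": 3_000_000_000,
           "203.0.113.30": 2_500_000_000, "198.51.100.7": 8_000_000_000,
           "203.0.113.40": 100_000_000}

if __name__ == "__main__":
    for line in plan(SAMPLES, {"203.0.113.40"})[0]:
        print(line)
```

The gap between the trigger and release thresholds keeps a route from flapping while an attack hovers near the limit, and the ownership check and cap stop a bad counter from withdrawing reachability for address space you do not control or for a whole range at once.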



