[AusNOG] DDOS mitigation

James Braunegg james.braunegg at micron21.com
Fri May 10 17:32:53 EST 2013


Dear Roland

I've been doing a bit of research on DDoS attacks lately and have been looking at information presented by both Arbor and Prolexic.

Prolexic says Q1 2013 the average attack from last quarter has increased from 5.9Gbps to 48.25Gbps with an average packet per second rate of 32.4 million packets.

Arbor says the average attack during 2013 Q1 was about 1.77 Gbps, up from about 1.48 Gbps in 2012, and this took into consideration the large Spamhaus DDoS attack.

What's your take on the massive difference between the averages? Does Prolexic see larger attacks because they protect larger networks? Or do they have fewer customers and hence a larger average? One thing which isn't shown is how big the sample pool data is... Or is someone cooking the books to put fear into network operators?

In a recent attack we saw sustained layer 7 attacks for over 24 hours, followed by a 1gbit attack lasting several hours and then short 10 minute attacks ranging from 2.5gbit to 17+gbit. Graphs from the attacks can be found here if anyone is interested: http://www.micron21.com/ddos

Kindest Regards


James Braunegg
W:  1300 769 972  |  M:  0488 997 207 |  D:  (03) 9751 7616
E:   james.braunegg at micron21.com  |  ABN:  12 109 977 666   





-----Original Message-----
From: ausnog-bounces at lists.ausnog.net [mailto:ausnog-bounces at lists.ausnog.net] On Behalf Of Dobbins, Roland
Sent: Friday, May 10, 2013 7:07 AM
To: ausnog at lists.ausnog.net
Subject: Re: [AusNOG] DDOS mitigation


On May 9, 2013, at 11:11 PM, David Miller wrote:

> +1  No transit providers provide S/RTBH to customers for the reasons pointed out above and in the RFC.  Perhaps very few transit providers
> offer it to customers, I've never seen it.  I would be greatly concerned by any provider that did offer it to any customer other than me.

My point in bringing up S/RTBH was to note that one isn't limited to 'destroying the village in order to save it' via D/RTBH, and that there are in fact creative ways that operators can more safely provide their downstream customers with S/RTBH capability, such as a dual-advertisement strategy which a) triggers diversion of traffic destined to the attack targets into a mitigation center and b) denotes the attack source(s) to be dropped on the mitigation center coreward interfaces, thus only dropping traffic emanating from said attack sources and destined for attack targets whose traffic is being diverted through the mitigation center gateways.

> What we should ALL be shouting at router vendors and transit providers to support is Flowspec - RFC 5575 ( http://www.ietf.org/rfc/rfc5575.txt ).

Yes, absolutely; it should be included in all router and layer-3 switch RFPs as a hard requirement.

-----------------------------------------------------------------------
Roland Dobbins <rdobbins at arbor.net> // <http://www.arbornetworks.com>

	  Luck is the residue of opportunity and design.

		       -- John Milton
