[AusNOG] DDOS mitigation

James Braunegg james.braunegg at micron21.com
Fri May 10 22:51:40 EST 2013


Dear All



Based on Roland's experience of him saying the average attacks are not that large and Prolexic saying they are larger...  I guess I come to the same conclusion I came to a few weeks ago when I was talking about this on Whirlpool that the answer is almost anyone's guess...



I guess the real question is to everyone reading this, what size attacks have you seen both locally and internationally?

Have you had enough capacity to be able to absorb attacks thus collect metrics or have the attacks been larger than your capacity and hence requiring the need for S/RTBH thus losing the ability to measure the true size of the attack?



Kindest Regards

James Braunegg
W:  1300 769 972  |  M:  0488 997 207 |  D:  (03) 9751 7616
E:   james.braunegg at micron21.com  |  ABN:  12 109 977 666


This message is intended for the addressee named above. It may contain privileged or confidential information. If you are not the intended recipient of this message you must not use, copy, distribute or disclose it to anyone other than the addressee. If you have received this message in error please return the message to the sender by replying to it and then delete the message from your computer.

From: Oliver Kwan [mailto:oliver at prolexic.com]
Sent: Friday, May 10, 2013 7:16 PM
To: Nathan Brookfield
Cc: James Braunegg; ausnog-bounces at lists.ausnog.net; Dobbins, Roland; ausnog at lists.ausnog.net
Subject: Re: [AusNOG] DDOS mitigation

No worries Nathan,

We can only comment on what our global client base is experiencing. All we can say is that attacks are getting bigger, as confirmed by Gartner here:

http://blogs.gartner.com/avivah-litan/2013/03/14/are-the-ongoing-ddos-attacks-against-u-s-banks-just-the-calm-before-the-storm/

Our research team, called PLXsert, detail attack trends against our client base every 3 months in our quarterly attack report which can be found on our website link below.

http://www.prolexic.com/knowledge-center-dos-and-ddos-attack-reports.html

This may also be of interest:

http://www.prolexic.com/knowledge-center-video-real-attack-ddos-mitigation-process-160-gbps.html

Hope this is of value and you are welcome to forward any questions.

Cheers

Ollie

Dear Roland

I've been doing a bit of research on DDoS attacks lately and have been looking at information presented by both Arbor and Prolexic

Prolexic says Q1 2013 the average attack from last quarter has increased from 5.9Gbps to 48.25Gbps with an average packet per second rate of 32.4 million packets.

Arbor says the average attack during 2013 Q1 was about 1.77 Gbps, up from about 1.48 Gbps in 2012 and this took into consideration the large Spamhaus DDoS attack

What's your take on the massive difference between the averages? Does Prolexic see larger attacks because they protect larger networks? Or do they have fewer customers and hence have a larger average? One thing which isn't shown is how big the sample pool data is... or is someone cooking the books to put fear into network operators?

In a recent attack we saw sustained layer 7 attacks for over 24 hours, followed by a 1gbit attack lasting several hours and then short 10 minute attacks ranging from 2.5gbit to 17+gbit - graphs from the attacks can be found here if anyone is interested - http://www.micron21.com/ddos

Kindest Regards


James Braunegg
W:  1300 769 972  |  M:  0488 997 207 |  D:  (03) 9751 7616
E:   james.braunegg at micron21.com  |  ABN:  12 109 977 666





-----Original Message-----
From: ausnog-bounces at lists.ausnog.net On Behalf Of Dobbins, Roland
Sent: Friday, May 10, 2013 7:07 AM
To: ausnog at lists.ausnog.net
Subject: Re: [AusNOG] DDOS mitigation


On May 9, 2013, at 11:11 PM, David Miller wrote:

> +1  No transit providers provide S/RTBH to customers for the reasons pointed out above and in the RFC.  Perhaps very few transit providers
> offer it to customers, I've never seen it.  I would be greatly concerned by any provider that did offer it to any customer other than me.

My point in bringing up S/RTBH was to note that one isn't limited to 'destroying the village in order to save it' via D/RTBH, and that there are in fact creative ways that operators can more safely provide their downstream customers with S/RTBH capability, such as a dual-advertisement strategy which a) triggers diversion of traffic destined to the attack targets into a mitigation center and b) denotes the attack source(s) to be dropped on the mitigation center coreward interfaces, thus only dropping traffic emanating from said attack sources and destined for attack targets whose traffic is being diverted through the mitigation center gateways.

> What we should ALL be shouting at router vendors and transit providers to support is Flowspec - RFC 5575 ( http://www.ietf.org/rfc/rfc5575.txt ).

Yes, absolutely; it should be included in all router and layer-3 switch RFPs as a hard requirement.

-----------------------------------------------------------------------
Roland Dobbins <rdobbins at arbor.net> // <http://www.arbornetworks.com>

          Luck is the residue of opportunity and design.

                       -- John Milton

_______________________________________________
AusNOG mailing list
AusNOG at lists.ausnog.net
http://lists.ausnog.net/mailman/listinfo/ausnog



--
Oliver Kwan | Vice President of Sales - Asia
Prolexic Technologies | DDoS Attacks End Here.

Inside the Prolexic SOC - http://www.youtube.com/watch?v=UP2qpqTe6PU

Inside the Prolexic Portal - http://www.youtube.com/watch?v=sOZrpHmxEPM

m: +61 430 86 33 67 (Australia)
m: +852 5412 8383 (Hong Kong)
e: oliver at prolexic.com

Skype: olliekwan
LinkedIn: Oliver Kwan
MSN: oliver79 at hotmail.com

1930 Harrison Street, Suite 403 | Hollywood, Florida 33020

www.prolexic.com

Privileged or/and Confidential Information may be contained in this message. If you are not the addressee indicated in this message (or responsible for delivery of the message to such person), you may not copy or deliver this message to anyone. In such case, you should destroy this message and kindly notify the sender by reply email.
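
Added example, not part of the original thread or any poster's code: a small Python model of the forwarding outcome Roland Dobbins describes in the quoted message for the dual-advertisement approach, next to plain D/RTBH and network-wide S/RTBH. The prefixes, flows and function names are constructed for illustration (documentation address ranges), and the model ignores routing detail such as how the advertisements are signalled.

```python
import ipaddress

# Constructed sample data, not taken from the thread.
DIVERTED_TARGETS = [ipaddress.ip_network("203.0.113.10/32")]  # attack targets diverted to the mitigation center
ATTACK_SOURCES = [ipaddress.ip_network("198.51.100.0/24")]    # sources advertised for dropping

# (source, destination, is_attack_traffic, description)
FLOWS = [
    ("198.51.100.7", "203.0.113.10", True,  "attack source -> target"),
    ("192.0.2.50",   "203.0.113.10", False, "legitimate user -> target"),
    ("198.51.100.7", "203.0.113.99", False, "flagged source -> other customer"),
    ("192.0.2.50",   "203.0.113.99", False, "legitimate user -> other customer"),
]

def _match(addr, nets):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in nets)

def d_rtbh(src, dst):
    """Destination-based RTBH: all traffic to the target is discarded."""
    return "drop" if _match(dst, DIVERTED_TARGETS) else "forward"

def s_rtbh(src, dst):
    """Network-wide source-based RTBH: all traffic from the source is discarded."""
    return "drop" if _match(src, ATTACK_SOURCES) else "forward"

def scoped_s_rtbh(src, dst):
    """Dual advertisement: divert the targets, drop listed sources only
    on the mitigation center's coreward interfaces."""
    if not _match(dst, DIVERTED_TARGETS):
        return "forward"   # never enters the mitigation center
    if _match(src, ATTACK_SOURCES):
        return "drop"      # attack source AND diverted target
    return "divert"        # passes through the mitigation center to the target

POLICIES = (d_rtbh, s_rtbh, scoped_s_rtbh)

def compare(flows=FLOWS):
    """Verdict of each policy for each flow, keyed by flow description."""
    return {desc: tuple(p(s, d) for p in POLICIES) for s, d, _, desc in flows}

def collateral(policy, flows=FLOWS):
    """Number of non-attack flows the policy drops."""
    return sum(1 for s, d, attack, _ in flows if not attack and policy(s, d) == "drop")

if __name__ == "__main__":
    for desc, verdicts in compare().items():
        print(f"{desc:36}", dict(zip((p.__name__ for p in POLICIES), verdicts)))
    for p in POLICIES:
        print(p.__name__, "non-attack flows dropped:", collateral(p))
```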