[AusNOG] DDoS attack sizes

Paul Baker Paul.Baker at vocus.com.au
Wed Feb 10 23:12:13 EST 2016


Flowspec is definitely on our to-do list, but as you may be aware that list just got a tad longer with the impending M2 merger. It's definitely a priority of ours to "help clean up the internet" as James put it earlier, by investigating technologies like this.

From: Luca Salvatore <luca at digitalocean.com>
Date: Wednesday, 10 February 2016 1:57 am
To: Paul Baker <paul.baker at vocus.com.au>
Cc: List List <ausnog at lists.ausnog.net>
Subject: Re: [AusNOG] DDoS attack sizes

Be great to see ISPs start to support flowspec... Is Vocus working on that?

On Mon, Feb 8, 2016 at 8:24 PM, Paul Baker <paul.baker at vocus.com.au> wrote:
Hi Nick,

Just wanted to throw in my observations as well. We see a huge range of attack sizes come through our network; typical SYN flood attacks are just a few hundred Mbps, but as others have suggested, far too often, attacks (other than SYN) are multiple Gbps - too big for the typical SP to absorb by throwing extra bandwidth at the problem. We see attacks >10-20Gbps every day; the largest we've seen in recent times is 80Gbps.

If you're lucky enough to not suffer DDoS attacks too regularly, and you are able to accept cutting off one IP address while it's under attack, then RTBH is the easiest, cheapest solution to ensure that a volumetric DDoS attack isn't able to take down your network. Even if you deploy on-site DDoS mitigation equipment you won't be protected from volumetric attacks. You will only be able to handle attacks up to the size of your Internet links. Most ISPs should support RTBH. Hopefully we'll start to see them support BGP FlowSpec eventually.

If null routing/RTBH is not an option (as you have implied), the best solution would be a combination of cloud-based DDoS mitigation to eliminate volumetric attacks, with hardening the network edge using ACLs (you'd be surprised at the number of attacks that target UDP port 80 that can easily be eliminated using an ACL) and selectively policing traffic towards network infrastructure, optional dedicated on-site DDoS appliances, and protection for server infrastructure by traditional firewalls or WAF.

Full disclosure: These are just my general observations/recommendations, but I do work for Vocus Communications who do have DDoS products.

Regards

Paul Baker | Network Architect
Vocus Communications
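As an added worked example (written for this page, not code from any of the posters or from Vocus), here is the RTBH-versus-ACL trade-off Paul describes applied to flow data: aggregate inbound rate per destination, decide which /32 would have to be blackholed at an assumed trigger of 80% of a gigabit uplink, and see how much an edge ACL dropping UDP/80 removes before that point is reached. The flow records, addresses and thresholds are constructed.

```python
"""Flag destinations whose inbound rate would swamp the uplink (RTBH
candidates) and measure how much of that traffic a simple edge ACL
(e.g. drop UDP/80) removes first. Flow records are constructed, not real."""
from collections import defaultdict

# Constructed sampled flow records for a 1-second window:
# (src, dst, proto, dst_port, bytes). Addresses are documentation ranges.
WINDOW_S = 1.0
LINK_MBPS = 1000            # a gigabit uplink, as in Nick's case
RTBH_FRACTION = 0.8         # assumed trigger: blackhole a /32 at 80% of link
FLOWS = [
    ("198.51.100.7", "203.0.113.10", "udp", 80,  40_000_000),  # junk UDP/80
    ("198.51.100.9", "203.0.113.10", "udp", 80,  30_000_000),  # junk UDP/80
    ("192.0.2.53",   "203.0.113.10", "udp", 53,  36_250_000),  # DNS reflection
    ("192.0.2.200",  "203.0.113.10", "tcp", 80,   1_250_000),  # legitimate web
    ("192.0.2.201",  "203.0.113.20", "tcp", 443,  3_750_000),  # legitimate web
]


def mbps(nbytes, window_s=WINDOW_S):
    """Bytes observed in a window -> megabits per second."""
    return nbytes * 8 / 1e6 / window_s


def rate_by_dst(flows, window_s=WINDOW_S):
    """Aggregate bytes per destination address and convert to Mbps."""
    totals = defaultdict(int)
    for _src, dst, _proto, _port, nbytes in flows:
        totals[dst] += nbytes
    return {dst: mbps(b, window_s) for dst, b in totals.items()}


def apply_acl(flows, deny):
    """Drop flows matching (proto, dst_port) deny entries, the way an edge
    ACL would before traffic reaches the customer port."""
    return [f for f in flows if (f[2], f[3]) not in deny]


def rtbh_candidates(flows, link_mbps=LINK_MBPS, fraction=RTBH_FRACTION):
    """Destinations that would be announced to the upstream's RTBH community,
    heaviest target first."""
    limit = link_mbps * fraction
    rates = rate_by_dst(flows)
    return sorted((d for d, r in rates.items() if r >= limit),
                  key=lambda d: -rates[d])


if __name__ == "__main__":
    print("before ACL:", rate_by_dst(FLOWS), rtbh_candidates(FLOWS))
    filtered = apply_acl(FLOWS, deny=[("udp", 80)])
    print("after ACL: ", rate_by_dst(filtered), rtbh_candidates(filtered))
```

With the ACL in place the remaining 300 Mbps toward 203.0.113.10 sits under the assumed trigger, so the host stays reachable instead of being blackholed; without it the 860 Mbps total would have to be null-routed.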


On 8/02/2016 4:42 PM, Nick Evendor wrote:
Yesterday we experienced an 850 megabit DDoS attack towards a hosting customer which almost filled our gigabit uplink and made our upstream provider call me on a Sunday due to abnormal traffic on our port.

Thank god it was Sunday so our network was underutilized with no collateral damage and everything remained working, but I asked the upstream provider what we can do about it other than null routing the destination and they said purchase more capacity.

In the past we have seen a few attacks but they have only been a few hundred megabits and never come close to saturating our gigabit uplink.

What size attacks are people seeing, and is it time to over-purchase bandwidth and move to a ten gigabit service?

Nick




_______________________________________________
AusNOG mailing list
AusNOG at lists.ausnog.net
http://lists.ausnog.net/mailman/listinfo/ausnog






--
Luca Salvatore
Manager, Network Team | DigitalOcean
Phone: +1 (929) 214-7242

