<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=us-ascii"><meta name=Generator content="Microsoft Word 14 (filtered medium)"><!--[if !mso]><style>v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style><![endif]--><style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
@font-face
{font-family:Verdana;
panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman","serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
p.MsoPlainText, li.MsoPlainText, div.MsoPlainText
{mso-style-priority:99;
mso-style-link:"Plain Text Char";
margin:0in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri","sans-serif";}
p.MsoAcetate, li.MsoAcetate, div.MsoAcetate
{mso-style-priority:99;
mso-style-link:"Balloon Text Char";
margin:0in;
margin-bottom:.0001pt;
font-size:8.0pt;
font-family:"Tahoma","sans-serif";}
span.BalloonTextChar
{mso-style-name:"Balloon Text Char";
mso-style-priority:99;
mso-style-link:"Balloon Text";
font-family:"Tahoma","sans-serif";}
span.EmailStyle19
{mso-style-type:personal-reply;
font-family:"Calibri","sans-serif";
color:#1F497D;}
span.PlainTextChar
{mso-style-name:"Plain Text Char";
mso-style-priority:99;
mso-style-link:"Plain Text";
font-family:"Calibri","sans-serif";}
.MsoChpDefault
{mso-style-type:export-only;
font-family:"Calibri","sans-serif";}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=EN-US link=blue vlink=purple><div class=WordSection1><p class=MsoPlainText>Dear All<o:p></o:p></p><p class=MsoPlainText><o:p> </o:p></p><p class=MsoPlainText>Based on Roland's experience of him saying the average attacks are not that large and Prolexic saying they are larger… I guess I come to the same conclusion I came to a few weeks ago when I was talking about this on Whirlpool that the answer is almost anyone’s guess…<o:p></o:p></p><p class=MsoPlainText><o:p> </o:p></p><p class=MsoPlainText>I guess the real question is to everyone reading this, what size attacks have you seen both locally and internationally ?<o:p></o:p></p><p class=MsoPlainText><o:p> </o:p></p><p class=MsoPlainText>Have you had enough capacity to be able to absorb attacks thus collect metrics or have the attacks been larger than your capacity and hence requiring the need for S/RTBH thus losing the ability to measure the true size of the attack ?<o:p></o:p></p><p class=MsoPlainText><o:p> </o:p></p><p class=MsoPlainText>Kindest Regards<o:p></o:p></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><b><span style='font-size:11.0pt;font-family:"Verdana","sans-serif";color:#1F497D'>James Braunegg<br></span></b><b><span style='font-size:8.0pt;font-family:"Verdana","sans-serif";color:#1F497D'>W:</span></b><span style='font-size:8.0pt;font-family:"Verdana","sans-serif";color:#1F497D'> 1300 769 972 | <b>M:</b> 0488 997 207 | <b>D:</b> (03) 9751 7616</span><span style='font-size:8.0pt;font-family:"Verdana","sans-serif";color:#1F497D'><o:p></o:p></span></p><p class=MsoNormal><b><span style='font-size:8.0pt;font-family:"Verdana","sans-serif";color:#1F497D'>E:</span></b><span style='font-size:8.0pt;font-family:"Verdana","sans-serif";color:#1F497D'> </span><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><a href="mailto:james.braunegg@micron21.com"><span style='font-size:8.0pt;font-family:"Verdana","sans-serif"'>james.braunegg@micron21.com</span></a></span><span style='font-size:8.0pt;font-family:"Verdana","sans-serif";color:#1F497D'> | <b>ABN:</b> 12 109 977 666 <br><br><img border=0 width=250 height=39 id="Picture_x0020_1" src="cid:image001.jpg@01CE4DD0.43030210" alt="Description: Description: Description: Description: M21.jpg"><o:p></o:p></span></p><p class=MsoNormal><span style='font-size:8.0pt;font-family:"Verdana","sans-serif";color:#1F497D'><br></span><span lang=EN-AU style='font-size:8.0pt;font-family:"Verdana","sans-serif";color:#1F497D'>This message is intended for the addressee named above. It may contain privileged or confidential information. If you are not the intended recipient of this message you must not use, copy, distribute or disclose it to anyone other than the addressee. If you have received this message in error please return the message to the sender by replying to it and then delete the message from your computer.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>From:</span></b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'> Oliver Kwan [mailto:oliver@prolexic.com] <br><b>Sent:</b> Friday, May 10, 2013 7:16 PM<br><b>To:</b> Nathan Brookfield<br><b>Cc:</b> James Braunegg; ausnog-bounces@lists.ausnog.net; Dobbins, Roland; ausnog@lists.ausnog.net<br><b>Subject:</b> Re: [AusNOG] DDOS mitigation<o:p></o:p></span></p><p class=MsoNormal><o:p> </o:p></p><div><p class=MsoNormal>No worries Nathan,<o:p></o:p></p><div><p class=MsoNormal><o:p> </o:p></p></div><div><div><p class=MsoNormal>We can only comment on what we our global client base experiencing. All we can say is that attacks are getting bigger, as confirmed by Gartner here:<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'><a href="http://blogs.gartner.com/avivah-litan/2013/03/14/are-the-ongoing-ddos-attacks-against-u-s-banks-just-the-calm-before-the-storm/" target="_blank"><span style='color:#1155CC'>http://blogs.gartner.com/avivah-litan/2013/03/14/are-the-ongoing-ddos-attacks-against-u-s-banks-just-the-calm-before-the-storm/</span></a></span><o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>Our research team, called PLXsert, detail attack trends against our client base every 3 months in our quarterly attack report which can be found on our website link below. <o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal><a href="http://www.prolexic.com/knowledge-center-dos-and-ddos-attack-reports.html">http://www.prolexic.com/knowledge-center-dos-and-ddos-attack-reports.html</a><o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>This may also be of interest:<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal><a href="http://www.prolexic.com/knowledge-center-video-real-attack-ddos-mitigation-process-160-gbps.html">http://www.prolexic.com/knowledge-center-video-real-attack-ddos-mitigation-process-160-gbps.html</a><o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>Hope this is of value and you are welcome to forward any questions.<o:p></o:p></p></div></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>Cheers<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>Ollie<o:p></o:p></p></div></div><div><div><div><div><p class=MsoNormal><br>Dear Roland<br><br>I've been doing a bit of research on DDoS attacks lately and have been looking at information presented by both Arbor and Prolexic<br><br>Prolexic says Q1 2013 the average attack from last quarter has increased from 5.9Gbps to 48.25Gbps with an average packet per second rate of 32.4 million packets.<br><br>Arbor says the average attack during 2013 Q1 was about 1.77 Gbps, up from about 1.48 Gbps in 2012 and this took into consideration the large Spamhaus DDoS attack<br><br>What's your take on the massive difference between the averages ? does Prolexic see larger attacks because they protect larger networks ? or do they have less customers thus hence have a larger average ? one thing which isn't shown is how big the sample pool data is... or is someone cooking the books to put fear into network operators ?<br><br>In a recent attack we saw sustained layer 7 attacks for over 24 hours , followed by a 1gbit attack lasting several hours and then short 10 minute attacks ranging from 2.5gbit to 17+gbit - graphs from the attacks can be found here if anyone is interested - <a href="http://www.micron21.com/ddos" target="_blank">http://www.micron21.com/ddos</a><br><br>Kindest Regards<br><br><br>James Braunegg<br>W: 1300 769 972 | M: 0488 997 207 | D: (03) 9751 7616<br>E: <a href="mailto:james.braunegg@micron21.com">james.braunegg@micron21.com</a> | ABN: <a href="tel:12%20109%20977%20666">12 109 977 666</a> <br><br><br><br>This message is intended for the addressee named above. It may contain privileged or confidential information. If you are not the intended recipient of this message you must not use, copy, distribute or disclose it to anyone other than the addressee. If you have received this message in error please return the message to the sender by replying to it and then delete the message from your computer.<br><br><br>-----Original Message-----<br>From: <a href="mailto:ausnog-bounces@lists.ausnog.net">ausnog-bounces@lists.ausnog.net</a> [mailto:<a href="mailto:ausnog-bounces@lists.ausnog.net">ausnog-bounces@lists.ausnog.net</a>] On Behalf Of Dobbins, Roland<br>Sent: Friday, May 10, 2013 7:07 AM<br>To: <a href="mailto:ausnog@lists.ausnog.net">ausnog@lists.ausnog.net</a><br>Subject: Re: [AusNOG] DDOS mitigation<br><br><br>On May 9, 2013, at 11:11 PM, David Miller wrote:<br><br>> +1 No transit providers provide S/RTBH to customers for the reasons pointed out above and in the RFC. Perhaps very few transit providers<br>> offer it to customers, I've never seen it. I would be greatly concerned by any provider that did offer it to any customer other than me.<br><br>My point in bringing up S/RTBH was to note that one isn't limited to 'destroying the village in order to save it' via D/RTBH, and that there are in fact creative ways that operators can more safely provide their downstream customers with S/RTBH capability, such as a dual-advertisement strategy which a) triggers diversion of traffic destined to the attack targets into a mitigation center and b) denotes the attack source(s) to be dropped on the mitigation center coreward interfaces, thus only dropping traffic emanating from said attack sources and destined for attack targets whose traffic is being diverted through the mitigation center gateways.<br><br>> What we should ALL be shouting at router vendors and transit providers to support is Flowspec - RFC 5575 ( <a href="http://www.ietf.org/rfc/rfc5575.txt" target="_blank">http://www.ietf.org/rfc/rfc5575.txt</a> ).<br><br>Yes, absolutely; it should be included in all router and layer-3 switch RFPs as a hard requirement.<br><br>-----------------------------------------------------------------------<br>Roland Dobbins <<a href="mailto:rdobbins@arbor.net">rdobbins@arbor.net</a>> // <<a href="http://www.arbornetworks.com" target="_blank">http://www.arbornetworks.com</a>><br><br> Luck is the residue of opportunity and design.<br><br> -- John Milton<br><br>_______________________________________________<br>AusNOG mailing list<br><a href="mailto:AusNOG@lists.ausnog.net">AusNOG@lists.ausnog.net</a><br><a href="http://lists.ausnog.net/mailman/listinfo/ausnog" target="_blank">http://lists.ausnog.net/mailman/listinfo/ausnog</a><br>_______________________________________________<br>AusNOG mailing list<br><a href="mailto:AusNOG@lists.ausnog.net">AusNOG@lists.ausnog.net</a><br><a href="http://lists.ausnog.net/mailman/listinfo/ausnog" target="_blank">http://lists.ausnog.net/mailman/listinfo/ausnog</a><br>_______________________________________________<br>AusNOG mailing list<br><a href="mailto:AusNOG@lists.ausnog.net">AusNOG@lists.ausnog.net</a><br><a href="http://lists.ausnog.net/mailman/listinfo/ausnog" target="_blank">http://lists.ausnog.net/mailman/listinfo/ausnog</a><o:p></o:p></p></div></div></div><p class=MsoNormal><br><br clear=all><o:p></o:p></p><div><p class=MsoNormal><o:p> </o:p></p></div><p class=MsoNormal>-- <o:p></o:p></p><div><div><p class=MsoNormal><b><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>Oliver Kwan </span></b><span style='font-size:10.0pt;font-family:"Arial","sans-serif";color:#695E4A'>| Vice President</span><span style='font-size:10.0pt;font-family:"Arial","sans-serif";color:#595959'> of Sales - Asia</span><i><span style='font-family:"Arial","sans-serif"'><o:p></o:p></span></i></p><div><div><p class=MsoNormal><i><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'><img border=0 width=200 height=75 id="_x0000_i1025" src="https://mail.google.com/mail/?ui=2&ik=63601b2a13&view=att&th=131b66de673e7669&attid=0.3&disp=inline&realattid=b7c3779b6b7015ee_0.1&zw"></span></i><i><span style='font-family:"Arial","sans-serif"'><o:p></o:p></span></i></p></div></div><p class=MsoNormal><b><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>Prolexic Technologies</span></b><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'> <span style='color:#695E4A'>| </span><span style='color:#595959'>DDoS Attacks End Here.</span> </span><o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal><span style='font-size:7.5pt;font-family:"Arial","sans-serif"'>Inside the Prolexic SOC - <a href="http://www.youtube.com/watch?v=UP2qpqTe6PU" target="_blank">http://www.youtube.com/watch?v=UP2qpqTe6PU</a></span><o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal><span style='font-size:7.5pt;font-family:"Arial","sans-serif"'>Inside the Prolexic Portal - <a href="http://www.youtube.com/watch?v=sOZrpHmxEPM" target="_blank">http://www.youtube.com/watch?v=sOZrpHmxEPM</a></span><o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><div><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif";color:#990000'>m</span><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>: +61 430 86 33 67 (Australia)</span><span style='font-family:"Arial","sans-serif"'><o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif";color:#990000'>m</span><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>: +852 5412 8383 (Hong Kong)</span><span style='font-family:"Arial","sans-serif"'><o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif";color:#990000'>e</span><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>: <a href="mailto:oliver@prolexic.com">oliver@prolexic.com</a></span><span style='font-family:"Arial","sans-serif"'><o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-family:"Arial","sans-serif"'><o:p> </o:p></span></p></div><div><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>Skype: olliekwan</span><span style='font-family:"Arial","sans-serif"'><o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>LinkedIn: Oliver Kwan</span><span style='font-family:"Arial","sans-serif"'><o:p></o:p></span></p></div><div><div><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>MSN: <a href="mailto:oliver79@hotmail.com">oliver79@hotmail.com</a></span><span style='font-family:"Arial","sans-serif"'><o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-family:"Arial","sans-serif"'><o:p> </o:p></span></p></div></div><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>1930 Harrison Street, Suite 403 <span style='color:#695E4A'>| </span><span style='color:#595959'>Hollywood, Florida 33020</span></span><span style='font-family:"Arial","sans-serif"'><o:p></o:p></span></p><div><p class=MsoNormal><span style='font-family:"Arial","sans-serif"'><o:p> </o:p></span></p></div><div><p class=MsoNormal><span style='font-family:"Arial","sans-serif"'><a href="http://www.prolexic.com/" target="_blank"><span style='font-size:10.0pt;color:#0000CC'>www.prolexic.com</span></a><o:p></o:p></span></p></div></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal><span style='font-size:10.0pt'>Privileged or/and Confidential Information may be contained in this message. If you are not the addressee indicated in this message (or responsible for delivery of the message to such person), you may not copy or deliver this message to anyone. In such case, you should destroy this message and kindly notify the sender by reply email</span>.<o:p></o:p></p></div></div></div></div></body></html>