<html>
<head>
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
Hi Nick,<br>
<br>
Just wanted to throw in my observations as well. We see a huge range
of attack sizes come through our network: typical SYN flood attacks
are just a few hundred Mbps, but as others have suggested, far too
often, attacks (other than SYN) are multiple Gbps - too big for the
typical SP to absorb by throwing extra bandwidth at the problem. We
see attacks >10-20Gbps every day; the largest we've seen in recent
times is 80Gbps. <br>
<br>
If you're lucky enough to not suffer DDoS attacks too regularly, and
you are able to accept cutting off one IP address while it's under
attack, then RTBH is the easiest, cheapest solution to ensure that a
volumetric DDoS attack isn't able to take down your network. Even if
you deploy on-site DDoS mitigation equipment you won't be protected
from volumetric attacks. You will only be able to handle attacks up
to the size of your Internet links. Most ISPs should support RTBH.
Hopefully we'll start to see them support BGP FlowSpec eventually. <br>
<br>
If null routing/RTBH is not an option (as you have implied), the
best solution would be a combination of cloud-based DDoS mitigation
to eliminate volumetric attacks, with hardening the network edge
using ACLs (you'd be surprised by the number of attacks that target UDP
port 80 that can easily be eliminated using an ACL) and selectively
policing traffic towards network infrastructure, optional dedicated
on-site DDoS appliances, and protection for server infrastructure by
traditional firewalls or WAF.<br>
<br>
Full disclosure: These are just my general
observations/recommendations, but I do work for Vocus Communications
who do have DDoS products.<br>
<br>
Regards<br>
<br>
Paul Baker | Network Architect<br>
Vocus Communications<br>
<br>
<div class="moz-cite-prefix">On 8/02/2016 4:42 PM, Nick Evendor
wrote:<br>
</div>
<blockquote cite="mid:BLU183-W851AE3428867415739015CB2D50@phx.gbl"
type="cite">
<div dir="ltr">Yesterday we experienced an 850 megabit DDoS attack
towards a hosting customer which almost filled our gigabit
uplink and made our upstream provider call me on a Sunday due to
abnormal traffic on our port.<br>
<br>
Thank God it was Sunday so our network was underutilized with no
collateral damage and everything remained working, but I asked
the upstream provider what we can do about it other than null
routing the destination, and they said purchase more capacity.<br>
<br>
In the past we have seen a few attacks but they have only been a
few hundred megabits and never come close to saturating our
gigabit uplink.<br>
<br>
What size attacks are people seeing, and is it time to over-purchase
bandwidth and move to a ten gigabit service?<br>
<br>
Nick<br>
<br>
</div>
<br>
<br>
<pre wrap="">_______________________________________________
AusNOG mailing list
<a class="moz-txt-link-abbreviated" href="mailto:AusNOG@lists.ausnog.net">AusNOG@lists.ausnog.net</a>
<a class="moz-txt-link-freetext" href="http://lists.ausnog.net/mailman/listinfo/ausnog">http://lists.ausnog.net/mailman/listinfo/ausnog</a>
</pre>
</blockquote>
<br>
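<p>The two edge controls Paul's reply recommends, an ACL that discards traffic with no legitimate use toward a hosting prefix (his UDP port 80 case) and RTBH for the single destination that would otherwise saturate the uplink, can be turned into a small decision helper. The script below is an added example and is not code from the thread, from Vocus, or from any vendor: it reads constructed flow records for a 1 Gbps uplink (Nick's link size), applies the ACL first, totals what remains per destination, and recommends a /32 blackhole announcement only for a destination whose surviving traffic would fill the link. The addresses, the interval, the 80% trigger, the ASN and the blackhole community value are all assumptions.</p>

```python
"""Edge ACL plus RTBH trigger decision over constructed flow records.

Added example for the AusNOG thread above; not the list's, Vocus's or any
router vendor's code. Thresholds, addresses and the community are assumed.
"""
from collections import defaultdict
from dataclasses import dataclass

LINK_MBPS = 1000                    # assumed uplink size (1 Gbps, as in Nick's post)
RTBH_TRIGGER = 0.8                  # blackhole a destination once it would fill 80% of the link
BLACKHOLE_COMMUNITY = "64496:666"   # assumed upstream RTBH community (documentation ASN)

# Edge ACL policy: (protocol, destination port) pairs that never carry legitimate
# traffic toward a web hosting prefix, so they can be dropped at the border.
ACL_DROP = {("udp", 80), ("udp", 443)}


@dataclass(frozen=True)
class Flow:
    dst: str        # destination address inside our hosting prefix
    proto: str      # "tcp" or "udp"
    dport: int      # destination port
    mbytes: float   # megabytes observed during the interval
    interval_s: int # length of the sampling interval in seconds


def flow_mbps(flow):
    """Average rate of one flow record in megabits per second."""
    return flow.mbytes * 8 / flow.interval_s


def acl_permits(flow):
    """True when the edge ACL would let this flow through."""
    return (flow.proto, flow.dport) not in ACL_DROP


def acl_dropped_mbps(flows):
    """How much of the inbound rate the ACL alone removes."""
    return sum(flow_mbps(f) for f in flows if not acl_permits(f))


def mbps_per_destination(flows):
    """Per-destination rate counting only flows that survive the ACL."""
    totals = defaultdict(float)
    for f in flows:
        if acl_permits(f):
            totals[f.dst] += flow_mbps(f)
    return dict(totals)


def rtbh_candidates(flows, link_mbps=LINK_MBPS, trigger=RTBH_TRIGGER):
    """Destinations whose post-ACL traffic alone reaches the trigger fraction of the link.

    Blackholing one of these sacrifices that host but keeps the link, and
    every other customer on it, reachable.
    """
    return sorted(dst for dst, mbps in mbps_per_destination(flows).items()
                  if mbps >= link_mbps * trigger)


def rtbh_announcement(dst, community=BLACKHOLE_COMMUNITY):
    """Human-readable form of the /32 the customer would announce upstream.

    The format is illustrative only; the real announcement is a BGP prefix
    tagged with the upstream's published blackhole community.
    """
    return f"{dst}/32 community {community}"


# Constructed one-minute flow summary: one host under a mixed UDP flood,
# a second host with normal HTTPS traffic.
SAMPLE_FLOWS = [
    Flow("203.0.113.10", "udp", 80, 3000.0, 60),    # 400 Mbps of UDP/80: ACL drops it
    Flow("203.0.113.10", "udp", 123, 6750.0, 60),   # 900 Mbps NTP-style flood: survives ACL
    Flow("203.0.113.10", "tcp", 80, 75.0, 60),      # 10 Mbps of real web traffic
    Flow("203.0.113.20", "tcp", 443, 375.0, 60),    # 50 Mbps, unrelated customer
]


if __name__ == "__main__":
    print(f"ACL removes {acl_dropped_mbps(SAMPLE_FLOWS):.0f} Mbps before it reaches the link")
    for dst, mbps in sorted(mbps_per_destination(SAMPLE_FLOWS).items()):
        print(f"{dst}: {mbps:.0f} Mbps after ACL")
    for dst in rtbh_candidates(SAMPLE_FLOWS):
        print("RTBH:", rtbh_announcement(dst))
```

<p>On the constructed input the ACL removes 400 Mbps on its own, which is exactly the kind of win the reply describes, but 203.0.113.10 still draws 910 Mbps after filtering and is the one host worth blackholing so that 203.0.113.20 and the rest of the uplink stay up. Raising LINK_MBPS to 10000 makes the same input return no RTBH candidates, which is the "attacks up to the size of your Internet links" boundary the reply draws.</p>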
</body>
</html>