[AusNOG] DDoS Attacks - Painful and Persistent.

Nick Brown nick at inticon.net.au
Mon Aug 10 15:08:55 EST 2009


Afternoon All,

We have refrained from posting an email of this nature to the list due 
to the general 'publicness' of it, alas I believe it is pertinent we get 
some feedback from those who are knowledgeable in the subject.

We have been the target of a Distributed Denial of Service attack on and 
off again for the last 3 weeks. Used to seeing your typical smaller 
scale attacks, SYN floods and exploited boxes downstream we are not 
typically fazed by the issue, however this attack is of significant 
volume, and after the initial 24 hours of traffic being targeted at 
assorted miscellaneous IPs within our network, the target has changed 
to be directed at our own website, with the target changing to the new 
IP once changed.

Continually we have managed to handle the situation, blackholing 
destination IPs, throwing more capacity at the problem and dropping 
entire prefixes - but I'm interested to hear if anyone here has been in 
the situation previously, and how you handled it - not just from a 
technical perspective, but a business perspective also.

We managed to go a week without seeing the traffic, however it started 
again this morning. The source is varied so attempting to block the traffic 
on the ingress is not really achievable.

Our changes to date and the situation so far would certainly make for an 
interesting real world discussion piece at the conference :-)

Regards,
Nick.
