[AusNOG] DDoS Attacks - Painful and Persistent.
Roland Dobbins
rdobbins at arbor.net
Mon Aug 10 15:22:04 EST 2009
On Aug 10, 2009, at 12:08 PM, Nick Brown wrote:
> I'm interested to hear if anyone here has been in the situation
> previously, and how you handled it
Have you implemented S/RTBH at your edges? If so, you can blackhole
based upon source addresses, not just destinations.
Have you implemented NetFlow export into an appropriate analysis
toolset, so as to provide detection/classification/traceback
visibility (full disclosure; I work for a vendor which produces
commercial NetFlow analysis tools, but note that there are several
open-source tools available)?
Do you have communication paths and relationships established with the
relevant folks at your peers/upstreams/downstreams/end-customers so
that you can reach out to them in order to get them to filter within
their networks?
Have you scaled and functionally bulkheaded your DNS infrastructure?
Have you implemented reverse proxy-caches in front of all Web-based
properties?
Have you implemented tcpwrappers, mod_evasive, mod_security?
Have you implemented an intelligent DDoS mitigation system, or IDMS
(full disclosure; I work for a vendor which makes such systems)?
Have you joined the relevant opsec mitigation communities which allow
providers to collaborate in handling security events such as DDoS
attacks?
Can you provide details of the attack traffic/methodologies? This
will help folks to provide more situationally-specific advice.
-----------------------------------------------------------------------
Roland Dobbins <rdobbins at arbor.net> // <http://www.arbornetworks.com>
Unfortunately, inefficiency scales really well.
-- Kevin Lawton
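As an added illustration of the detection/classification/traceback point in the reply above (example code, not part of the original post or any vendor tool): a minimal flow aggregator over constructed NetFlow-style records that flags a destination exceeding a packet-rate threshold, names the dominant protocol/port vector, and lists the top contributing sources as /32 host routes an operator could review before feeding them to an S/RTBH trigger. Addresses, thresholds and field layout are assumptions for the sample.

```python
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed NetFlow-style records (RFC 5737 documentation addresses, not real
# traffic): (src_ip, dst_ip, proto, dst_port, packets). Five sources flood
# 203.0.113.20 over UDP/53 while 203.0.113.10 only sees ordinary web traffic.
SAMPLE_FLOWS = [
    ("198.51.100.5", "203.0.113.10", 6, 443, 120),
    ("198.51.100.6", "203.0.113.10", 6, 80, 40),
    ("198.51.100.7", "203.0.113.20", 6, 443, 300),
] + [(f"192.0.2.{i}", "203.0.113.20", 17, 53, 20000) for i in range(1, 6)]

@dataclass
class Verdict:
    target: str                 # destination under attack
    pps: float                  # packets per second across the export window
    vector: tuple               # dominant (proto, dst_port) seen at the target
    top_sources: list = field(default_factory=list)  # (src_ip, packets)

def classify(flows, window_s=60, pps_threshold=1000.0, min_share=0.05):
    """Flag destinations above a packet-rate threshold and rank their sources."""
    dst_pkts = defaultdict(int)
    src_pkts = defaultdict(lambda: defaultdict(int))
    vec_pkts = defaultdict(lambda: defaultdict(int))
    for src, dst, proto, dport, pkts in flows:
        dst_pkts[dst] += pkts
        src_pkts[dst][src] += pkts
        vec_pkts[dst][(proto, dport)] += pkts
    verdicts = []
    for dst, total in dst_pkts.items():
        pps = total / window_s
        if pps < pps_threshold:
            continue                      # below the assumed alerting threshold
        vector = max(vec_pkts[dst].items(), key=lambda kv: kv[1])[0]
        ranked = sorted(src_pkts[dst].items(), key=lambda kv: kv[1], reverse=True)
        # keep only sources carrying a meaningful share; low-volume senders are
        # more likely legitimate clients and are left alone
        top = [(s, p) for s, p in ranked if p / total >= min_share]
        verdicts.append(Verdict(dst, pps, vector, top))
    return verdicts

def srtbh_candidates(verdict):
    """Host routes an operator might hand to a S/RTBH trigger after review."""
    return [f"{src}/32" for src, _ in verdict.top_sources]

if __name__ == "__main__":
    for v in classify(SAMPLE_FLOWS):
        print(v.target, round(v.pps), v.vector, srtbh_candidates(v))
```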