[AusNOG] DDoS Attacks - Painful and Persistent.

Nick Brown nick at inticon.net.au
Mon Aug 10 16:31:01 EST 2009


Unfortunately not, nor can we identify any characteristics or trends in 
traffic to our downstreams that would suggest we are taking the beating 
on their behalf.

We have not been contacted by any party taking claim or asking for 
anything in exchange for a stop in the malicious traffic. We have not at 
any point in time knowingly annoyed another network or party.

We are not aware of any gaming customers / clans or service providers, 
nor IRC bots immediately downstream that we can identify, nor have we 
seen outbound traffic to suggest there is (other than usual traffic that 
you would expect to see leaving a DSL network).



Matt Shadbolt wrote:
> Have you established WHY you're the target of the DDoS's?
>
> matt
>
> On Mon, Aug 10, 2009 at 3:22 PM, Roland Dobbins <rdobbins at arbor.net> wrote:
>
>
>     On Aug 10, 2009, at 12:08 PM, Nick Brown wrote:
>
>     >  I'm interested to hear if anyone here has been in the situation
>     > previously, and how you handled it
>
>
>     Have you implemented S/RTBH at your edges?  If so, you can blackhole
>     based upon source addresses, not just destinations.
>
>     Have you implemented NetFlow export into an appropriate analysis
>     toolset, so as to provide detection/classification/traceback
>     visibility (full disclosure; I work for a vendor which produces
>     commercial NetFlow analysis tools, but note that there are several
>     open-source tools available)?
>
>     Do you have communication paths and relationships established with the
>     relevant folks at your peers/upstreams/downstreams/end-customers so
>     that you can reach out to them in order to get them to filter within
>     their networks?
>
>     Have you scaled and functionally bulkheaded your DNS infrastructure?
>
>     Have you implemented reverse proxy-caches in front of all Web-based
>     properties?
>
>     Have you implemented tcpwrappers, mod_evasive, mod_security?
>
>     Have you implemented an intelligent DDoS mitigation system, or IDMS
>     (full disclosure; I work for a vendor which makes such systems)?
>
>     Have you joined the relevant opsec mitigation communities which allow
>     providers to collaborate in handling security events such as DDoS
>     attacks?
>
>     Can you provide details of the attack traffic/methodologies?  This
>     will help folks to provide more situationally-specific advice.
>
>     -----------------------------------------------------------------------
>     Roland Dobbins <rdobbins at arbor.net> // <http://www.arbornetworks.com>
>
>             Unfortunately, inefficiency scales really well.
>
>                       -- Kevin Lawton
>
>     _______________________________________________
>     AusNOG mailing list
>     AusNOG at lists.ausnog.net <mailto:AusNOG at lists.ausnog.net>
>     http://lists.ausnog.net/mailman/listinfo/ausnog
>

-- 
Inticon Pty Ltd
Direct 02 4001 0516
Mobile 0432 038 015
Web http://www.inticon.com.au


