[AusNOG] DDOS mitigation

Nathan Brookfield Nathan.Brookfield at simtronic.com.au
Fri May 10 18:55:07 EST 2013


Ollie,

It would be helpful if you could reply on list, no point this being left up in the air.  I know there are people on this list who represent Arbor also. It would be good to get a response to the figures mentioned.

Kindest Regards,
Nathan Brookfield (VK2NAB)

Chief Executive Officer
Simtronic Technologies Pty Ltd

Local: (02) 4749 4949 | Fax: (02) 4749 4950 | Direct: (02) 4749 4951
Web: http://www.simtronic.com.au | E-mail: nathan.brookfield at simtronic.com.au

-----Original Message-----
From: ausnog-bounces at lists.ausnog.net [mailto:ausnog-bounces at lists.ausnog.net] On Behalf Of oliver at prolexic.com
Sent: Friday, 10 May 2013 6:43 PM
To: James Braunegg; ausnog-bounces at lists.ausnog.net; Dobbins, Roland; ausnog at lists.ausnog.net
Subject: Re: [AusNOG] DDOS mitigation

Hi All,

The Prolexic team in Australia are happy to answer any questions off list.

Feel free to channel queries through myself (oliver at prolexic.com).

Thanks & have a good weekend.

Cheers

Ollie

-----Original Message-----
From: James Braunegg <james.braunegg at micron21.com>
Sender: ausnog-bounces at lists.ausnog.net
Date: Fri, 10 May 2013 07:32:53 
To: Dobbins, Roland<rdobbins at arbor.net>; ausnog at lists.ausnog.net<ausnog at lists.ausnog.net>
Subject: Re: [AusNOG] DDOS mitigation

Dear Roland

I've been doing a bit of research on DDoS attacks lately and have been looking at information presented by both Arbor and Prolexic

Prolexic says Q1 2013 the average attack from last quarter has increased from 5.9Gbps to 48.25Gbps with an average packet per second rate of 32.4 million packets.

Arbor says the average attack during 2013 Q1 was about 1.77 Gbps, up from about 1.48 Gbps in 2012 and this took into consideration the large Spamhaus DDoS attack

What's your take on the massive difference between the averages? Does Prolexic see larger attacks because they protect larger networks? Or do they have fewer customers and hence a larger average? One thing which isn't shown is how big the sample pool data is... or is someone cooking the books to put fear into network operators?

In a recent attack we saw sustained layer 7 attacks for over 24 hours, followed by a 1gbit attack lasting several hours and then short 10 minute attacks ranging from 2.5gbit to 17+gbit. Graphs from the attacks can be found here if anyone is interested: http://www.micron21.com/ddos

Kindest Regards


James Braunegg
W:  1300 769 972  |  M:  0488 997 207 |  D:  (03) 9751 7616
E:   james.braunegg at micron21.com  |  ABN:  12 109 977 666   





-----Original Message-----
From: ausnog-bounces at lists.ausnog.net [mailto:ausnog-bounces at lists.ausnog.net] On Behalf Of Dobbins, Roland
Sent: Friday, May 10, 2013 7:07 AM
To: ausnog at lists.ausnog.net
Subject: Re: [AusNOG] DDOS mitigation


On May 9, 2013, at 11:11 PM, David Miller wrote:

> +1  No transit providers provide S/RTBH to customers for the reasons pointed out above and in the RFC.  Perhaps very few transit providers
> offer it to customers, I've never seen it.  I would be greatly concerned by any provider that did offer it to any customer other than me.

My point in bringing up S/RTBH was to note that one isn't limited to 'destroying the village in order to save it' via D/RTBH, and that there are in fact creative ways that operators can more safely provide their downstream customers with S/RTBH capability, such as a dual-advertisement strategy which a) triggers diversion of traffic destined to the attack targets into a mitigation center and b) denotes the attack source(s) to be dropped on the mitigation center coreward interfaces, thus only dropping traffic emanating from said attack sources and destined for attack targets whose traffic is being diverted through the mitigation center gateways.

> What we should ALL be shouting at router vendors and transit providers to support is Flowspec - RFC 5575 ( http://www.ietf.org/rfc/rfc5575.txt ).

Yes, absolutely; it should be included in all router and layer-3 switch RFPs as a hard requirement.

-----------------------------------------------------------------------
Roland Dobbins <rdobbins at arbor.net> // <http://www.arbornetworks.com>

	  Luck is the residue of opportunity and design.

		       -- John Milton

_______________________________________________
AusNOG mailing list
AusNOG at lists.ausnog.net
http://lists.ausnog.net/mailman/listinfo/ausnog
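
The following is an added example, not part of the original thread or any vendor's implementation: a small model of the forwarding decision under D/RTBH, plain S/RTBH, and the dual-advertisement strategy described in the message above, showing which flows each one drops. The prefixes are constructed RFC 5737 documentation addresses, and the function names and the two-list model of advertisements (a) and (b) are assumptions made for illustration.

```python
import ipaddress

# Constructed sample data (RFC 5737 documentation prefixes), not from the thread.
TARGETS = [ipaddress.ip_network("203.0.113.10/32")]  # advertisement (a): divert to mitigation center
SOURCES = [ipaddress.ip_network("198.51.100.0/24")]  # advertisement (b): attack sources to drop

FLOWS = [  # (source, destination)
    ("198.51.100.7", "203.0.113.10"),  # attack source -> attack target
    ("192.0.2.50", "203.0.113.10"),    # legitimate client -> attack target
    ("198.51.100.7", "203.0.113.99"),  # listed source -> unrelated customer host
    ("192.0.2.50", "203.0.113.99"),    # unrelated traffic
]


def _in(addr, nets):
    """True if addr falls inside any of the given prefixes."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in nets)


def d_rtbh(src, dst):
    """Destination-based blackhole: everything sent to the target is dropped."""
    return "drop" if _in(dst, TARGETS) else "forward"


def s_rtbh(src, dst):
    """Plain source-based blackhole: listed sources are dropped for every destination."""
    return "drop" if _in(src, SOURCES) else "forward"


def dual_advertisement(src, dst):
    """Hypothetical model: only diverted traffic reaches the mitigation center,
    and the source drop applies only on its coreward interfaces."""
    if not _in(dst, TARGETS):
        return "forward"  # never diverted, so it never meets the drop list
    return "drop" if _in(src, SOURCES) else "forward-via-mitigation"


def compare(flows=FLOWS):
    """Return (src, dst, D/RTBH, S/RTBH, dual) for each flow."""
    return [(s, d, d_rtbh(s, d), s_rtbh(s, d), dual_advertisement(s, d)) for s, d in flows]


if __name__ == "__main__":
    for row in compare():
        print("{:>14} -> {:<14} D/RTBH={:<8} S/RTBH={:<8} dual={}".format(*row))
```

In this model D/RTBH also drops the legitimate client's traffic to the target, plain S/RTBH also drops the listed source's traffic to an unrelated host, and the dual-advertisement case drops only the flow that matches both lists.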