[AusNOG] DDOS mitigation

James Braunegg james.braunegg at micron21.com
Sun May 12 21:34:36 EST 2013


Dear All

I find that for compromised website servers etc. you can assist by using QoS to rate limit, say based on matching UDP, ICMP and TCP traffic, along with packet storm control to limit the number of packets coming from a particular server at the switch port level (assuming you have full layer 3 functions on your top-of-rack switch), allowing you to isolate the script without causing a lot of damage to your network.

I fully agree, however it's always CMS-type web sites which always are compromised... we see this day in, day out... then the website owners say "aren't your servers secure?!"

Kindest Regards  

James Braunegg
W:  1300 769 972  |  M:  0488 997 207 |  D:  (03) 9751 7616
E:   james.braunegg at micron21.com  |  ABN:  12 109 977 666   




-----Original Message-----
From: ausnog-bounces at lists.ausnog.net [mailto:ausnog-bounces at lists.ausnog.net] On Behalf Of Matt Palmer
Sent: Sunday, May 12, 2013 7:36 PM
To: ausnog at lists.ausnog.net
Subject: Re: [AusNOG] DDOS mitigation

On Sun, May 12, 2013 at 03:24:20AM +0000, Dobbins, Roland wrote:
> On May 12, 2013, at 10:13 AM, Zone Networks - Joel wrote:
> > It's all those damn Joomla/Wordpress websites that have been compromised
> > and I don't see it stopping either, since there are millions of these
> > websites that won't get patched/upgraded until it's exploited.
> 
> My hope is to utilize the aforementioned insurance scheme to induce IDC
> operators to perform ongoing proactive vulnerability scanning of
> hosted/co-located/virtual servers located on their access networks, and to
> shut down end-customers who are not fully patched until they remediate
> their boxen.

It's a nice idea to be sure, but a provider with a bunch of compromised
wordpress instances is unlikely to be impacted sufficiently to need to claim
on their insurance scheme.  It's rather a lot like BCP38 -- they're a minor
annoyance to the source, because there's only a (relatively) few of them per
misbehaving ISP, but multiply that by the number of misbehaving ISPs, and
they're a damned nuisance to the destination.

- Matt

-- 
CH3_ _ _ _ _ _ _ _ _ _ _
CH3_X_X_X_X_X_X_X_X_X_X_>
    <_X_X_X_X_X_X_X_X_X_>  1,2-dimethylchickenwire
    <_X_X_X_X_X_X_X_X_X_>  	-- Michael McConnell, ASR
