[AusNOG] DDoS attack sizes

Paul Baker paul.baker at vocus.com.au
Tue Feb 9 12:24:32 EST 2016 

Hi Nick,

Just wanted to throw in my observations as well. We see a huge range of 
attack sizes come through our network, typical SYN flood attacks are 
just a few hundred Mbps, but as other have suggested, far to often, 
attacks (other than SYN) are multiple Gbps - too big for the typical SP 
to absorb by throwing extra bandwidth at the problem. We see attacks 
 >10-20Gbps every day, largest we've seen in recent times is 80Gbps.

If you're lucky enough to not suffer DDoS attacks too regularly, and you 
are able to accept cutting off one IP address while it's under attack, 
then RTBH is the easiest, cheapest solution to ensure that a Volumetric 
DDoS attack isn't able to take down your network. Even if you deploy on 
site DDoS mitigation equipment you won't be protected from volumetric 
attacks. You will only be able to handle attacks up to the size of your 
Internet links. Most ISP's should support RTBH. Hopefully we'll start to 
see them support BGP FlowSpec eventually.

If null routing/RTBH is not an option (as you have implied), the best 
solution would be a combination of cloud based DDoS mitigation to 
eliminate volumetric attacks,  with hardening the network edge using 
ACLs (you'd be surprised the number of attacks that target UDP port 80 
that can easily be eliminated using an ACL) and selectively policing 
traffic towards network infrastructure, optional dedicated on-site DDoS 
appliances, and protection for server infrastructure by traditional 
firewalls or WAF.

Full disclosure: These are just my general observations/recommendations, 
but I do work for Vocus Communications who do have DDoS products.

Regards

Paul Baker | Network Architect
Vocus Communications

On 8/02/2016 4:42 PM, Nick Evendor wrote:
> Yesterday we experienced an 850 megabit DDoS attack towards a hosting 
> customer which almost filled our gigabit uplink and made our upstream 
> provider call me on a Sunday due to abnormal traffic on our port.
>
> Thank god it was Sunday so our network was underutilized with no 
> collateral damage and everything remained working, but I asked the 
> upstream provider what we can do about it other than null routing the 
> destination and they said purchase more capacity.
>
> In the past we have seen a few attacks but they have only been a few 
> hundred megabits and never come close to saturating our gigabit uplink.
>
> What size attacks are people seeing and is it time to over purchase 
> bandwidth and move to a ten gigabit service.
>
> Nick
>
>
>
> _______________________________________________
> AusNOG mailing list
> AusNOG at lists.ausnog.net
> http://lists.ausnog.net/mailman/listinfo/ausnog

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.ausnog.net/pipermail/ausnog/attachments/20160209/15cac37d/attachment.html>

More information about the AusNOG mailing list