[AusNOG] DDoS attack sizes

Luca Salvatore luca at digitalocean.com
Wed Feb 10 01:57:37 EST 2016


Be great to see ISPs start to support flowspec... Is Vocus working on that?

On Mon, Feb 8, 2016 at 8:24 PM, Paul Baker <paul.baker at vocus.com.au> wrote:

> Hi Nick,
>
> Just wanted to throw in my observations as well. We see a huge range of
> attack sizes come through our network, typical SYN flood attacks are just a
> few hundred Mbps, but as others have suggested, far too often, attacks (other
> than SYN) are multiple Gbps - too big for the typical SP to absorb by
> throwing extra bandwidth at the problem. We see attacks >10-20Gbps every
> day, largest we've seen in recent times is 80Gbps.
>
> If you're lucky enough to not suffer DDoS attacks too regularly, and you
> are able to accept cutting off one IP address while it's under attack, then
> RTBH is the easiest, cheapest solution to ensure that a Volumetric DDoS
> attack isn't able to take down your network. Even if you deploy on site
> DDoS mitigation equipment you won't be protected from volumetric attacks.
> You will only be able to handle attacks up to the size of your Internet
> links. Most ISPs should support RTBH. Hopefully we'll start to see them
> support BGP FlowSpec eventually.
>
> If null routing/RTBH is not an option (as you have implied), the best
> solution would be a combination of cloud based DDoS mitigation to eliminate
> volumetric attacks, with hardening the network edge using ACLs (you'd be
> surprised the number of attacks that target UDP port 80 that can easily be
> eliminated using an ACL) and selectively policing traffic towards network
> infrastructure, optional dedicated on-site DDoS appliances, and protection
> for server infrastructure by traditional firewalls or WAF.
>
> Full disclosure: These are just my general observations/recommendations,
> but I do work for Vocus Communications who do have DDoS products.
>
> Regards
>
> Paul Baker | Network Architect
> Vocus Communications
>
>
> On 8/02/2016 4:42 PM, Nick Evendor wrote:
>
> Yesterday we experienced an 850 megabit DDoS attack towards a hosting
> customer which almost filled our gigabit uplink and made our upstream
> provider call me on a Sunday due to abnormal traffic on our port.
>
> Thank god it was Sunday so our network was underutilized with no
> collateral damage and everything remained working, but I asked the upstream
> provider what we can do about it other than null routing the destination
> and they said purchase more capacity.
>
> In the past we have seen a few attacks but they have only been a few
> hundred megabits and never come close to saturating our gigabit uplink.
>
> What size attacks are people seeing and is it time to over purchase
> bandwidth and move to a ten gigabit service?
>
> Nick
>


-- 
Luca Salvatore
Manager, Network Team | DigitalOcean
Phone: +1 (929) 214-7242