I've documented over 60 attacks to customers in our network in the last 22 months. Some are small, just 200 Mbps, the largest has been 2.6 Gbps. In 98% of all cases the attack is just six to eight minutes long, so by the time I respond to any alarms it's already over.
So there's one more thing you can do.
5. Increase your uplink so that the small attacks end up affecting only the subset of access technology that's part of the targeted customer.
Frank
-----Original Message-----
From: MICE Discuss [mailto:[log in to unmask]] On Behalf Of Richard Laager
Sent: Thursday, March 13, 2014 2:04 PM
To: [log in to unmask]
Subject: [MICE-DISCUSS] DDoS Attacks
Last night, we got hit by a ~3 Gbps DDoS attack. It's been a while since
this has happened to us, so I'd like to make sure I'm still up on the
state of the art.
Is there anything more to be done than the following?
1. Identify the victim.
2. Null route the victim.
3. Propagate the null route to your upstreams (via BGP, if
supported, otherwise a phone call to their NOC).
4. Move the victim to a new IP.
To avoid participating in at least some classes of DDoS attacks, we:
* long ago implemented uRPF (and/or similar ACLs) to block spoofed
outbound packets, as recommended by BCP 38 (RFC 2827).
* ensured our NTP servers (and any NTP servers of our customers)
are not responding to monlist queries. The openntpproject.org
website is useful here. They list vulnerable NTP servers by IP
range, or you can get all NTP servers by AS (replace YOUR_AS
with your AS, and optionally, add &csv=1) and then query with
ntpdc -n -c monlist IP:
http://openntpproject.org/searchby-asn.cgi?search_asn=YOUR_AS
* just this week started addressing customers with open DNS
resolvers, which can also be used in amplification attacks:
http://openresolverproject.org/searchby-asn.cgi?search_asn=YOUR_AS
Is there anything else we should be doing?
--
Richard
########################################################################
To unsubscribe from the MICE-DISCUSS list, click the following link:
http://lists.iphouse.net/cgi-bin/wa?SUBED1=MICE-DISCUSS&A=1
########################################################################
To unsubscribe from the MICE-DISCUSS list, click the following link:
http://lists.iphouse.net/cgi-bin/wa?SUBED1=MICE-DISCUSS&A=1
|