DDOS solution recommendation

Well, there are going to be two sources of the attack... infested clients, or machines set up for this purpose (usually in a datacenter somewhere). If enough people blackhole the attacking IPs, those IPs are eventually going to have a very limited view of the Internet. They may not care if it's a server in a datacenter being used to attack, but the owner of an infested home PC would care once they can't get to Google, FaceBook, Instagram, whatever.

If the attacker's abuse contact doesn't care, then just by brute force of more and more of the Internet being offline to them, they'll figure it out.

You hit my honeypot IPs, blackholed for 30 days. You do a DNS request to my non-DNS servers, blackholed for 30 days. Same goes for NTP, mail, web, etc. You have more than say 5 bad login attempts to my mail server in 5 minutes, blackholed for 30 days. You're trying to access various web pages known for home router or Wordpress exploitation, blackholed for 30 days.

No point in letting troublemakers (manual or scripted) spend more time on the network than necessary. The more people (as a collective or not) that do this, the better.
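The "hit my honeypot / bad logins / DNS to a non-DNS host, blackholed for 30 days" policy from the post above, as an added worked example that is not code from any poster. The log line formats, the addresses (documentation space) and the exact thresholds are assumptions; the point is the mechanics a practitioner needs to get right: a sliding window for the login count, entries that expire, and refusing to blackhole anything that does not parse as an address.

```python
"""Added example: time-boxed blackholing driven by log events.

Constructed for this thread; it is not code from any poster. The log
formats, addresses and thresholds are assumptions chosen to match the
post: five bad logins within five minutes, any packet to a honeypot
address, or a DNS query to a host that is not a DNS server earns the
source a 30-day entry.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from ipaddress import ip_address

BLACKHOLE_FOR = timedelta(days=30)
LOGIN_LIMIT, LOGIN_WINDOW = 5, timedelta(minutes=5)
HONEYPOT_IPS = {"198.51.100.250"}   # assumption: nothing legitimate talks to these
DNS_SERVERS = {"198.51.100.53"}     # assumption: the only host that should see udp/53

# Constructed, syslog-like line formats (assumptions).
AUTH_RE = re.compile(r"^(\S+) mail auth: failed login for \S+ from (\S+)$")
FLOW_RE = re.compile(r"^(\S+) fw flow proto=\w+ src=(\S+) dst=(\S+) dport=(\d+)$")


def parse_ts(text):
    return datetime.fromisoformat(text)


class Blackholer:
    def __init__(self):
        self.entries = {}                   # ip -> expiry
        self.failures = defaultdict(deque)  # ip -> recent failed-login times

    def _add(self, ip, now, reason):
        ip_address(ip)   # a malformed field raises here, so a bad line cannot poison the list
        expiry = now + BLACKHOLE_FOR
        if self.entries.get(ip, now) < expiry:  # extend an entry, never shorten it
            self.entries[ip] = expiry
        return ip, reason

    def observe(self, line):
        """Feed one log line; return (ip, reason) if it earned a blackhole, else None."""
        m = AUTH_RE.match(line)
        if m:
            now, ip = parse_ts(m.group(1)), m.group(2)
            recent = self.failures[ip]
            recent.append(now)
            while now - recent[0] > LOGIN_WINDOW:   # slide the five-minute window
                recent.popleft()
            if len(recent) >= LOGIN_LIMIT:
                recent.clear()
                return self._add(ip, now, "bruteforce")
            return None
        m = FLOW_RE.match(line)
        if m:
            now, src, dst, dport = parse_ts(m.group(1)), m.group(2), m.group(3), int(m.group(4))
            if dst in HONEYPOT_IPS:
                return self._add(src, now, "honeypot")
            if dport == 53 and dst not in DNS_SERVERS:
                return self._add(src, now, "dns-to-non-dns")
        return None

    def is_blackholed(self, ip, now):
        expiry = self.entries.get(ip)
        if expiry is None:
            return False
        if now >= expiry:          # the 30 days are up: let them back in
            del self.entries[ip]
            return False
        return True


SAMPLE_LOG = [  # constructed sample input
    "2015-01-11T14:50:00 mail auth: failed login for root from 203.0.113.7",
    "2015-01-11T14:50:30 mail auth: failed login for admin from 203.0.113.7",
    "2015-01-11T14:51:00 mail auth: failed login for test from 203.0.113.7",
    "2015-01-11T14:51:30 mail auth: failed login for guest from 203.0.113.7",
    "2015-01-11T14:52:00 mail auth: failed login for oracle from 203.0.113.7",
    "2015-01-11T14:53:00 fw flow proto=udp src=203.0.113.9 dst=198.51.100.250 dport=123",
    "2015-01-11T14:54:00 fw flow proto=udp src=203.0.113.11 dst=198.51.100.20 dport=53",
    "2015-01-11T14:55:00 fw flow proto=udp src=203.0.113.12 dst=198.51.100.53 dport=53",
    # a slow guesser: five failures spread past the five-minute window never trip it
    "2015-01-11T15:00:00 mail auth: failed login for root from 203.0.113.8",
    "2015-01-11T15:02:00 mail auth: failed login for root from 203.0.113.8",
    "2015-01-11T15:04:00 mail auth: failed login for root from 203.0.113.8",
    "2015-01-11T15:06:00 mail auth: failed login for root from 203.0.113.8",
    "2015-01-11T15:08:00 mail auth: failed login for root from 203.0.113.8",
]


def run(lines):
    """Replay log lines; return the Blackholer and {ip: reason} for new entries."""
    bh, hits = Blackholer(), {}
    for line in lines:
        hit = bh.observe(line)
        if hit:
            hits[hit[0]] = hit[1]
    return bh, hits


if __name__ == "__main__":
    bh, hits = run(SAMPLE_LOG)
    for ip, reason in hits.items():
        print(f"{ip:<16} {reason:<16} blackholed until {bh.entries[ip]:%Y-%m-%d %H:%M}")
```

Run it and 203.0.113.7, .9 and .11 come out blackholed for 30 days while .12 (a real query to the real resolver) and .8 (four-minute-spaced guesses) do not. Feeding `entries` to a real RTBH trigger or firewall set is the part this does not show; the expiry check is there so whatever consumes the list does not keep a home PC offline after its owner finally cleans it.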

I agree with lots said here.

But I've said for years (despite some people saying I am confused) that BCP38 is the single most important thing we can do to cut DDoS.

No spoofed source means no amplification. It also stops things like Kaminsky DNS attacks.

There is no silver bullet. Security is a series of steps ("layers" as one highly respected security professional has in his .sig). But the most important layer, the biggest bang for the buck we can do today, is eliminating spoofed sources.

Push on your providers. Stop paying for transit from networks that do not filter ingress, put it in your RFPs, and reward those who do with contracts. Make it economically advantageous to fix the problem, and people will.

TCAMs have limits.

Not all networks practice anti-spoofing.

Not all networks have any visibility whatsoever into their network traffic.

Not all networks have security teams.

Again, it would probably be advisable to do some reading before you start telling those of us who've been working on this set of problems for the last couple of decades that it's simple, and that we don't know what we're doing.

Why does it seem like everyone is trying to "solve" this the wrong way?

Do other networks' abuse departments just not give a shit? Blackhole all
of the zombie attackers and notify their abuse departments. Sure, most of
the owners of the PCs being used in these scenarios have no idea they're
being used to attack people, but I'd think that if their network's abuse
department was notified, either they'd contact the customer about the issue
or at least have on file that they were notified. When the unknowing
end-user reached out to support over larger and larger parts of the
Internet not working, they'd be told to clean up their system.

The way to stop this stuff is for those millions of end users to clean up
their infected PCs.

1. BCP38 protects your neighbor, do it.

2. Protect yourself by having your upstream police UDP to some baseline you are comfortable with.

3. Have RTBH ready for some special case.

4. Sleep better at night.

I have done all of the above for the last 18 months.
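Step 1 of the list above, BCP38, as an added worked model that is not code from any poster or vendor. It checks each packet's source against the prefixes legitimately behind the interface it arrived on (strict uRPF) and, for contrast, against everything routed anywhere (loose uRPF), and it collapses prefixes first because each remaining entry costs an ACL/TCAM slot. The interface names, prefixes and packets are assumptions drawn from documentation address space.

```python
"""Added example: a model of BCP38 ingress filtering at a customer edge.

Constructed for this thread; it is not code from any poster or vendor.
Interface names, prefixes and packets are assumptions (RFC 5737 / RFC 3849
documentation space).
"""
from ipaddress import ip_address, ip_network, collapse_addresses


def _collapse(nets):
    """Merge adjacent/overlapping prefixes per address family; every leftover
    entry costs an ACL/TCAM slot, which is one reason edges skimp on this."""
    nets = list(nets)
    merged = []
    for version in (4, 6):
        merged.extend(collapse_addresses(n for n in nets if n.version == version))
    return merged


class Bcp38Edge:
    def __init__(self, assignments):
        # interface -> prefixes legitimately sourced from behind it
        self.behind = {iface: _collapse(ip_network(p) for p in nets)
                       for iface, nets in assignments.items()}
        # everything routed anywhere on this edge, for loose mode
        self.anywhere = _collapse(n for nets in self.behind.values() for n in nets)

    def strict_ok(self, iface, src):
        """Strict uRPF: the source must live behind the interface it came in on."""
        a = ip_address(src)
        return any(a in n for n in self.behind.get(iface, []))

    def loose_ok(self, src):
        """Loose uRPF: the source only has to be routed somewhere. Stops bogons,
        not a customer spoofing another customer's (or any routed) address."""
        a = ip_address(src)
        return any(a in n for n in self.anywhere)

    def rule_count(self):
        return sum(len(v) for v in self.behind.values())


# Constructed topology: two customer ports on an aggregation edge.
EDGE = Bcp38Edge({
    "cust-a": ["203.0.113.0/25", "203.0.113.128/25", "2001:db8:a::/48"],
    "cust-b": ["198.51.100.0/24"],
})

# Constructed packets: (ingress interface, source, destination, dport).
# 192.0.2.10 is a victim elsewhere on the Internet; the spoofed queries are
# the first half of a DNS reflection attack and should never leave this edge.
PACKETS = [
    ("cust-a", "203.0.113.200", "198.51.100.53", 53),   # legit query from cust-a
    ("cust-a", "192.0.2.10",    "198.51.100.53", 53),   # spoofed: victim's address
    ("cust-a", "198.51.100.7",  "198.51.100.53", 53),   # spoofed: other customer's address
    ("cust-a", "10.0.0.1",      "198.51.100.53", 53),   # bogon
    ("cust-a", "2001:db8:a::1", "2001:db8:b::53", 53),  # legit v6 from cust-a
    ("cust-b", "198.51.100.7",  "203.0.113.1",   123),  # legit from cust-b
]


def classify(edge, packets, mode="strict"):
    """Return {(iface, src): 'pass'|'drop'} for each packet under the chosen mode."""
    out = {}
    for iface, src, _dst, _dport in packets:
        ok = edge.strict_ok(iface, src) if mode == "strict" else edge.loose_ok(src)
        out[(iface, src)] = "pass" if ok else "drop"
    return out


if __name__ == "__main__":
    print("rules installed:", EDGE.rule_count())
    for mode in ("strict", "loose"):
        print(mode, classify(EDGE, PACKETS, mode))
```

Strict mode drops all three spoofed sources on cust-a and passes both customers' real traffic; loose mode lets the packet spoofing cust-b's address through, which is why loose uRPF alone does not buy the "no spoofed source means no amplification" property and strict belongs at the customer-facing port, with loose reserved for links where strict is not possible.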

Concur 100%. Unfortunately, it's only a tiny minority who understand enough to even care - and even when individuals in that tiny minority are influential within large organizations with global impact, all too often they can't get those kinds of measures implemented due to factors and priorities which are beyond their control.

As you yourself know, through hard-won experience.

;>

Is anyone maintaining a list of good, bad and ugly providers in terms of how seriously they take the things they should, like BCP38, community support, and whatever else is quantifiable?

This list sheds some light on antispoofing commitments made by various
providers: https://www.routingmanifesto.org/participants/

Kind regards,

Job

1. BCP38 protects your neighbor, do it.

It's to protect yourself, as well. You should do it all the way down to the transit customer aggregation edge, all the way down to the IDC access layer, etc.

2. Protect yourself by having your upstream police UDP to some baseline you are comfortable with.

This will come back to haunt you, when the programmatically-generated attack traffic 'crowds out' the legitimate traffic and everything breaks.

You can only really do this for ntp.

3. Have RTBH ready for some special case.

S/RTBH and/or flowspec are better (S/RTBH does D/RTBH, too).

I’m stuck trying to find a virtual router environment that I can play with flowspec on. We do have some Juniper routers, but they are in production and I don’t think I want to touch flowspec on them just yet.

Does anyone have any experience or any ideas here? Even openbgpd?

You can also consider adding CHARGEN and SSDP.

Kind regards,

Job

Maybe try the Cisco CSR1000v. In the trial mode it won't give you a
decent throughput, but should have all features enabled.

To quote a presentation I heard at a conference regarding small routers, "Buy bigger rooters, bitches." (Yes, I know it isn't that simple, but most of the audience at that conference had purchasing authority.)

Not all networks are doing what they're supposed to be (I'm on that list), but if no one ever does anything because not everyone else is, then nothing ever gets done.

I'm not saying what you're doing is wrong, I'm saying whatever the industry as a whole is doing obviously isn't working and perhaps a different approach is required.

Security teams? My network has me, myself and I.

If for example ChinaNet's abuse department isn't doing anything about complaints, eventually their whole network gets blocked a /32 at a time. *shrugs* Their loss.

1. BCP38 protects your neighbor, do it.

It's to protect yourself, as well. You should do it all the way down to
the transit customer aggregation edge, all the way down to the IDC access
layer, etc.

2. Protect yourself by having your upstream police UDP to some baseline you are comfortable with.

This will come back to haunt you, when the programmatically-generated
attack traffic 'crowds out' the legitimate traffic and everything breaks.

You can only really do this for ntp.

I do it for all UDP. There are bw policers and pps policers. As I said,
this is known to work for me. YMMV.

It is a managed risk, like anything. There are no silver bullets.

I feel bad for people developing things like QUIC and WebRTC on UDP. But.
I have already informed them of this risk of using UDP instead of a new L4
protocol.

Protip: UDP is a cesspool. Don't build things on a cesspool where the vast
majority of traffic is illegitimate. Guilty by association is a real
thing.

UDP will not have a renaissance

CB
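The policer disagreement in the exchange above, as an added simulation that is not code from any poster: one pps token bucket for all UDP ("police UDP to a baseline") versus separate buckets for the abused port and for everything else ("you can only really do this for ntp"). The flow rates, ports and policer sizes are assumptions; it models packets per second only, not bits per second, and a deterministic interleaving rather than real arrival jitter.

```python
"""Added example: what a flat UDP pps policer does to legitimate UDP.

Constructed for this thread; it is not code from any poster. Rates, ports
and the policer numbers are assumptions; the behaviour is the point.
"""


class TokenBucket:
    """pps policer: `rate` tokens per second, at most `burst` saved up."""

    def __init__(self, rate, burst):
        self.rate, self.burst = rate, burst
        self.tokens, self.last = float(burst), 0.0

    def allow(self, t):
        self.tokens = min(self.burst, self.tokens + (t - self.last) * self.rate)
        self.last = t
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def offered_traffic(flows, seconds=1.0):
    """Deterministic interleaving of constant-rate flows as (time, name, dport)."""
    pkts = []
    for name, pps, dport in flows:
        pkts.extend((i / pps, name, dport) for i in range(int(pps * seconds)))
    pkts.sort(key=lambda p: p[0])   # stable sort: earlier-listed flows win exact ties
    return pkts


def police(pkts, bucket_for):
    """bucket_for(dport) selects the policer a packet is subject to.
    Returns {flow name: fraction of its packets that got through}."""
    offered, passed = {}, {}
    for t, name, dport in pkts:
        offered[name] = offered.get(name, 0) + 1
        if bucket_for(dport).allow(t):
            passed[name] = passed.get(name, 0) + 1
    return {n: passed.get(n, 0) / offered[n] for n in offered}


# Constructed: one second of traffic at a hypothetical edge during an NTP
# reflection attack. The attack alone is twenty times the policer rate.
FLOWS = [
    ("dns-legit", 200, 53),
    ("quic-legit", 300, 443),
    ("ntp-reflection", 20000, 123),
]
POLICER_PPS, BURST = 1000, 100


def flat_udp_policer():
    """One bucket shared by all UDP: attack and legitimate packets compete for tokens."""
    shared = TokenBucket(POLICER_PPS, BURST)
    return police(offered_traffic(FLOWS), lambda dport: shared)


def per_port_policer():
    """Separate buckets for the abused port (ntp) and for everything else."""
    ntp, other = TokenBucket(POLICER_PPS, BURST), TokenBucket(POLICER_PPS, BURST)
    return police(offered_traffic(FLOWS), lambda dport: ntp if dport == 123 else other)


if __name__ == "__main__":
    for label, result in (("flat", flat_udp_policer()), ("per-port", per_port_policer())):
        print(label, {k: round(v, 3) for k, v in result.items()})
```

With the flat policer the reflection flood grabs nearly every token, so the DNS and QUIC flows lose the large majority of their packets even though together they are well under the baseline; that is the "crowds out the legitimate traffic" failure. With the abused port in its own bucket, both legitimate flows pass untouched while the attack is still held to the same ceiling. Neither policer stops the attack; that is what the BCP38 and RTBH steps are for.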

There's the Cisco xRV too, should be decent for playing around with.

I'm not saying what you're doing is wrong, I'm saying whatever the industry as a whole is doing obviously isn't working and perhaps a different approach is required.

You haven't recommended anything new, and you really need to do some reading in order to understand why it isn't as simple as you seem to think it is.

Security teams? My network has me, myself and I.

And a relatively small network, too.

If for example ChinaNet's abuse department isn't doing anything about complaints, eventually their whole network gets blocked a /32 at a time. *shrugs* Their loss.

Again, it isn't that simple.

People run all sorts of strange things on arbitrary ports - like VPNs, for example. It isn't that simple.

On 11/01/2015 14:50, Patrick W. Gilmore wrote:

I agree with lots said here.

But I've said for years (despite some people saying I am confused) that BCP38 is the single most important thing we can do to cut DDoS.

No spoofed source means no amplification. It also stops things like Kaminsky DNS attacks.

There is no silver bullet. Security is a series of steps ("layers" as one highly respected security professional has in his .sig). But the most important layer, the biggest bang for the buck we can do today, is eliminated spoofed source.

Push on your providers. Stop paying for transit from networks that do not filter ingress, put it in your RFPs, and reward those who do with contracts. Make it economically advantageous to fix the problem, and people will.

+1
mh

Hello!

If you are speaking about ISP "filtering", you should check your subnets
and ASN here: https://radar.qrator.net

I was really amazed at the amount of DDoS bots/amplifiers in my network.

Sounds like RFC1925, section 4 should be top of the list?