Over a decade of DDOS--any progress yet?

Maybe. Anyway, under a DDoS attack your links may be congested, and you
need to recover them. You have little margin to move. The farther
upstream the attack is repelled, the better chance you have of
restoring connectivity.

From: deleskie@gmail.com
Date: 08/12/2010 12:31
To: "Drew Weaver"<drew.weaver@thenap.com>
CC: "alvaro.sanchez@adinet.com.uy"<alvaro.sanchez@adinet.com.uy>,
"rdobbins@arbor.net"<rdobbins@arbor.net>, "North American Operators'
Group"<nanog@nanog.org>
Subject: Re: Over a decade of DDOS--any progress yet?

+1

Yes, but this obviously completes the 'DDoS attack' and sends the
signal that the bully will win.

-Drew

From: alvaro.sanchez@adinet.com.uy [mailto:alvaro.sanchez@adinet.com.uy]

Sent: Wednesday, December 08, 2010 8:46 AM
To: rdobbins@arbor.net; North American Operators' Group
Subject: Re: Over a decade of DDOS--any progress yet?

A very common action is to blackhole DDoS traffic upstream by sending a
BGP route to the next AS with a pre-established community indicating
the traffic must be sent to Null0. The route may be very specific, in
order to impact as little as possible. This needs prior coordination
between providers.
Regards.

From: rdobbins@arbor.net
Date: 08/12/2010 10:53
To: "North American Operators' Group"<nanog@nanog.org>
Subject: Re: Over a decade of DDOS--any progress yet?

 One big problem (IMHO) of DDoS is that sources (the hosts of
 botnets) may be completely unaware that they are part of a DDoS. I
 do not mean the bot machine, I mean the ISP connecting those.

The technology exists to detect and classify this attack traffic, and
is deployed in production networks today.

And of course, the legitimate owners of the botted hosts are
generally unaware that their machine is being used for nefarious
purposes.

 On the other hand, the target of a DDoS cannot do anything to stop
 the attack besides adding more BW or contacting one by one the whole
 path of providers to try to minimize the effect.

Actually, there're lots of things they can do.

 I know that this has many security concerns, but would it be good to
 have a signalling protocol between ISPs to inform the sources of a DDoS
 attack in order to take semiautomatic actions to rate-limit the
 traffic as close as possible to the source? Of course this is more
 complex than these
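The blackholing procedure Alvaro describes (a very specific route carrying a pre-agreed community, which the upstream turns into a Null0 route) only works safely if the upstream validates what the customer is allowed to blackhole. The following is an added example, not code from anyone in this thread: a small model of the upstream's import policy for such announcements. It assumes the well-known BLACKHOLE community 65535:666 from RFC 7999 as the pre-established signal, a constructed customer (AS 64496) with the documentation prefixes 192.0.2.0/24 and 2001:db8::/32 as its authorised space, and a plain dictionary standing in for the router's RIB; the function and class names are invented for the example.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Assumption: the pre-agreed blackhole signal is the RFC 7999 BLACKHOLE community.
BLACKHOLE_COMMUNITY = "65535:666"

# A blackhole route must be a single host so the collateral impact is minimal.
HOST_PREFIXLEN = {4: 32, 6: 128}

# Constructed customer authorisation table: which prefixes each peer AS may announce.
AUTHORISED_PREFIXES: Dict[int, List[ipaddress._BaseNetwork]] = {
    64496: [ipaddress.ip_network("192.0.2.0/24"),
            ipaddress.ip_network("2001:db8::/32")],
}


@dataclass
class Announcement:
    """The parts of a BGP UPDATE this policy looks at (hypothetical model)."""
    peer_asn: int
    prefix: str
    communities: List[str] = field(default_factory=list)


def evaluate(ann: Announcement) -> Tuple[str, str]:
    """Decide what the upstream does with the route.

    Returns (action, reason) where action is one of:
      'reject'  - drop the announcement, log it for the NOC
      'accept'  - ordinary customer route, normal forwarding
      'discard' - install a route to Null0 for this host
    """
    try:
        net = ipaddress.ip_network(ann.prefix, strict=True)
    except ValueError as exc:
        return "reject", "malformed prefix: %s" % exc

    allowed = AUTHORISED_PREFIXES.get(ann.peer_asn, [])
    same_family = [a for a in allowed if a.version == net.version]
    if not any(net.subnet_of(a) for a in same_family):
        # A customer must never be able to blackhole address space it does not own.
        return "reject", "prefix not within peer AS %d authorised space" % ann.peer_asn

    if BLACKHOLE_COMMUNITY not in ann.communities:
        return "accept", "ordinary announcement"

    if net.prefixlen != HOST_PREFIXLEN[net.version]:
        # Anything wider than a host route would take down more than the victim.
        return "reject", "blackhole must be a /%d host route" % HOST_PREFIXLEN[net.version]

    return "discard", "install route to Null0, keep the route local (NO_EXPORT)"


def apply_to_rib(rib: Dict[str, str], ann: Announcement, withdraw: bool = False) -> Dict[str, str]:
    """Update a toy RIB ({prefix: next-hop}) according to the policy decision."""
    if withdraw:
        # Withdrawal restores connectivity once the attack subsides.
        rib.pop(ann.prefix, None)
        return rib
    action, _reason = evaluate(ann)
    if action == "discard":
        rib[ann.prefix] = "Null0"
    elif action == "accept":
        rib[ann.prefix] = "peer-AS%d" % ann.peer_asn
    return rib


if __name__ == "__main__":
    rib: Dict[str, str] = {}
    victim = Announcement(64496, "192.0.2.10/32", [BLACKHOLE_COMMUNITY])
    print(evaluate(victim))
    apply_to_rib(rib, victim)
    print(rib)  # {'192.0.2.10/32': 'Null0'}
    apply_to_rib(rib, victim, withdraw=True)
    print(rib)  # {}
```

The interesting cases are the rejections: a blackhole for space outside the customer's allocation, or for a whole /24 instead of a host, is exactly what the "prior coordination between providers" in the thread is meant to rule out, and logging those rejections gives the NOC a record of mis-sent or abusive blackhole requests.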