[SECURITY] Application layer attacks/DDoS attacks

Hello there,

As a reaction to the increasing demand -from enterprises- for DDoS
protection services, a fierce competition between vendors is about to start
in this playground; big upfront investments have started to happen in the tier
one, tier two and tier three ISPs. IMHO this will have an aggressive
effect on the volume of DDoS attacks, and will eventually steer the
mindset of enterprises towards hosting the most critical
applications/services in a well geographically-dispersed cloud and
increasing the surface area using anycast, thus relatively decreasing the
attack volume.

Back to DDoS protection: most anti-DDoS vendors are marketing their
products as application layer DDoS defense. I am a little bit
confused; aren't the application firewalls (either integrated in an NGFW
or a UTM) the ones responsible for mitigating application layer attacks?



Too many pieces to answer on a weekend on NANOG, but those of us that have
worked in the DDoS space the last number of years have seen huge growth in
application layer attacks. This does not mean a decrease in volumetric
attacks, just that now you have to worry about both, and lots of each. FWs,
while they have gotten better, are still not the solution for many reasons.
Moving things to the "cloud" helps in some cases but not all. This is an
arms race; the better we get at protecting, the better the "bad guys" get at




Just to ask, what is the expected effect on DDoS attacks if folks
implemented BCP38?

How does the cost of implementing BCP38 compare to the cost of other
solution attempts?


Yes Harlan, you are absolutely right; even if this won't stop the
botnet-based DDoS attacks, it will at least significantly decrease the
volume/frequency of the volume-based attacks.

On the other side, DDoS protection has now become a business where
ISPs of all tiers make money, and those ISPs are the exact place where the
implementation of anti-spoofing makes the best sense: conflict of interests.

However, the trusted network initiative might be a good approach to start
influencing operators to apply anti-spoofing mechanisms.



While I don't think any ISP "wants DDoS" to make $$, I do, based on
experience, believe that business cases have to be made for everything.
With the prices paid for BW in most of the world now (or the last number
of years), it's going to be VERY hard to get anyone to allocate time/$$ or
energy to do anything they don't need to, to get the bit to you.


Explain how you think the 'trusted network initiative' matters in the slightest?


The idea of restricting access to certain content during an attack on the
"trusted networks" only will make all interested ISPs be more "trusted".


Don't the lawyers already have enough money?

Without a concomitant increase in "trustworthy", assigning greater levels of trust is a fool's endeavour. Whatever this trusted network initiative is, I take it that it was designed by fools or government (the two are usually indistinguishable) for the purpose of creating utterly untrustworthy networks.


I agree, we can't even get everyone, including some LARGE (I'll avoid
"tiers" because people get stupid around that too) networks, to filter
customers based on assigned netblocks.
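As an added illustration of what "filter customers based on assigned netblocks" and the earlier BCP38 question actually amount to on a router, here is a small Python model (not code from the thread or from any vendor) of the three usual BCP38 enforcement styles: strict uRPF, loose uRPF, and a static per-port ingress ACL built from the customer's assigned prefixes. The FIB, interface names, customer assignments and sample packets are all constructed for this example using documentation address ranges; the verdict table it prints shows which kind of spoofing each style stops and where strict mode drops legitimate, asymmetrically routed traffic from a multihomed customer.

```python
"""
Added example (not from the NANOG thread): a model of BCP38 source-address
validation at the customer edge. Everything below (FIB, interfaces,
assignments, packets) is constructed for illustration.
"""
import ipaddress
from typing import Dict, List, Tuple

# Constructed FIB: destination prefix -> egress interface (longest match wins).
# Customer prefixes are documentation ranges (RFC 5737 / RFC 3849).
FIB: Dict[str, str] = {
    "0.0.0.0/0": "upstream0",     # default route toward transit
    "::/0": "upstream0",
    "192.0.2.0/24": "cust-a",     # single-homed customer A
    "2001:db8::/32": "cust-a",
    "198.51.100.0/24": "cust-b",  # customer B, also multihomed elsewhere
    "203.0.113.0/24": "cust-c",
}

# Constructed per-port assignments used by the static ACL approach.
# "peer0" deliberately has no entry: no filter is configured on that port.
ASSIGNED: Dict[str, List[str]] = {
    "cust-a": ["192.0.2.0/24", "2001:db8::/32"],
    "cust-b": ["198.51.100.0/24"],
    "cust-c": ["203.0.113.0/24"],
}


def best_route(fib: Dict[str, str], src: str):
    """Longest-prefix match for src; returns (network, iface) or None.
    ip_network.__contains__ returns False on an address-family mismatch,
    so a mixed v4/v6 FIB is safe here."""
    ip = ipaddress.ip_address(src)
    best = None
    for prefix, iface in fib.items():
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best


def strict_urpf(fib: Dict[str, str], ingress: str, src: str) -> bool:
    """Strict uRPF: accept only if the best route back to src points out the
    interface the packet arrived on. Right for single-homed customers, but
    drops legitimate traffic that arrives asymmetrically."""
    route = best_route(fib, src)
    return route is not None and route[1] == ingress


def loose_urpf(fib: Dict[str, str], src: str) -> bool:
    """Loose uRPF: accept if src is covered by any non-default route.
    Stops only bogons/unallocated space; a spoofed but routable source
    (e.g. a reflection attack victim) passes."""
    route = best_route(fib, src)
    return route is not None and route[0].prefixlen > 0


def assigned_netblock_acl(assigned: Dict[str, List[str]],
                          ingress: str, src: str) -> bool:
    """Static ingress ACL: permit only sources inside the netblocks assigned
    to the customer on that port. Ports with no ACL pass everything."""
    if ingress not in assigned:
        return True
    ip = ipaddress.ip_address(src)
    return any(ip in ipaddress.ip_network(p) for p in assigned[ingress])


def evaluate(ingress: str, src: str) -> Tuple[bool, bool, bool]:
    """Return (strict, loose, acl) accept verdicts for one ingress packet."""
    return (strict_urpf(FIB, ingress, src),
            loose_urpf(FIB, src),
            assigned_netblock_acl(ASSIGNED, ingress, src))


# Constructed sample packets: (ingress interface, source address, description)
SAMPLES = [
    ("cust-a", "192.0.2.10",   "legit: customer A's own space"),
    ("cust-a", "203.0.113.5",  "spoofed: A using C's (routable) address"),
    ("cust-a", "10.0.0.1",     "spoofed bogon, covered only by the default"),
    ("peer0",  "198.51.100.7", "legit: B's traffic arriving asymmetrically"),
    ("cust-a", "2001:db8::1",  "legit IPv6, same checks apply"),
]

if __name__ == "__main__":
    print(f"{'ingress':8} {'source':16} strict loose acl    note")
    for ingress, src, note in SAMPLES:
        s, l, a = evaluate(ingress, src)
        print(f"{ingress:8} {src:16} {s!s:6} {l!s:5} {a!s:5}  {note}")
```

Reading the verdicts: loose mode lets the second packet through because the spoofed source is routable, which is exactly the kind of spoofing reflection/amplification attacks need, so loose uRPF alone is not BCP38. Strict mode and the assigned-netblock ACL both drop it, but strict mode also drops the fourth packet, the multihomed customer's legitimate traffic arriving on a peering port; that operational risk is a large part of why the filtering discussed in the thread is hard to get deployed. The static ACL is the predictable option at the customer edge, at the cost of keeping the per-port assignment table current.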


AFAICT, the 'Trusted Network Initiative' largely consists of 'all the cool kids should do multilateral peering at AMS-IX and NL-ix across vl112':



Customer of my customer [of my customer, of my customer . . . ].

It's customers all the way down.